IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

John Bradley <ve7jtb@ve7jtb.com> Wed, 26 June 2013 20:03 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 577C011E8201 for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 13:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yuAtHuBDwHW7 for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 13:03:22 -0700 (PDT)
Received: from mail-qc0-x233.google.com (mail-qc0-x233.google.com [IPv6:2607:f8b0:400d:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 7C58011E8142 for <jose@ietf.org>; Wed, 26 Jun 2013 13:03:22 -0700 (PDT)
Received: by mail-qc0-f179.google.com with SMTP id e11so8433085qcx.24 for <jose@ietf.org>; Wed, 26 Jun 2013 13:03:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=bQBa6AlzQ+GfkvmWwQMY7bEhrIjzxScCwSb5npt3GlQ=; b=QotnuwCPr/NnUPxDeQ4uXBZJSxNXvqGaT1IPqgeltT5mNLmNHni7FpJ5xpad3S/oJ7 JP/NWxfIX/55TT/+u7XDdDlrqz9lUpDUW+nh7mUJF2IpBbKjkHkasfBhoKd68LC1XDhi jRptC35IOryUKtXGTqFbKEib5LTKlPJu427qixE1HATNR9wZgEh16cj+wjkzPUtYv8zz j2bL+f1mly+aNx92FWliiS2GXSUvXTiadOqobz2VRnpf0bl/0nHxjLTZrQdfzBg/MoQ6 dPUc16a+tD85RgjH2YOjJWinQTvA0DpUjHWs6n2JSr5vv/LHgXx4uWkXUWlS6tGnt4lF lhBg==
X-Received: by 10.224.74.72 with SMTP id t8mr7565078qaj.74.1372277001709; Wed, 26 Jun 2013 13:03:21 -0700 (PDT)
Received: from [192.168.1.216] (190-20-19-12.baf.movistar.cl. [190.20.19.12]) by mx.google.com with ESMTPSA id l4sm125725qay.0.2013.06.26.13.03.17 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 26 Jun 2013 13:03:20 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_C4CF314B-E2A2-42A9-ACFF-9436CA5DBDB8"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <033a01ce729b$26bc3910$7434ab30$@augustcellars.com>
Date: Wed, 26 Jun 2013 16:02:57 -0400
Message-Id: <1AE58166-F5E3-4631-90C9-32EC5EE2DF07@ve7jtb.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1508)
X-Gm-Message-State: ALoCoQnlMdO+UjaCPwtvpBmobvHS6hJlH6f2g5gqnekSIxWpLmVuCfNnFljtky4jjewppgJoz5AV
Cc: michael.jones@microsoft.com, jose@ietf.org, draft-ietf-jose-json-web-signature@tools.ietf.org
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2013 20:03:23 -0000

At the moment the signature is calculated over the base64url encoded representation of the payload and not the binary string.  

Having two different ways to calculate the signature seems like the wrong thing.  

If we were talking about always calculating the signature over the binary string and then dealing with encoding as a later step I would understand your point better but the flag is changing the processing as well as the representation.

However that would render the compact and JSON forms incompatible without recalculating the signature.

What are the issues with including a 8-bit string in a JSON sting?

What you are proposing seems like a large fundamental change, that would require a matching change in compact, that complicates that format.

Perhaps I am not understanding your proposal.

John B.

On 2013-06-26, at 2:29 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:

> Having multiple ways to do something can frequently buy you a great deal of benefit.  However, in this case it is my library that is doing this and not the standard.
> 
> The client gives the library an 8-bit string.  The library signs that string.  The library puts that string into the payload field.
> 
> The client needs to make the 8-bit string URL safe if it wants to use compact encoding.
> 
> Where is there two ways of doing something?
> 
> Jim
> 
> 
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>> jose issue tracker
>> Sent: Tuesday, June 25, 2013 5:23 PM
>> To: draft-ietf-jose-json-web-signature@tools.ietf.org;
>> michael.jones@microsoft.com
>> Cc: jose@ietf.org
>> Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
>> 
>> #26: Allow for signature payload to not be base64 encoded
>> 
>> 
>> Comment (by michael.jones@microsoft.com)
>> 
>> Having multiple ways to do something is one of the classic pitfalls to  avoid in
>> standards.  They tend to generate interop problems because  developers will
>> often only build the way that they think they need, never
>> getting around to the others.   I don t think the potential benefits of
>> having multiple ways to encode the payload outweigh this cost.
>> 
>> Next, this feature would only work with the JSON serialization; it would  not
>> work for the Compact Serialization because the payload must be URL  safe.
>> The base64url encoding accomplishes that, and so is a necessary  part of the
>> encoding.  Having the two serializations diverge in this  manner seems
>> suboptimal.
>> 
>> Third, I am concerned that the payload will sometimes change during
>> transmission if not encoded in some manner.  Tabs can change to spaces.
>> LFs can change to CRLFs.  HTML is notorious for adding a blank at the end  of
>> each line.  Two spaces can change to a space and a non-breaking space.
>> Etc.  Not encoding the payload would open us up to all of these potential
>> modification-during-transmission problems   all of which would render the
>> JWS useless by breaking the signature.
>> 
>> Finally, this feature seems to be motivated by detached signatures, which  per
>> my comment on Ticket #25, can be accomplished at the application layer
>> without adding general-purpose support for detached signatures.  Thus, I  don
>> t think this related feature is needed either.
>> 
>> For all these reasons, I believe that this issue should be closed as   won t fix .
>> 
>> --
>> -------------------------+----------------------------------------------
>> -------------------------+---
>> Reporter:               |       Owner:  draft-ietf-jose-json-web-
>>  ietf@augustcellars.com |  signature@tools.ietf.org
>>     Type:  defect       |      Status:  new
>> Priority:  major        |   Milestone:
>> Component:  json-web-    |     Version:
>>  signature              |  Resolution:
>> Severity:  -            |
>> Keywords:               |
>> -------------------------+----------------------------------------------
>> -------------------------+---
>> 
>> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/26#comment:1>
>> jose <http://tools.ietf.org/jose/>
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.39.1 | Report a Bug | By Email | System Status