Re: [jose] Canonical JSON form

Carsten Bormann <cabo@tzi.org> Thu, 11 October 2018 19:04 UTC

From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <073CB50F-8D91-4EF6-90BE-FC897D557AA6@oracle.com>
Date: Thu, 11 Oct 2018 21:03:49 +0200
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Manger, James" <James.H.Manger@team.telstra.com>, jose@ietf.org, Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <A37D69B1-6B77-4E11-8BB9-A0209C77752C@tzi.org>
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com> <00ad01d460f4$69ae8a00$3d0b9e00$@augustcellars.com> <8436AEE7-B25A-4538-B8F6-16D558D9A504@gmail.com> <MEAPR01MB35428606C09BF315DE04CC79E5E10@MEAPR01MB3542.ausprd01.prod.outlook.com> <CAHbuEH6DCD7Zc+PK3TnCBkKv1esnROwyCcDb8ZR+TKwgQQ+yXQ@mail.gmail.com> <0E6BD488-74D5-4640-BC31-5E45B0531AFC@gmail.com> <CAHbuEH5oH-Km6uAjrSr0pEHswFBLuDpfVweQ+gpj472yk+8iTQ@mail.gmail.com> <073CB50F-8D91-4EF6-90BE-FC897D557AA6@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/6kPrj8ybvnMwwNkIpK8UIftcq3E>
Subject: Re: [jose] Canonical JSON form

On Oct 11, 2018, at 20:23, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> I am not sure of the value of canonicalization.  I prefer bytestream encoding style where the original content goes with the signature.

I’m afraid a lot of people are sitting in front of their screens silently agreeing, but not typing anything because their hands are tied up in an interminable facepalm.

So, for the record:
To the people asking for a c14n solution for signature: If you want XMLDSig, you know where to find it.
The basic approach of having humongous XML documents that get signatures added to themselves as part of the document only makes sense in certain processing models that went out of favor with XML.
JOSE does the right thing for more modern applications.

I’m not opposed to doing some “c14n” work on serialization schemes — deterministic serialization has other applications than just XMLDSig.
That would be work for a JSONbis WG (but I fear the interest level among JSON experts will be low).
I definitely do not like giving the message that c14n-based signatures are the new thing that will replace doing the right thing (JOSE, that is).

Regards, Carsten
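An added example (not from the thread or from either author) contrasting the two approaches discussed above: a MAC checked after canonical re-serialization versus a JWS-style MAC over the exact transmitted bytes. The claims, the HMAC key and the helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample claims and HMAC key for illustration only.
CLAIMS = {"iss": "example", "amount": 10.0, "tags": ["b", "a"]}
KEY = b"constructed-demo-key"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def serializations(obj):
    """Two byte-different encodings of the same JSON value (key order, whitespace)."""
    loose = json.dumps(obj).encode()
    compact = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return loose, compact


def mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def c14n_style_verify(received: bytes, mac_hex: str) -> bool:
    """c14n approach: parse, re-serialize deterministically, then check the MAC.
    Correct only if every party agrees on every serialization detail."""
    canon = json.dumps(json.loads(received), sort_keys=True, separators=(",", ":"))
    return hmac.compare_digest(mac(canon.encode()), mac_hex)


def jws_sign(payload: bytes) -> str:
    """JWS compact style (HS256): the MAC covers the exact transmitted bytes."""
    header = b64url(b'{"alg":"HS256"}')
    signing_input = f"{header}.{b64url(payload)}"
    tag = hmac.new(KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def jws_verify(token: str):
    """Return the parsed payload, or None if the MAC does not match."""
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))
```

An intermediary that parses and re-emits the JSON (a JavaScript `JSON.parse`/`JSON.stringify` round trip turns `10.0` into `10`) breaks the c14n-style check even though the value is unchanged, while the JWS token still verifies because the signed bytes travel with the signature.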