IETF Logo Mail Archive

Re: [jose] canonical JSON

<Axel.Nennker@telekom.de> Wed, 20 February 2013 06:07 UTC

Return-Path: <Axel.Nennker@telekom.de>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28CDD21F8A3D for <jose@ietfa.amsl.com>; Tue, 19 Feb 2013 22:07:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.248
X-Spam-Level:
X-Spam-Status: No, score=-3.248 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UIdmAS7Scwx for <jose@ietfa.amsl.com>; Tue, 19 Feb 2013 22:07:30 -0800 (PST)
Received: from tcmail13.telekom.de (tcmail13.telekom.de [80.149.113.165]) by ietfa.amsl.com (Postfix) with ESMTP id 9933221F8955 for <jose@ietf.org>; Tue, 19 Feb 2013 22:07:28 -0800 (PST)
Received: from he111528.emea1.cds.t-internal.com ([10.125.90.87]) by tcmail11.telekom.de with ESMTP/TLS/AES128-SHA; 20 Feb 2013 07:07:26 +0100
Received: from HE111541.emea1.cds.t-internal.com ([10.125.90.94]) by HE111528.EMEA1.CDS.T-INTERNAL.COM ([2002:7cd:5a57::7cd:5a57]) with mapi; Wed, 20 Feb 2013 07:07:25 +0100
From: Axel.Nennker@telekom.de
To: jose@ietf.org
Date: Wed, 20 Feb 2013 07:07:19 +0100
Thread-Topic: [jose] canonical JSON
Thread-Index: Ac4O4siw9Q0FzpMvRMuxZ5VQpfkpMQATYoZA
Message-ID: <CE8995AB5D178F44A2154F5C9A97CAF40255110B3B4D@HE111541.emea1.cds.t-internal.com>
References: <CAG8k2+4xaAUBPs=Kw-=eBHZNyOMs6VYByPEb1jnAv1aGjLupng@mail.gmail.com> <CABkgnnWzdoo6b0ZymF0cv_v9zOjJKTWuUhkWuxiA-cM9qgu0jg@mail.gmail.com> <CAG8k2+47GQXHhWBdqd82UEAPZUfAigYE-vwxpaMJm4F5i8098A@mail.gmail.com> <CAL02cgQ3Oh1D9qHW7XWAZqzmfnE5T6-FjNydjpMEMhaHf2d7Xw@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150757902D@WSMSG3153V.srv.dir.telstra.com> <CAG8k2+5mVYJ6TgQHJ9juXEaWkfMteG6gV8w_dCoShP4-9fPqMA@mail.gmail.com> <CAL02cgRZkf8rR=gAuR6ZT61WCah3aWQNAq8d+GLWweehH7jN6A@mail.gmail.com> <BF7E36B9C495A6468E8EC573603ED9411513E85D@xmb-aln-x11.cisco.com> <4E1F6AAD24975D4BA5B1680429673943674774DA@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAHBU6iu3soqk92j3tKpXNErFsgLm6SZ8V30A=Gf7DcbZCYFqkA@mail.gmail.com>
In-Reply-To: <CAHBU6iu3soqk92j3tKpXNErFsgLm6SZ8V30A=Gf7DcbZCYFqkA@mail.gmail.com>
Accept-Language: de-DE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE
Content-Type: multipart/alternative; boundary="_000_CE8995AB5D178F44A2154F5C9A97CAF40255110B3B4DHE111541eme_"
MIME-Version: 1.0
Cc: dholth@gmail.com, rlb@ipv.sx, Michael.Jones@microsoft.com, tbray@textuality.com, mamille2@cisco.com, James.H.Manger@team.telstra.com
Subject: Re: [jose] canonical JSON
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 06:07:36 -0000

Mike is right. Canonicalization is "evil".
Axel

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Tim Bray
Sent: Tuesday, February 19, 2013 9:50 PM
To: Mike Jones
Cc: Richard Barnes; Daniel Holth; Manger, James H; jose; Matt Miller (mamille2)
Subject: Re: [jose] canonical JSON

My instinct, as the author of a reasonably popular library that generates canonical XML, is that JSON ought to be quite a bit easier.  But that's only interesting if Mike is wrong and there aren't better alternatives. -T

On Tue, Feb 19, 2013 at 12:48 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
[Repeating this on the correct thread...]

I'm strongly against canonicalization.  The XML canonicalization experience was horrible and resulted in more interop bugs than any other aspect of XML DSIG, XML ENC, etc.  Let's not repeat the mistakes of our elders. ;-)

I also haven't seen a clear use case that canonicalization solves that can't be more easily solved another way.

                                -- Mike

-----Original Message-----
From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf Of Matt Miller (mamille2)
Sent: Tuesday, February 19, 2013 12:35 PM
To: Richard Barnes
Cc: Daniel Holth; Manger, James H; jose
Subject: Re: [jose] canonical JSON

I know I'm still reeling from canonicalization (c14n) issues in XML, but I can put that aside.  It would be nice to have JWK fingerprinting.

I can see value in each JWK type defining what is canonical; I'm less thrilled limiting metadata to a specific place, but could live with that.  I can see where excluding metadata can get us in trouble later, but I think that would mean having a much more robust c14n approach.

By the way, there is going to be a JSON BoF in Orlando, and c14n seems like a good thing to bring up there.


- m&m

Matt Miller < mamille2@cisco.com<mailto:mamille2@cisco.com> >
Cisco Systems, Inc.

PS: 42 vs 4.2e0 vs 4.2e1

On Feb 19, 2013, at 7:59 AM, Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:

> So your fingerprint algorithm would be something like the following?
>
> INPUT: JWK
> 1. Remove "metadata" fields.  So, for RSA, you would be left with
> {"kty", "n", "e"} 2. Convert stripped JWK to canonical form 3. Compute
> digest over canonical form
>
> That seems generally agreeable to me.
>
> For (1) to be possible, you would need to define which fields are
> covered in the fingerprint for each key type ("kty" value).  Or,
> alternatively, you could restructure JWK so that metadata fields are grouped into a "meta"
> sub-dict.  Which might be nice anyway.
>
> For (2), I agree that there is probably a better canonicalization than
> CJSON.  The code I pasted earlier implements the following changes
> from RFC
> 4627:
> -- Object fields must be in lexicographic order, sorted by field name
> -- No white space allowed
> -- Numbers: Exponent part must use 'e'
> -- Numbers: Exponent part must not use '+'
> -- Numbers: Fraction part must not have trailing zeros
> -- Strings: All characters must be escaped ISTM that those changes are
> fairly minimal, and avoid some of the CJSON problems that have been
> discussed above. Reasonably people can disagree over the string
> aspect; if you want less expansion, you could do things like exempt
> printable ASCII.
>
>
>
>
> On Tue, Feb 19, 2013 at 8:56 AM, Daniel Holth <dholth@gmail.com<mailto:dholth@gmail.com>> wrote:
>
>> On Tue, Feb 19, 2013 at 1:57 AM, Manger, James H <
>> James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote:
>>
>>> A canonical form of JSON might be fairly easy, but the one you quote
>>> (
>>> http://wiki.laptop.org/go/Canonical_JSON) can't handle floating
>>> point numbers (or very large integers), and produces invalid JSON if
>>> a string includes a tab! Fix those (escaping control chars
>>> [\u0000-\u001f]; use normalized scientific notation for numbers) and
>>> it might be worth
>>> considering.****
>>>
>>> ** **
>>>
>>> Defining JOSE calculations in terms of 1 or more byte arrays, the
>>> first of which is a UTF-8-encoded JSON header, would be useful. It
>>> can then be packaged as dot-separated base64url-encoded segments to
>>> be HTTP-header-friendly, or packaged as a single JSON object to be
>>> programmer-friendly, or packaged as raw bytes to be efficient.
>>>
>>
>> I am only proposing a key fingerprinting specification that does not
>> employ DER encoding. JWKs do not contain tabs or floating point numbers.
>>
> _______________________________________________
> jose mailing list
> jose@ietf.org<mailto:jose@ietf.org>
> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email