Re: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)

Mike Jones <Michael.Jones@microsoft.com> Fri, 10 July 2020 20:21 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Date: Fri, 10 Jul 2020 20:21:53 +0000
Message-ID: <MN2PR00MB06880AA5E91B9DC72AF93D25F5650@MN2PR00MB0688.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/KqMgysS2PQgUw7kN3MxPWwySMp0>

I must admit, I was surprised to see this RFC, because very little discussion of it happened on the JOSE mailing list.  The last mention I can see of it was in February 2019 - the same time you were proposing to take this to SecDispatch.  I never heard of it again after that.

So that any future related efforts have an opportunity for widespread review, particularly if they are JOSE related, I'd request that you and others working on them also post drafts to the JOSE mailing list, even if you're working in the Independent Stream.

There are things I would have commented on in JCS if I'd seen intermediate drafts before it became an RFC.  (For instance, I would have asked for explicit serialization instructions for the one ASCII control character not in the range 0x00-0x1F - 0x7F (DEL).)

				Thanks,
				-- Mike

-----Original Message-----
From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
Sent: Friday, July 10, 2020 11:41 AM
To: jose@ietf.org
Subject: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)

After virtually eons of time https://www.rfc-editor.org/rfc/rfc8785 has finally been published.
It wouldn't have happened without the input from the IETF community!

Since canonicalization in itself is fairly useless, there are several additional work-items building on JCS (RFC 8785) in the pipe-line:

On-line demo/test using JWS: https://mobilepki.org/jws-jcs
On-line demo/test using an "unwrapped" JWS called JSON Signature Format (JSF): https://mobilepki.org/jsf-lab

A real-world implementation by OWASP using JSF: https://cyclonedx.org/use-cases/#authenticity

There is also an "unwrapped" JWE called JSON Encryption Format (JEF), currently published as an HTML document: https://cyberphone.github.io/doc/security/jef.html

If anybody out there would be interested in "RFC-ing" JWS-JCS, JSF, or JEF, please drop me a line.

The current plan is publishing the additional RFCs using the Independent Stream, rather than as IETF standards.

Anders
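As an added illustration (not code from either message, nor from the JCS or JSF projects), here is a minimal Python canonicalizer that applies the RFC 8785 string-escaping and property-ordering rules. It handles integers only (ECMAScript Number formatting for floats is out of scope), and for the U+007F (DEL) case Mike raises it takes the RFC's "outside the control range, serialize as is" branch, which is what ECMAScript JSON.stringify does; `SAMPLE` is constructed input.

```python
import json

# Short escapes required by RFC 8785 section 3.2.2.2 (mirrors JSON.stringify).
_SHORT = {0x08: "\\b", 0x09: "\\t", 0x0A: "\\n", 0x0C: "\\f", 0x0D: "\\r",
          0x22: "\\\"", 0x5C: "\\\\"}


def jcs_string(s: str) -> str:
    """Serialize one JSON string (or property name) per RFC 8785."""
    out = []
    for ch in s:
        cp = ord(ch)
        if cp in _SHORT:
            out.append(_SHORT[cp])
        elif cp < 0x20:
            out.append(f"\\u{cp:04x}")  # lowercase hex, as the RFC requires
        else:
            # Everything else, including U+007F (DEL), is emitted as is.
            # DEL is not named explicitly in the RFC; this is the case
            # Mike's message asks to have spelled out.
            out.append(ch)
    return '"' + "".join(out) + '"'


def jcs_serialize(v) -> str:
    """Serialize a parsed JSON value; integers only (assumption)."""
    if v is None:
        return "null"
    if v is True or v is False:
        return "true" if v else "false"
    if isinstance(v, int):
        return str(v)
    if isinstance(v, str):
        return jcs_string(v)
    if isinstance(v, list):
        return "[" + ",".join(jcs_serialize(x) for x in v) + "]"
    if isinstance(v, dict):
        # Property names sorted by UTF-16 code units (RFC 8785 section 3.2.3).
        items = sorted(v.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(jcs_string(k) + ":" + jcs_serialize(x)
                              for k, x in items) + "}"
    raise TypeError(f"unsupported JSON value: {type(v).__name__}")


def canonicalize(text: str) -> bytes:
    """Parse JSON text and return its JCS canonical form as UTF-8 bytes."""
    return jcs_serialize(json.loads(text)).encode("utf-8")


# Constructed sample: unsorted keys, a tab, a DEL, a non-ASCII key, U+0001.
SAMPLE = ('{"z": "tab\\there", "a": "del\\u007fx", "\\u00e9": 1, '
          '"b": [true, null, "quote\\"", "\\u0001"]}')
```

The canonical output keeps the DEL byte literally between `del` and `x`, escapes U+0001 as `\u0001`, and orders the keys `a`, `b`, `z`, `é`.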
