Re: [jose] canonical JSON

Daniel Holth <dholth@gmail.com> Thu, 21 February 2013 18:06 UTC

To: Richard Barnes <rlb@ipv.sx>
Cc: Mike Jones <Michael.Jones@microsoft.com>, jose <jose@ietf.org>, "Matt Miller (mamille2)" <mamille2@cisco.com>, John Bradley <ve7jtb@ve7jtb.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, Justin Richer <jricher@mitre.org>

On Thu, Feb 21, 2013 at 12:50 PM, Richard Barnes <rlb@ipv.sx> wrote:

> That doesn't solve the problem.  The point of a fingerprint is to have an
> identifier for the key that is shorter than the key itself. So a JWS with a
> JWK payload is irrelevant.  Likewise, any solution that requires
> base64-encoding is also irrelevant, since you would need to carry the
> encoded version along in order to interpret the fingerprint.
>

Impressed by the c14n can of worms. The one advantage of a bencode c14n
scheme is that it would obviously be crazy to rearchitect an entire JSON
crypto scheme around it. Subset-of-CJSON-only-defined-for-JWK is enough.

There is a system called The Update Framework that pre-dates JOSE and is
used to secure software updates. The root document is a very long list of
RSA key fingerprints trusted to sign some sub-document. Each sub-document
includes the entire RSA key. If the sub-document's signature is valid and
the key fingerprint matches then the sub-document can be trusted. The root
document would be too big if it had to include the whole keys instead of
fingerprints.
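
Added example, not part of the original message or of The Update Framework's code: a sketch of the fingerprint-matching step described above, using a canonical form defined only for RSA JWKs. The canonical form (the members kty, n and e, sorted, no whitespace, SHA-256) and the names ROOT_FINGERPRINTS, KEY_A, KEY_B and OTHER_KEY are assumptions, the key values are constructed, and the signature check on the sub-document is left out.

```python
import hashlib
import json

# Assumption: only these members define an RSA public key; kid, use, alg
# and similar members are metadata and must not change the fingerprint.
RSA_MEMBERS = ("e", "kty", "n")


def canonical_jwk(jwk: dict) -> bytes:
    """Serialize only the key-defining members, sorted, with no whitespace."""
    if jwk.get("kty") != "RSA":
        raise ValueError("canonical form is only defined here for RSA keys")
    missing = [m for m in RSA_MEMBERS if not isinstance(jwk.get(m), str)]
    if missing:
        raise ValueError(f"missing or non-string members: {missing}")
    subset = {m: jwk[m] for m in RSA_MEMBERS}
    # Values are hashed as strings: a non-minimal base64url encoding of the
    # same integer would give a different fingerprint.
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def fingerprint(jwk: dict) -> str:
    """Short identifier for the key: SHA-256 over its canonical form."""
    return hashlib.sha256(canonical_jwk(jwk)).hexdigest()


def key_is_pinned(sub_document: dict, trusted: set) -> bool:
    """True if the key embedded in the sub-document matches a root fingerprint.

    The caller must still verify the sub-document's signature with that key.
    """
    try:
        return fingerprint(sub_document["key"]) in trusted
    except (AttributeError, KeyError, TypeError, ValueError):
        return False  # malformed or missing key is never trusted


# Constructed sample keys: the same key serialized two ways, plus another key.
KEY_A = json.loads('{"kty":"RSA","n":"constructed-modulus","e":"AQAB"}')
KEY_B = json.loads('{ "e": "AQAB", "kid": "2013-02",\n'
                   '  "n": "constructed-modulus", "kty": "RSA" }')
OTHER_KEY = json.loads('{"kty":"RSA","n":"another-modulus","e":"AQAB"}')

# The root document carries fingerprints only, not whole keys.
ROOT_FINGERPRINTS = {fingerprint(KEY_A)}
```
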