Re: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)

Anders Rundgren <> Sat, 11 July 2020 06:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A34463A09B5 for <>; Fri, 10 Jul 2020 23:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sol5FyKjHddv for <>; Fri, 10 Jul 2020 23:50:31 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::444]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DAB1E3A09B3 for <>; Fri, 10 Jul 2020 23:50:30 -0700 (PDT)
Received: by with SMTP id j4so7922359wrp.10 for <>; Fri, 10 Jul 2020 23:50:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=mW6ikYJZ//hx9yQwLZPcEpH5Akpp8rE0TPlZoqWndQ4=; b=CmMgbssFdPg5BvpIrucS0c52OpTGQLP9Di6BTrLq7+FXGZzxvn3lrdVtBebmZRJsJI GOpnKdZqZVUQq4nuak0ScKLgKzq78bb+lwwkJcjiYKemsNJnBjCSC/4253FMcoCNdqwl 0f+QkfBocvnXcAFYSiLuo14zmHIgHnpT/eSVpQxCYH/Y4lqKITccQUURqj/4CQD9H3Za CDGQ8BLqaN8CMbkQesAlTlZ1WH3/huQhrFg7hojijWHb55wTbL8j/P3LTPGkfZBdX2SW cDHA1HuQgRrodyISwlF6dXGsnybEnMKDlsTxUjHPzfkDxLcTv5Cx/j/QR1lEzk+TryxV gSdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=mW6ikYJZ//hx9yQwLZPcEpH5Akpp8rE0TPlZoqWndQ4=; b=lNFcPtFUoKhR08ybD9j6gMgDT3KS6oGSBciblvQd/6HFUJq5yfEm8kz/1ZeV9Rqlaf j4F0wAYYeGQCZrU4QnuSpdJYGhkfTv2ziLHwZEkODqnWboCYXjUJFrcjNyWdb7IclXcv yVER9Did+lChzk2WMV0G1qMS+xatQISdbe+AB64lhpbmilZlLtrZq2Kutzb/ZXdMsXqQ LGMmIPtm588InwtoZIRqDmikv2wrxPWIG9HYx8gH5ly1davSdpJipFkxEoTOCASMZzFR 4QqKC+xrcgD8WxFMuLABCkDvZ2BOt/XLNgJ8nxJMnx0OsCoWCAawdRm/FmeQyupLyhzU PXQw==
X-Gm-Message-State: AOAM530uTkDdqo43i+0wXw5ST230uJmrHZitESnqKmAVDjVnTsnUGuq6 nFOQwRNLTgUBZC7cK3FYEzyYcqE9AVU=
X-Google-Smtp-Source: ABdhPJyOow2WfE3myD9+DD8oJ6ahZvO0JIceufwpCn4BumODlZqUxoBYqF1e8+Nj6x5Yh5Fsydm4uA==
X-Received: by 2002:adf:e7c2:: with SMTP id e2mr75895476wrn.179.1594450228841; Fri, 10 Jul 2020 23:50:28 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id z63sm13565998wmb.2.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Jul 2020 23:50:27 -0700 (PDT)
To: Mike Jones <>, "" <>
References: <>
From: Anders Rundgren <>
Message-ID: <>
Date: Sat, 11 Jul 2020 08:50:25 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 11 Jul 2020 06:50:33 -0000

Hi Mike,

On 2020-07-10 22:21, Mike Jones wrote:
> I must admit, I was surprised to see this RFC, because very little discussion of it happened on the JOSE mailing list.  The last mention I can see of it was in February 2019 - the same time you were proposing to take this to SecDispatch.  I never heard of it again after that.

Well, it was mentioned that a separate mailing-list had been created for discussing the I-D.  This was done to not "spam" the JOSE list with things that were of no interest.  There were a few but useful topics discussed there which indeed are reflected by the RFC.

> So that any future related efforts have an opportunity for widespread review, particularly if they are JOSE related, I'd request that you and others working on them also post drafts to the JOSE mailing list, even if you're working in the Independent Stream.

Sure. If we stick to "features", the documents referred to should give you a pretty good idea of what to expect. is built directly on top of JOSE, while the other schemes [currently] are not.

With respect to JOSE, it seems that right now, the biggest challenge for the IETF is dealing with topic I presented in a SEC-DISPATCH session at IETF-104, that is, "Signed HTTP Requests".  Due to the lack of progress in this space, ETSI have recently published their take on the matter as well.  ETSI are targeting Open Banking so it may impact the entire "market".

FWIW, I have not given up this subject because "Signed and Serializable HTTP requests using JSON" seems be a unique feature.  Serialization enables counter-signatures which is a core component of a universal payment authorization system known as "Saturn".  For this particular system, counter-signatures are also used for simplifying state-holding and referencing by embedding preceding related messages (aka "Russian Doll").  Counter-signatures are also useful for digital contracts in block-chain systems.

> There are things I would have commented on in JCS if I'd seen intermediate drafts before it became an RFC.  (For instance, I would have asked for explicit serialization instructions for the one ASCII control character not in the range 0x00-0x1F - 0x7F (DEL).)

Serialization of JSON tokens follows ECMAScript to 100% so the string serialization algorithm is essentially just a copy.


> 				Thanks,
> 				-- Mike
> -----Original Message-----
> From: jose <> On Behalf Of Anders Rundgren
> Sent: Friday, July 10, 2020 11:41 AM
> To:
> Subject: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)
> After virtually eons of time has finally been published.
> It wouldn't have happened without the input from the IETF community!
> Since canonicalization in itself is fairly useless, there are several additional work-items building on JCS (RFC 8785) in the pipe-line:
> On-line demo/test using JWS: On-line demo/test using an "unwrapped" JWS called JSON Signature Format (JSF):
> A real-world implementation by OWASP using JSF:
> There is also an "unwrapped" JWE called JSON Encryption Format (JEF), currently published as an HTML document:
> If anybody out there would be interested in "RFC-ing" JWS-JCS, JSF, or JEF, please drop me a line.
> The current plan is publishing the additional RFCs using the Independent Stream, rather than as IETF standards.
> Anders
> _______________________________________________
> jose mailing list