IETF Logo Mail Archive

Re: [jose] canonical JSON

Mike Jones <Michael.Jones@microsoft.com> Tue, 19 February 2013 20:48 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AEF521F8878 for <jose@ietfa.amsl.com>; Tue, 19 Feb 2013 12:48:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.582
X-Spam-Level:
X-Spam-Status: No, score=-2.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-yvgJsj7TRl for <jose@ietfa.amsl.com>; Tue, 19 Feb 2013 12:48:34 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.26]) by ietfa.amsl.com (Postfix) with ESMTP id EE45521F887F for <jose@ietf.org>; Tue, 19 Feb 2013 12:48:33 -0800 (PST)
Received: from BL2FFO11FD005.protection.gbl (10.173.161.200) by BL2FFO11HUB010.protection.gbl (10.173.161.112) with Microsoft SMTP Server (TLS) id 15.0.620.12; Tue, 19 Feb 2013 20:48:32 +0000
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD005.mail.protection.outlook.com (10.173.161.1) with Microsoft SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Tue, 19 Feb 2013 20:48:32 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.96]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0318.003; Tue, 19 Feb 2013 20:48:02 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>, Richard Barnes <rlb@ipv.sx>
Thread-Topic: [jose] canonical JSON
Thread-Index: AQHODm6A6D/j5gtDMEa/+fG4zzAaRJiBNOgAgAARsYCAAF3PgIAAA2Pg
Date: Tue, 19 Feb 2013 20:48:01 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943674774DA@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAG8k2+4xaAUBPs=Kw-=eBHZNyOMs6VYByPEb1jnAv1aGjLupng@mail.gmail.com> <CABkgnnWzdoo6b0ZymF0cv_v9zOjJKTWuUhkWuxiA-cM9qgu0jg@mail.gmail.com> <CAG8k2+47GQXHhWBdqd82UEAPZUfAigYE-vwxpaMJm4F5i8098A@mail.gmail.com> <CAL02cgQ3Oh1D9qHW7XWAZqzmfnE5T6-FjNydjpMEMhaHf2d7Xw@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150757902D@WSMSG3153V.srv.dir.telstra.com> <CAG8k2+5mVYJ6TgQHJ9juXEaWkfMteG6gV8w_dCoShP4-9fPqMA@mail.gmail.com> <CAL02cgRZkf8rR=gAuR6ZT61WCah3aWQNAq8d+GLWweehH7jN6A@mail.gmail.com> <BF7E36B9C495A6468E8EC573603ED9411513E85D@xmb-aln-x11.cisco.com>
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED9411513E85D@xmb-aln-x11.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.74]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(51444002)(24454001)(13464002)(52034002)(51704002)(189002)(199002)(46102001)(74662001)(66066001)(63696002)(55846006)(44976002)(15202345001)(74502001)(47736001)(31966008)(79102001)(47776003)(47446002)(80022001)(23726001)(76482001)(46406002)(47976001)(50986001)(4396001)(56816002)(54316002)(54356001)(53806001)(49866001)(33656001)(16406001)(5343635001)(5343655001)(65816001)(59766001)(77982001)(20776003)(56776001)(50466001)(51856001)(292474001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB010; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0762FFD075
Cc: Daniel Holth <dholth@gmail.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, jose <jose@ietf.org>
Subject: Re: [jose] canonical JSON
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2013 20:48:35 -0000

[Repeating this on the correct thread...]

I'm strongly against canonicalization.  The XML canonicalization experience was horrible and resulted in more interop bugs than any other aspect of XML DSIG, XML ENC, etc.  Let's not repeat the mistakes of our elders. ;-)

I also haven't seen a clear use case that canonicalization solves that can't be more easily solved another way.

				-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Matt Miller (mamille2)
Sent: Tuesday, February 19, 2013 12:35 PM
To: Richard Barnes
Cc: Daniel Holth; Manger, James H; jose
Subject: Re: [jose] canonical JSON

I know I'm still reeling from canonicalization (c14n) issues in XML, but I can put that aside.  It would be nice to have JWK fingerprinting.

I can see value in each JWK type defining what is canonical; I'm less thrilled limiting metadata to a specific place, but could live with that.  I can see where excluding metadata can get us in trouble later, but I think that would mean having a much more robust c14n approach.

By the way, there is going to be a JSON BoF in Orlando, and c14n seems like a good thing to bring up there.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

PS: 42 vs 4.2e0 vs 4.2e1

On Feb 19, 2013, at 7:59 AM, Richard Barnes <rlb@ipv.sx> wrote:

> So your fingerprint algorithm would be something like the following?
> 
> INPUT: JWK
> 1. Remove "metadata" fields.  So, for RSA, you would be left with 
> {"kty", "n", "e"} 2. Convert stripped JWK to canonical form 3. Compute 
> digest over canonical form
> 
> That seems generally agreeable to me.
> 
> For (1) to be possible, you would need to define which fields are 
> covered in the fingerprint for each key type ("kty" value).  Or, 
> alternatively, you could restructure JWK so that metadata fields are grouped into a "meta"
> sub-dict.  Which might be nice anyway.
> 
> For (2), I agree that there is probably a better canonicalization than 
> CJSON.  The code I pasted earlier implements the following changes 
> from RFC
> 4627:
> -- Object fields must be in lexicographic order, sorted by field name
> -- No white space allowed
> -- Numbers: Exponent part must use 'e'
> -- Numbers: Exponent part must not use '+'
> -- Numbers: Fraction part must not have trailing zeros
> -- Strings: All characters must be escaped ISTM that those changes are 
> fairly minimal, and avoid some of the CJSON problems that have been 
> discussed above. Reasonably people can disagree over the string 
> aspect; if you want less expansion, you could do things like exempt 
> printable ASCII.
> 
> 
> 
> 
> On Tue, Feb 19, 2013 at 8:56 AM, Daniel Holth <dholth@gmail.com> wrote:
> 
>> On Tue, Feb 19, 2013 at 1:57 AM, Manger, James H < 
>> James.H.Manger@team.telstra.com> wrote:
>> 
>>> A canonical form of JSON might be fairly easy, but the one you quote 
>>> (
>>> http://wiki.laptop.org/go/Canonical_JSON) can't handle floating 
>>> point numbers (or very large integers), and produces invalid JSON if 
>>> a string includes a tab! Fix those (escaping control chars 
>>> [\u0000-\u001f]; use normalized scientific notation for numbers) and 
>>> it might be worth
>>> considering.****
>>> 
>>> ** **
>>> 
>>> Defining JOSE calculations in terms of 1 or more byte arrays, the 
>>> first of which is a UTF-8-encoded JSON header, would be useful. It 
>>> can then be packaged as dot-separated base64url-encoded segments to 
>>> be HTTP-header-friendly, or packaged as a single JSON object to be 
>>> programmer-friendly, or packaged as raw bytes to be efficient.
>>> 
>> 
>> I am only proposing a key fingerprinting specification that does not 
>> employ DER encoding. JWKs do not contain tabs or floating point numbers.
>> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email