Re: [jose] Canonical JSON form

Bret Jordan <jordan.ietf@gmail.com> Wed, 10 October 2018 21:19 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_76D9CCB0-7F7E-4BDB-99C0-746E68C135D5"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 10 Oct 2018 15:18:32 -0600
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com>
To: Nathaniel McCallum <npmccallum@redhat.com>, jose@ietf.org
In-Reply-To: <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com>
Message-Id: <0AE27224-DA55-49C7-ACE1-C11951A22836@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/DGZpVschf4eabue4QMA3dsEfgpQ>
Subject: Re: [jose] Canonical JSON form
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

I also need the ability to have signatures embedded in the JSON and to have multiple groups sign various individual or holistic parts of the JSON structure.

I found this page, and from a first read it looks like it gets me some of the way to what I am needing.
https://cyberphone.github.io/doc/security/jcs.html


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 10, 2018, at 3:02 PM, Nathaniel McCallum <npmccallum@redhat.com> wrote:
> 
> I can't speak for the WG. However, I think such is unnecessary. It is
> long standing custom, when working with JSON (with or without JOSE),
> to serialize without whitespace and with sorted keys. Every single
> JSON implementation I've ever come across gives you the ability to do
> this.
> On Wed, Oct 10, 2018 at 4:49 PM Bret Jordan <jordan.ietf@gmail.com> wrote:
>> 
>> Would this WG be open to working on a solution to sign JSON (not a byte stream) and define a canonical representation for said JSON?
>> 
>> 
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>> 
>> On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum <npmccallum@redhat.com> wrote:
>> 
>> JWS signs a byte stream, not JSON. If you want to use a JWS to sign
>> JSON data it is your responsibility to ensure that both sides produce
>> an equivalent byte stream.
>> On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <jordan.ietf@gmail.com> wrote:
>> 
>> 
>> Dear WG,
>> 
>> I was reading through RFC 7515 to see if it would work for a project I am working on. Basically, I need to sign and re-sign a JSON object. However, in RFC 7515 there does not seem to be any definition for serializing a canonical form of JSON. This means that two organizations that serialize it differently would produce two different signatures.
>> 
>> Super simple example:
>> 
>> { "type" : "house", "size" : "1000 sq feet" }
>> 
>> Or
>> 
>> {
>>   "type" : "house",
>>   "size" : "1000 sq feet"
>> }
>> 
>> Or
>> 
>> {"type":"house","size":"1000 sq feet"}
>> 
>> Or (tabs not spaces)
>> 
>> {
>> 	"type" : "house",
>> 	"size" : "1000 sq feet"
>> }
>> 
>> 
>> All four of these JSON structures would produce a different signature as defined by RFC 7515. What am I missing?
>> 
>> 
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>> 
>>
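As an added example (not code from this thread, from RFC 7515, or from the JCS page linked above), the Python below applies the convention Nathaniel describes, sorted keys and no whitespace, to Bret's four textual variants so that each yields the same bytes and therefore the same signature. An HMAC-SHA256 stands in for the JWS signature step, which likewise operates on bytes rather than on JSON; the `signature` member name, the demo key and the four sample inputs are constructed for the example. It also shows the enveloped form Bret asks for, a signature carried inside the object and computed over everything but itself, and one check a practitioner should make before relying on "sorted keys, no whitespace": that convention does not normalize numbers, so `1` and `1.0` still produce different bytes, which is one of the gaps the JCS work (later RFC 8785) closes by fixing number formatting and key-sort order.

```python
import hashlib
import hmac
import json

# Constructed inputs: the same JSON object written four ways, as in the thread
# (single line, pretty-printed with spaces, compact, pretty-printed with tabs).
VARIANTS = [
    '{ "type" : "house", "size" : "1000 sq feet" }',
    '{\n  "type" : "house",\n  "size" : "1000 sq feet"\n}',
    '{"type":"house","size":"1000 sq feet"}',
    '{\n\t"type" : "house",\n\t"size" : "1000 sq feet"\n}',
]

SIG_PROPERTY = "signature"  # hypothetical name for the embedded signature member


def canonicalize(obj) -> bytes:
    """Serialize a parsed JSON value with sorted keys, no insignificant
    whitespace and raw UTF-8 (no \\uXXXX escapes for non-ASCII).
    This is the 'sorted keys, no whitespace' convention from the thread, not
    the complete JCS algorithm: RFC 8785 additionally fixes number formatting
    and sorts keys by UTF-16 code units, which this function does not do."""
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def canonical_bytes(text: str) -> bytes:
    """Canonical form of a JSON document given as text."""
    return canonicalize(json.loads(text))


def sign_text(text: str, key: bytes) -> str:
    """HMAC-SHA256 over the canonical bytes; stands in for the JWS signing
    step, which also operates on bytes, not on JSON."""
    return hmac.new(key, canonical_bytes(text), hashlib.sha256).hexdigest()


def all_variants_agree(key: bytes) -> bool:
    """True when all four textual variants yield one and the same signature."""
    return len({sign_text(v, key) for v in VARIANTS}) == 1


def embed_signature(obj: dict, key: bytes) -> dict:
    """Return a copy of obj carrying an HMAC over the canonical form of every
    member except the signature member itself (enveloped-signature pattern)."""
    body = {k: v for k, v in obj.items() if k != SIG_PROPERTY}
    signed = dict(body)
    signed[SIG_PROPERTY] = hmac.new(key, canonicalize(body), hashlib.sha256).hexdigest()
    return signed


def verify_embedded(obj: dict, key: bytes) -> bool:
    """Recompute the embedded signature and compare it in constant time."""
    if SIG_PROPERTY not in obj or not isinstance(obj[SIG_PROPERTY], str):
        return False
    expected = embed_signature(obj, key)[SIG_PROPERTY]
    return hmac.compare_digest(expected, obj[SIG_PROPERTY])


def survives_reformatting(obj: dict, key: bytes) -> bool:
    """Sign, pretty-print with a 4-space indent, reparse, verify: the signature
    must still hold because verification canonicalizes before hashing."""
    signed = embed_signature(obj, key)
    reparsed = json.loads(json.dumps(signed, indent=4))
    return verify_embedded(reparsed, key)


def numbers_are_a_caveat() -> bool:
    """sort_keys + compact separators does not normalize numbers: 1 and 1.0
    denote the same JSON number but serialize to different bytes here, so two
    implementations can still disagree unless a number-formatting rule such
    as RFC 8785's is adopted by both sides."""
    return canonical_bytes('{"n": 1}') != canonical_bytes('{"n": 1.0}')


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the example, not a real secret
    for v in VARIANTS:
        print(canonical_bytes(v).decode(), sign_text(v, key)[:16] + "...")
    print("all variants agree:", all_variants_agree(key))
    house = {"type": "house", "size": "1000 sq feet"}
    print("survives reformatting:", survives_reformatting(house, key))
    print("numbers are a caveat:", numbers_are_a_caveat())
```

Run it as a script to see the four inputs collapse to `{"size":"1000 sq feet","type":"house"}` and one signature. The last line of output is the point of the caveat: agreeing on key order and whitespace is necessary but not sufficient, and a signing profile has to pin down number and string serialization as well, which is why a specification rather than a custom is useful here.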