IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 04 July 2013 06:32 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F20AF21F9F1A for <jose@ietfa.amsl.com>; Wed, 3 Jul 2013 23:32:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7498baRsW6nL for <jose@ietfa.amsl.com>; Wed, 3 Jul 2013 23:32:39 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id EF9AF21F9F19 for <jose@ietf.org>; Wed, 3 Jul 2013 23:32:37 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.87,992,1363093200"; d="scan'208,217"; a="145102833"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 04 Jul 2013 16:32:34 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7125"; a="142359845"
Received: from wsmsg3755.srv.dir.telstra.com ([172.49.40.196]) by ipcbvi.tcif.telstra.com.au with ESMTP; 04 Jul 2013 16:32:34 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3755.srv.dir.telstra.com ([172.49.40.196]) with mapi; Thu, 4 Jul 2013 16:32:33 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>, Richard Barnes <rlb@ipv.sx>
Date: Thu, 04 Jul 2013 16:32:32 +1000
Thread-Topic: [jose] #26: Allow for signature payload to not be base64 encoded
Thread-Index: AQHOcgNOsVoAPXc/s02k5Wh9HChUEZlIUkQAgACNH4CAAObIgIAAAUowgAAHOACAAFdeAIAAGdCAgAGB7wCAAAHbAIAGPQKAgAAf+ACAAQlpgIAAHumAgAA4CICAAAKLgIAAANTAgABJkoA=
Message-ID: <255B9BB34FB7D647A506DC292726F6E1151C19B4EA@WSMSG3153V.srv.dir.telstra.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com> <51CBA981.4050006@nri.co.jp> <048f01ce7355$19f05bc0$4dd11340$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943678A0114@TK5EX14MBXC283.redmond.corp.microsoft.com> <04bf01ce7359$5ab862c0$10292840$@augustcellars.com> <CAL02cgTkUrQptGqOfQyhCembS1e3Qxw3peRFnO5QjswUW=XR-w@mail.gmail.com> <CAD9ie-sZ+w_HADMTnnkTC8XRJmjZvwYOmA+AhvJGTNPhhK=Z4g@mail.gmail.com> <CAL02cgQbAQ8zhumdR_uvXjhbZM0iXpfPnmgcJrMUuh4+bj11NA@mail.gmail.com> <CAD9ie-sBGnv5QbjFeQiXiMJ0Git06LPsAkoNeN7KZxRNqukv3w@mail.gmail.com> <CAL02cgSFjiBUECdUoVbArdszRCPgsfLX_Yr11zDUjrrX3RTPaw@mail.gmail.com> <DED9A23D-E0C9-4498-B894-D2A461EA67C1@gmail.com> <CAL02cgQ2kiYJb2ucQLLHbYrQNg7_1nvuBoqyZKqWZiZoEmcjZA@mail.gmail.com> <CAD9ie-vs_Rv1bQFV6r-viNd9CLLOhY6Ty23PaJM7HQPGYu3ZEA@mail.gmail.com> <CAL02cgSEbk9OQ6ZJMnpXCdi9Tt7fLrFpwmLPAZYpx-MzVzNKRg@mail.gmail.com> <612E223E-64FA-44BC-9291-58FF7434BFF6@ve7jtb.com> <4E1F6AAD24975D4BA5B1680429673943678D935D@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943678D935D@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1151C19B4EAWSMSG3153Vsrv_"
MIME-Version: 1.0
Cc: Jim Schaad <ietf@augustcellars.com>, n-sakimura <n-sakimura@nri.co.jp>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jul 2013 06:32:46 -0000

Separate names to hold the payload as a base64url-encoding ("payload") or as a string ("verbatim") is a better approach than a "cenc" header field. At some point we might add a third name ("payload_uri") to identify the content without including it in the JSON.

One hassle we are having is that transmitting the payload in B64, or as a string, or externally, or by reference isn’t merely a serialization choice, but actually affects the bytes that are signed (so it potentially changes the security properties so it requires lots of care). Understandably, but unfortunately, many are reluctant to make changes to tackle this at this point.

A related issue is that the "alg" value is no longer sufficient to indicate the bytes that are signed. This is one reason why a “mode” concept would be helpful (along with a "mode" field, with defaults for compatibility with current drafts).

--
James Manger

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, 4 July 2013 7:33 AM
To: John Bradley; Richard Barnes
Cc: Jim Schaad; n-sakimura; jose@ietf.org; Dick Hardt
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded

As I’d written earlier, *if* the working group decides to also support a payload representation that is not base64url encoded (and I think that’s a big *if*), I believe that it should apply only to the JSON Serialization and use an alternative member name, so that the current JSON Serialization objects are unchanged.

For instance, these three alternative representations could all represent the same JWS Payload:
    "payload": "SGVsbG8gd29ybGQ"
    "verbatim": "Hello world"
    "verbatim": "Hello\u0020world"

As I see it, we shouldn’t change the meaning of “payload” at this point, without as Karen put it, “a strong rationale and a ground swell of working group support”.

                                                                -- Mike

v2.34.0 | Report a Bug | By Email | System Status