[jose] JWS Signing of HTTP attachments

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 12 May 2017 13:05 UTC

To: "jose@ietf.org" <jose@ietf.org>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <33ea6034-2e07-59dc-0561-58b45dfeefe7@gmail.com>
Date: Fri, 12 May 2017 13:59:21 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/EEuqGxisFouXKPPp5ymT9kma80Y>

Hi All,

I've experimented in our project with having HTTP attachment parts 
protected using JWS with Detached Content and Unencoded Payload options [1].

This approach appears to be quite effective to me. It also appears to me 
that the data as shown in the example at [1] can, in principle, be 
produced and processed by any HTTP stack that can work with multiparts, 
assuming a JOSE library supporting the detached and unencoded content is 
also available.

I'd appreciate it if the experts could comment on 1) whether you see any 
weaknesses in the proposed approach and 2) whether someone sees a point in 
drafting some text around it (I can contribute if it is of interest).

Thanks, Sergey

[1] 
http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-SigningandVerificationofHTTPAttachments
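The construction the message describes, as an added example that is not part of the original post and not the CXF project's own code: a JWS with the RFC 7797 unencoded payload option (`"b64": false`, listed in `crit`) and detached content is computed over the raw attachment bytes, carried in its own multipart part, and re-verified by the receiver against the attachment bytes it extracted. The choice of HS256 with a constructed shared key, the hand-built two-part body with a constructed boundary, and the `application/jose` part label are assumptions of this example; the original page does not fix any of them.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): in practice the sender and receiver share or
# provision this out of band; it is not a value taken from the original page.
DEMO_KEY = b"constructed-demo-key-do-not-reuse-0123456789"
BOUNDARY = b"constructed-boundary-7c2a"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_attachment(attachment: bytes, key: bytes) -> str:
    """Detached JWS with unencoded payload (RFC 7797) over the raw attachment bytes.
    Returns the compact serialization with an empty payload segment: header..signature."""
    header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    # With b64=false the signing input is ASCII(BASE64URL(header)) || '.' || raw payload.
    signing_input = encoded_header.encode("ascii") + b"." + attachment
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}..{b64url(sig)}"


def verify_attachment(detached_jws: str, attachment: bytes, key: bytes) -> bool:
    """Re-attach the received bytes to the detached JWS and check the MAC."""
    parts = detached_jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # detached form must have an empty payload segment
    encoded_header, _, encoded_sig = parts
    try:
        header = json.loads(b64url_decode(encoded_header))
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the algorithm the receiver expects rather than trusting "alg" from the header.
    if header.get("alg") != "HS256":
        return False
    # RFC 7797: a b64=false header must carry "b64" in crit so that a verifier that
    # does not understand the option rejects the object instead of verifying wrongly.
    if header.get("b64") is not False or "b64" not in header.get("crit", []):
        return False
    signing_input = encoded_header.encode("ascii") + b"." + attachment
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(encoded_sig))


def build_multipart(attachment: bytes, detached_jws: str) -> bytes:
    """Constructed two-part body: the detached JWS first, then the attachment it covers."""
    lines = [
        b"--" + BOUNDARY,
        b"Content-Type: application/jose",
        b"",
        detached_jws.encode("ascii"),
        b"--" + BOUNDARY,
        b"Content-Type: application/octet-stream",
        b"",
        attachment,
        b"--" + BOUNDARY + b"--",
        b"",
    ]
    return b"\r\n".join(lines)


def split_multipart(body: bytes) -> list:
    """Minimal parser for the body built above; returns each part's raw body bytes."""
    parts = []
    for chunk in body.split(b"--" + BOUNDARY)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        _, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        parts.append(part_body[:-2] if part_body.endswith(b"\r\n") else part_body)
    return parts


def receive_and_verify(body: bytes, key: bytes):
    """Receiver side: extract the JWS part and the attachment part, then verify."""
    parts = split_multipart(body)
    if len(parts) != 2:
        return False, b""
    detached_jws, attachment = parts[0].decode("ascii"), parts[1]
    return verify_attachment(detached_jws, attachment, key), attachment


if __name__ == "__main__":
    att = b"constructed invoice bytes: TOTAL=100\n"
    body = build_multipart(att, sign_attachment(att, DEMO_KEY))
    print(receive_and_verify(body, DEMO_KEY)[0])
    print(receive_and_verify(body.replace(b"TOTAL=100", b"TOTAL=900"), DEMO_KEY)[0])
```

Because the payload is unencoded, the signed bytes are exactly the bytes the HTTP stack already transmits in the attachment part, so no base64 inflation or re-encoding is needed; any byte change to that part (including whitespace or line-ending normalisation by an intermediary) invalidates the signature, which is the property to test for before deploying.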