Re: [jose] issue #25 TEXT

Mike Jones <Michael.Jones@microsoft.com> Mon, 04 November 2013 18:35 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF0F721E808D for <jose@ietfa.amsl.com>; Mon, 4 Nov 2013 10:35:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.491
X-Spam-Level:
X-Spam-Status: No, score=-3.491 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T28edJinSL4b for <jose@ietfa.amsl.com>; Mon, 4 Nov 2013 10:34:59 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0151.outbound.protection.outlook.com [207.46.163.151]) by ietfa.amsl.com (Postfix) with ESMTP id 9F8CF21E8063 for <jose@ietf.org>; Mon, 4 Nov 2013 10:34:55 -0800 (PST)
Received: from BY2PR03CA034.namprd03.prod.outlook.com (10.242.234.155) by BY2PR03MB224.namprd03.prod.outlook.com (10.242.36.151) with Microsoft SMTP Server (TLS) id 15.0.800.7; Mon, 4 Nov 2013 18:34:51 +0000
Received: from BY2FFO11FD005.protection.gbl (2a01:111:f400:7c0c::194) by BY2PR03CA034.outlook.office365.com (2a01:111:e400:2c2c::27) with Microsoft SMTP Server (TLS) id 15.0.800.7 via Frontend Transport; Mon, 4 Nov 2013 18:34:51 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD005.mail.protection.outlook.com (10.1.14.126) with Microsoft SMTP Server (TLS) id 15.0.815.5 via Frontend Transport; Mon, 4 Nov 2013 18:34:51 +0000
Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.160]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0158.002; Mon, 4 Nov 2013 18:33:52 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augutscellars.com>
Thread-Topic: issue #25 TEXT
Thread-Index: Ac67uYs2YQOzlCuxQ0OV0iQkGne2gQdy8smw
Date: Mon, 04 Nov 2013 18:33:51 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394377E3A6D4@TK5EX14MBXC288.redmond.corp.microsoft.com>
References: <013501cebd4f$98fd82a0$caf887e0$@augutscellars.com>
In-Reply-To: <013501cebd4f$98fd82a0$caf887e0$@augutscellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394377E3A6D4TK5EX14MBXC288r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454003)(5383001)(199002)(189002)(16236675002)(31966008)(47446002)(77982001)(59766001)(74502001)(63696002)(80022001)(56776001)(54316002)(71186001)(65816001)(81342001)(66066001)(74662001)(76482001)(15202345003)(69226001)(79102001)(76786001)(55846006)(81542001)(76796001)(20776003)(84326002)(51856001)(46102001)(85306002)(44976005)(19580395003)(83322001)(19580405001)(80976001)(6806004)(50986001)(81816001)(47976001)(74366001)(81686001)(4396001)(33656001)(512954002)(77096001)(49866001)(15975445006)(56816003)(19300405004)(74706001)(54356001)(47736001)(74876001)(87266001)(83072001)(53806001)(2656002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB224; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0020414413
X-OriginatorOrg: microsoft.com
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] issue #25 TEXT
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 18:35:06 -0000

Per my action item from the last call, I propose the following text to address issue #25:

8.  Detached Content

In some contexts, it is useful integrity protect content that is not itself contained in a JWS object.  There are two suggested ways of accomplishing this using JWS objects.

One way is create a JWS object containing the payload in the normal fashion, but then delete the payload representation, and send this modified object to the recipient, rather than the JWS.  This method assumes that the recipient has access to the exact payload used in the JWS.  When using the JWS Compact Serialization, the deletion is accomplished by replacing the second field (which contains BASE64URL(JWS Payload)) value with the empty string; when using the JWS JSON Serialization, the deletion is accomplished by deleting the "payload" member.  To use the modified object, the recipient reconstructs the JWS by re-inserting the payload representation into the modified object, and uses the resulting JWS in the usual manner.  Note that this method needs no support from JWS libraries, as applications can use this method by modifying the inputs and outputs of standard JWS libraries.

Another way to accomplish this is to have the JWS Payload be or include a cryptographic hash of the detached content.  The application might also include an identifier for the hash algorithm used in the JWS payload.  To use this JWS, the recipient validates the JWS in the usual way and verifies that the hash value contained in the JWS payload matches a cryptographic hash of the detached content computed by the recipient.  This method also needs no support from JWS libraries.

                                                            -- Mike

From: Jim Schaad [mailto:ietf@augutscellars.com]
Sent: Sunday, September 29, 2013 1:08 PM
To: Mike Jones
Cc: jose@ietf.org
Subject: issue #25 TEXT

The following provides suggested text for addressing Issue #25

Jim


Text for the JWS document:

Section 7.2.1  Detached Content

Applications can do detached content with the JSON serialization.  Detached content has the benefit of allowing the content to be transmitted in a more natural format, and to avoid the expansion associated with applying the base64 transformation.  It has the downside that how the content is serialized into a text string is not preserved and therefore some type of canonicalization process may need to be applied by both the sender and the recipient.  In some circumstances this is not an issue (signing a binary file), while in other circumstances it can be problematic (end of line characters or ordering of JSON objects).  Applications cannot rely on this feature to be implemented by libraries but need to do it themselves.

On serialization, the application removes the payload value from the JSON structure before writing it out.  The contents of the signed field are then transmitted separately from the JWS structure.  For instance, the JWS serialized JSON structure could be transmitted as an HTTP header field, while the content is transmitted as  the content of the HTTP body.

On deserialization, the application obtains the to be signed value from where it is transferred, applies the necessary canonicalization and encoding to it before creating the "payload" member of the JSON structure and passing the resulting object to the library for processing.


Text for the JWE document:

Section 7.2.1 Detached Content

Applications can do detached content with the JSON serialization.  Detached content has the benefit of allowing the content to be transmitted in a more natural format, and to avoid the expansion associated with applying the base64 transformation.  Since the output of the encryption process is always an octet string, there are no canonicalization issues associated with transporting the encrypted string separately from the encryption header.

On serialization, the application removes the "ciphertext" field from the JSON structure before writing it out.  The contents of the "ciphertext" field then have the base64 encoding removed and it is transmitted separated from the JWE structure.  For instance, the JWE serialized JSON structure could be transmitted as an HTTP header field, while the cipher  text could be transmitted using binary transfer encoding as the HTTP body.

On deserialization, the application obtains the cipher text from where it was transferred, applies the base64 transfer encoding and places it in the "ciphertext" member of the JWE JSON structure.  The resulting object is then passed to the JOSE library for process.