Re: [jose] Signed HTTP Requests @ IETF-104

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 26 March 2019 06:16 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5F90120286 for <jose@ietfa.amsl.com>; Mon, 25 Mar 2019 23:16:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpGMAnPNps-U for <jose@ietfa.amsl.com>; Mon, 25 Mar 2019 23:16:12 -0700 (PDT)
Received: from mail-wr1-x441.google.com (mail-wr1-x441.google.com [IPv6:2a00:1450:4864:20::441]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4D83120287 for <jose@ietf.org>; Mon, 25 Mar 2019 23:16:11 -0700 (PDT)
Received: by mail-wr1-x441.google.com with SMTP id w10so12840601wrm.4 for <jose@ietf.org>; Mon, 25 Mar 2019 23:16:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=LCF8K9Yu+9S9Nx5lzmVx6Nz26+qoUQB+cBAQKGVZRLA=; b=hqBz4l0QrDhep7UP6qtLBt2uIC8snQB1vcbQWx4tLB1BODsf2pSq0GdgaQIpFYpmFC T6BqHbXE9noWAaFMU5GDww+eRUKAstD7alJx5qxaLzp9FuQUe0fmzGLVhKPlqJP9FXuM c/JOGa0BaBFQjiU2156SywMxodbRH3mPh3pdhCHjQCHnRBid15hejgXH0MWbCDdVLme1 9CV8U5hpe5lecvmbuZv8TOJfDODLa6zz+hQ3gulvySyVklDQMzg1RhzcgVr6VeKIsPMw LAL+JTcQDtkq60LTQFNbkDu6l/ALlYgqqzLS/vbcHxBfLm8AVdlzjphOAGeLwrF0Vnyx e87w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=LCF8K9Yu+9S9Nx5lzmVx6Nz26+qoUQB+cBAQKGVZRLA=; b=M1Z7X2LYKVazPZR/mNTmYPxd4q8idxFoQ5YY8lckJiVm16y5NWpKmR8cuHD81Sn0po dVunTSnJrk+U8eoY8FM7s41W3x6DAfEMkYrjVVAM2Ygopbgzvhi6CgCkIVc+73AeseEp q2TGq9LDnNaFtFqPcgTJL/p/toXxR0DjQoAmuH5nijxHWVIXBV/RUmnHWDaHdQQpkJrX p3SnriVrsV7MztGq4M1i+l5ZVXEGifBAp3JvImBC5+o2OTlQ4IpybQLMA4a/y0elQLyo 2fpIZE5iiHjKNV+DVxRs4+dqgfv2OJcz/c7e0cwPxWyXDrZGzJMgF7Fwh/y8Ei82THSN aW7g==
X-Gm-Message-State: APjAAAUQZn77s0UNBQ2x3dCLmOsKJ7MQ58NRoSoW5Q2TMpmuU12m9Hhc Gkq4+zh/X07wH0o+DzU5aci7iiVMzfo=
X-Google-Smtp-Source: APXvYqzx79JwLN0fDRXa0PhAbmEtI0TVCmuBng9MQDn3DYhsS0AIIogw/HUrL7D4f0ZWous8G960EA==
X-Received: by 2002:adf:f80d:: with SMTP id s13mr17098183wrp.38.1553580969740; Mon, 25 Mar 2019 23:16:09 -0700 (PDT)
Received: from [10.0.0.58] ([194.228.79.73]) by smtp.googlemail.com with ESMTPSA id h2sm33620512wro.11.2019.03.25.23.16.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2019 23:16:08 -0700 (PDT)
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Bret Jordan <jordan.ietf@gmail.com>
Cc: Anthony Nadalin <tonynad@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
References: <3afd27b3-c095-3188-89d3-58d8be177c5e@gmail.com> <DM5PR00MB0391CF9D87A9CE6F9CC36FF0A64A0@DM5PR00MB0391.namprd00.prod.outlook.com> <194bf99a-d5aa-d342-d110-3d66daf50d6e@gmail.com> <05237AAD-FB1F-4A06-A2BF-D4020B1F2799@gmail.com> <D6152153-D4B4-4EA5-B02C-CD01870EE4B2@lodderstedt.net>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <86b31b82-9b3f-e441-efc6-9d260a522832@gmail.com>
Date: Tue, 26 Mar 2019 07:16:00 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.0
MIME-Version: 1.0
In-Reply-To: <D6152153-D4B4-4EA5-B02C-CD01870EE4B2@lodderstedt.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/JnYuPT1z3ctNqgssVhDldKCUzPA>
Subject: Re: [jose] Signed HTTP Requests @ IETF-104
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 06:16:15 -0000

On 2019-03-25 15:31, Torsten Lodderstedt wrote:
> Will there be a side meeting on Wednesday?

I can try to arrange that.

I'm still curious to hear what for example FAPI suggest for the future.  https://openid.net/specs/openid-financial-api-part-2.html#request ?
Convincing all open banking system developers out there to dress their precious business messages in base64 as an alternative to their current clear text solutions including the-not-as-bad-as-claimed https://tools.ietf.org/html/draft-cavage-http-signatures-10 may turn out bad.

JSON canonicalization as described in the current 05 draft is based on a concluded (and technically pretty successful) research effort verified by multiple implementations including one made externally [1].  There is a single fully documented issue [2] which do requires some considerations by clients to work.

Number serialization have been addressed by true specialists in this field (=not me).  Recently I verified my original algorithm (copied from V8) with 5 billion random values against a new algorithm developed by Google which Microsoft intends to use in a coming updates to their C# tool chain.

No such information was available during the operational time of the JOSE WG which is a rather important thing to keep in mind.

A bunch of people at the IETF meeting privately propose that new developments should drop JSON/JWS and rather go for CBOR/COSE.  That's actually quite logical since with Base64-encoded messages, you anyway need a decoder to make messages human readable. Personally I'm doing the opposite namely applying canonicalization to the JWS itself [3]

Anders

1] https://github.com/dryruby/json-canonicalization

2] https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-05#appendix-E

3] User payment authorization in "Saturn".  Similar to XML DSig but at 10% of the complexity:
{
   "requestHash": {
     "alg": "S256",
     "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"
   },
   "domainName": "demomerchant.com",
   "paymentMethod": "https://bankdirect.net",
   "accountId": "8645-7800239403",
   "timeStamp": "2019-03-23T10:33:02+01:00",
   "signature": {
     "alg": "ES256",
     "jwk": {
       "kty": "EC",
       "crv": "P-256",
       "x": "rQ4WXMB6_wQKHSiY_mbJ4QkGpfWLssF7hvIiiFpDEx8",
       "y": "Fh2rl0LGTtvaomOuhuRNo9Drz9o0--WXV2ITvdVQFRY"
     },
     "val": "j2LL9pr2RyrPxvFlj8IzMhno5vvgGIgf2xi23dA5u_XwjYlIvT9qwIVKaCKYwjb26J5mMUL5zV02lqQGjZRClw"
   }
}


> 
> Am 13.03.2019 um 06:36 schrieb Bret Jordan <jordan.ietf@gmail.com <mailto:jordan.ietf@gmail.com>>:
> 
>> We should for sure setup a side meeting on Wednesday to talk about JCS.  That would be good.  We could also talk a bit after the HotRFC session.
>>
>>
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>
>>> On Mar 12, 2019, at 11:03 PM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>>>
>>> On 2019-03-13 04:46, Anthony Nadalin wrote:
>>>> I'm not sure why you say that FAPI is rolling it's own as we are not, please explain
>>>
>>> I was referring to this part of FAPI/OpenID:
>>> https://openid.net/specs/openid-financial-api-part-2.html#introduction-3
>>>
>>> Is that a proposed standard?  It claims to be RESTFul but does not deal with HTTP Method and URI which are fundamental parts of REST.
>>>
>>> In addition, one of the major interested parties behind FAPI, Open Banking in the UK, have selected another method (https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00#appendix-B.3), while other players in this field including French banks and the Berlin group are betting on: https://tools.ietf.org/html/draft-cavage-http-signatures-10
>>>
>>> This is the motivation behind this work.  If you are in Prague, maybe we can talk about this?
>>>
>>> regards,
>>> Anders
>>>
>>>
>>>> -----Original Message-----
>>>> From: jose <jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>> On Behalf Of Anders Rundgren
>>>> Sent: Monday, March 11, 2019 8:57 AM
>>>> To: jose@ietf.org <mailto:jose@ietf.org>
>>>> Subject: [jose] Signed HTTP Requests @ IETF-104
>>>> I will be there Saturday evening - Thursday 13.00 in case you are interested in this topic.
>>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-rundgren-signed-http-requests-00&amp;data=02%7C01%7Ctonynad%40microsoft.com%7Ccdd16fdc2e264a6868ac08d6a63a4098%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636879166457446453&amp;sdata=gXhXwQOm0vwPvXbQUQj%2FwD3%2FrsDU%2BB95SF6CjfR80CA%3D&amp;reserved=0
>>>> 4 minute "lightning" talk: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcyberphone.github.io%2Fietf-signed-http-requests%2Fhotrfc-shreq.pdf&amp;data=02%7C01%7Ctonynad%40microsoft.com%7Ccdd16fdc2e264a6868ac08d6a63a4098%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636879166457446453&amp;sdata=Al4bQN9BkM8ESKwqIZD6q1ZeQhYc5PrlXDR7vuRy6JQ%3D&amp;reserved=0
>>>> On-line "laboratory":
>>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmobilepki.org%2Fshreq%2Fhome&amp;data=02%7C01%7Ctonynad%40microsoft.com%7Ccdd16fdc2e264a6868ac08d6a63a4098%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636879166457446453&amp;sdata=bLjKK%2FcGsB54%2B%2FVbbQQDrrgxdCooQp0%2BfJDBBsRIg8M%3D&amp;reserved=0
>>>> thanx,
>>>> Anders
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org <mailto:jose@ietf.org>
>>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fjose&amp;data=02%7C01%7Ctonynad%40microsoft.com%7Ccdd16fdc2e264a6868ac08d6a63a4098%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636879166457446453&amp;sdata=Ah7rSZOWkkeTs%2Byi76vkqK1O5iN%2FckkCRoGvtsUDWYc%3D&amp;reserved=0
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org <mailto:jose@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/jose
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org <mailto:jose@ietf.org>
>> https://www.ietf.org/mailman/listinfo/jose