[jose] Activities outside of the IETF dealing with "Signed JSON"
Anders Rundgren <anders.rundgren.net@gmail.com> Sat, 15 April 2017 03:35 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D16E12940F for <jose@ietfa.amsl.com>; Fri, 14 Apr 2017 20:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFF2gw4DCrip for <jose@ietfa.amsl.com>; Fri, 14 Apr 2017 20:35:35 -0700 (PDT)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A11A126CC7 for <jose@ietf.org>; Fri, 14 Apr 2017 20:35:35 -0700 (PDT)
Received: by mail-wr0-x231.google.com with SMTP id z109so58263373wrb.1 for <jose@ietf.org>; Fri, 14 Apr 2017 20:35:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=Sw9WGd7Wrocg9J0wK9TVpw40ghSs9J6dd2V+cUdEVbg=; b=N6C1un2z51bcVB5dBYSKJ1ahZXa7uqQjzVTbheEtGE1fHZsXCkYv6M1KlEv5FwXqgM ZkOUsdqgQ8518/YC6GEUmtl2HinPbYXsaZ3vq9dz+Raw6XNSG4Ou5RUvo3F6pC4nevEb keR+fOIMFr6gnqOMkH0QbhlQVQRPrjLhquLz2Eyo7lIuZm5waTfb28ahVkLyyo15MpLn IIbBG6YlWzckQfFRdvetW1mYrNLGtzC8ZS9AK9a3NwXvJTMiUng9cH5KTWO2MZinYKav eIt0t6r8UPyOpNPuSD1szLxnXEdGl8Q3ZH6DTZRY5xLfcv1Dm99gkBjQpXhFO+V+vmkr 0lDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=Sw9WGd7Wrocg9J0wK9TVpw40ghSs9J6dd2V+cUdEVbg=; b=bz2QVbBIcZdjrg7Iht+X3i+C8efV2jmbJu6HsYS5+V0vBHU97F4lLBP2O4pcxyXgsv DCDOtX6Lu9nAKwmyqTn7iXWomsInFVg4Z6GE94pYMarIUwlY+9I2bdTPGWNMbkVYGsXl qRZ1PKriU+s8r0mAqfRcxcrOOQVBWTCQsYMk2PaoO8uENpwHAFh9Xht3n+/NXtel/9Tr rVN3acEyWRsVb+Xd/N89d5W5aAQcR8mmj2Dop6JHZUub459u74w3ctU5eIfwauBnRyNM yJrp957qRLLk/D7ErxBzfNjtlL88ARcIT27g9GoZ9Xv9mO7iKsLVgPVrsjM9nk+EUFMd Qw2w==
X-Gm-Message-State: AN3rC/6XYUwJ0JD+b3LfvzNwnnPR/tYDiXklWGuuQvQ8HWPvwdg8PkOU gnIWUQYRKAKjAA==
X-Received: by 10.223.151.80 with SMTP id r74mr9681993wrb.6.1492227334197; Fri, 14 Apr 2017 20:35:34 -0700 (PDT)
Received: from [192.168.1.79] (124.25.176.95.rev.sfr.net. [95.176.25.124]) by smtp.googlemail.com with ESMTPSA id o123sm898767wmg.16.2017.04.14.20.35.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 14 Apr 2017 20:35:33 -0700 (PDT)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Message-ID: <26f4c52e-ff8c-a56c-6d9b-a615b8124ad5@gmail.com>
Date: Sat, 15 Apr 2017 05:35:30 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/PT_3Wf75aN41l_O391zCaTgvVDU>
Subject: [jose] Activities outside of the IETF dealing with "Signed JSON"
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2017 03:35:37 -0000
Hi All, As predicted the "Market" (or whatever we like to call it), working with applications like payments [1] have begun testing alternatives to JWS [2] in order to avoid dressing their precious messages in Base64. Yes, there are specifications [3,4,5] adapting JWS for such uses by moving parts of the signature generation and validation processes into the application space. Now, if you actually have a working JSON "Canonicalization" scheme [6], does it really make sense only using it for "Data" when it (by definition) should be equally applicable to "Headers"? In addition, these applications typically rely on "Enveloped" signatures (for keeping message structure intact also after signing), making it straightforward providing "Human readable" header information as a part of an embedded signature object. However, the JOSE stack of standards represents a truly amazing piece of work so it would of course be extremely cool if you could re(use) the JOSE "Core" rather than reinventing the wheel. What's then the core of JOSE? That's for sure debatable, but IMO, based on related work performed on multiple and quite different platforms, implementing support for the cryptographic algorithms (JWA) including JWK is the by far most difficult [7] part of JOSE. Yes, "Input validation" (as recently mentioned on this list) is also crucial. Creating a clear text signature container OTOH, is close to trivial. Here is a revised attempt combining the best of two worlds: https://cyberphone.github.io/doc/research/jwa.jwk.es6-signature.html Thanx, Anders Rundgren 1] French Payment Standards proposal: https://api.scailine.org/ext/useCaseOnlinePisp.pdf using the LDS scheme [2]: 2] Linked Data Signatures: https://w3c-dvcg.github.io/ld-signatures/ 3] JWS Unencoded Payload option: https://tools.ietf.org/html/rfc7797 4] JWS Detached Content: https://tools.ietf.org/html/rfc7515#appendix-F 5] Signature scheme using an "Implicit" JWS container: https://w3c-dvcg.github.io/lds-rsa2017/ 6] ES6 Serialization appears to be a good candidate since it is already featured in billions of devices 7] Cryptographic subsystems differ quite a bit in capabilities and usage between platforms like .NET, Java, Python, Node.js, etc.
- [jose] Activities outside of the IETF dealing wit… Anders Rundgren