Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
Mike Jones <Michael.Jones@microsoft.com> Thu, 29 October 2015 06:44 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30C2A1A88A3 for <jose@ietfa.amsl.com>; Wed, 28 Oct 2015 23:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zYAX-N8osoYV for <jose@ietfa.amsl.com>; Wed, 28 Oct 2015 23:44:17 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0147.outbound.protection.outlook.com [207.46.100.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF0C41A88A5 for <jose@ietf.org>; Wed, 28 Oct 2015 23:44:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=OlIgWjRjan0Yofv4XTBuUKTNM2xtSeZeZY4yYxLfPHQ=; b=T+84v7JORgUAT4YQpGtPJBehOj4CSYiNX2OczQQMYmFu9VIwV/lmgaQdpSzdzJkajjUZSSs4s5PCQqdIbBHJEWYKNmATj85OMnsnPG9JK4KoqJtzevWg0pHtLAA5gotS7+IGsRm3vGQG4w/Zc9KKiLnBpAMEHwBTbjiklJWz1qI=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.306.13; Thu, 29 Oct 2015 06:44:16 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0306.003; Thu, 29 Oct 2015 06:44:16 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
Thread-Index: AQHREhSfPUc899doEUijvOIwpnQMWp6CBicQ
Date: Thu, 29 Oct 2015 06:44:16 +0000
Message-ID: <BY2PR03MB442AAE04D574F870B1C3D77F5200@BY2PR03MB442.namprd03.prod.outlook.com>
References: <5631BF2A.70109@gmail.com>
In-Reply-To: <5631BF2A.70109@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [64.134.220.65]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB442; 5:Jc37aU6UQ0ZL93QvaR5DzRc4dZFBlTdKbLasTsNkCNVCkrlpWa2U0zM4gK1CGCDl6AK1V/IVeq7cvVm3do86BPIh08SD31w1fCdqMSi8xBQ9L1HfQTJfzO12/OPXURKwtGBv1bR8xYBRPXOszOiLWw==; 24:cGBzxXfBloE3nmRBi3anjgO47hwmy+b7dc0bEBD+CrIo0ADlldg8JJwLtDMMFithu3srHnLKhtyK0ULd7XScRGRyOtZKSnGWSQLHV3Ox3J0=; 20:rSnTBdjeApHzj56gxvV6BZxxjjm+XWHgR+Bw1wCb5pWh8ZeDzbDLwxaBFRxHj0RA3PnsMvo6zyxSNrkXK4r9Ug==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB442;
x-microsoft-antispam-prvs: <BY2PR03MB442C91E2CA8D36ADD0B6ED2F5200@BY2PR03MB442.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(102215026)(61426024)(61427024); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442;
x-forefront-prvs: 0744CFB5E8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(13464003)(189002)(377454003)(76176999)(99286002)(66066001)(106356001)(97736004)(5001770100001)(2501003)(76576001)(15395725005)(5004730100002)(92566002)(8990500004)(5005710100001)(5007970100001)(10400500002)(11100500001)(10290500002)(81156007)(101416001)(77096005)(54356999)(87936001)(19580405001)(5003600100002)(5008740100001)(102836002)(50986999)(33656002)(15975445007)(2900100001)(86612001)(5001960100002)(2950100001)(40100003)(105586002)(122556002)(5002640100001)(10090500001)(106116001)(189998001)(19580395003)(107886002)(74316001)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Oct 2015 06:44:16.2412 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/QNqvINd8wIdB7LA1eUL2EtSNQzc>
Subject: Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2015 06:44:20 -0000
This may be just my personal opinion, but preserving member creation order is only one small part of producing canonical JSON, which would be what would be required for such a scheme to be guaranteed to work. For instance, if the value 1e3 is part of the JSON input, will JSON.stringify() be guaranteed to emit it as 1e3, or might it be 1E3 or 100? Unless it's deterministic, different serializers will produce different results, and therefore different signatures. Without a canonical JSON being both defined and widely deployed, I can't recommend doing any work that requires a canonical JSON representation to deterministically succeed. -- Mike -----Original Message----- From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren Sent: Wednesday, October 28, 2015 11:40 PM To: jose@ietf.org Subject: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures ES6-compliant in-object JS/JSON signature: var inObjectSignedData = { // Object data expressed as JS properties "device": "Pump2", "value": 1e-18, // Object signature "signature": { ...Protected headers + Signature value expressed as JS properties... } }; JavaScript's JSON.parse() and JSON.stringify() suffice for "canonicalization" purposes. Converting the above to JWS JSON Serialization you would get: var signedData = { // Object data in a coded format "payload":"<payload contents>", // Protected headers wrapped in Base64URL "protected":"<integrity-protected header contents>", // Signature in a unique format "signature":"<signature contents>" } ES6 was released in June 2015 so this opportunity is actually quite new. Cheers, Anders http://webpki.org/ietf/draft-rundgren-predictable-serialization-for-json-tools-00.html#rfc.section.3.3 _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] At a glance: JWS vs "in-object" ES6/JSON s… Anders Rundgren
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Mike Jones
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Mike Jones
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Anders Rundgren
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Mark Watson
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Anders Rundgren
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Jim Schaad
- Re: [jose] At a glance: JWS vs "in-object" ES6/JS… Anders Rundgren