Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures

Mark Watson <watsonm@netflix.com> Thu, 29 October 2015 07:16 UTC

In-Reply-To: <5631C5CE.7030807@gmail.com>
References: <5631BF2A.70109@gmail.com> <BY2PR03MB442AAE04D574F870B1C3D77F5200@BY2PR03MB442.namprd03.prod.outlook.com> <5631C5CE.7030807@gmail.com>
Date: Thu, 29 Oct 2015 16:16:21 +0900
Message-ID: <CAEnTvdBOGbRTeebiYoNRRB1nHT=-fD71tWcOU8P-dmA_R+57QA@mail.gmail.com>
From: Mark Watson <watsonm@netflix.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/R3e3Hjz0amSm9mFYiqG9jqpzyMU>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures

On Thu, Oct 29, 2015 at 4:07 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2015-10-29 07:44, Mike Jones wrote:
>
>> This may be just my personal opinion, but preserving member creation
>> order is only one small part of producing canonical JSON, which would be
>> what would be required for such a scheme to be guaranteed to work.  For
>> instance, if the value 1e3 is part of the JSON input, will JSON.stringify()
>> be guaranteed to emit it as 1e3, or might it be 1E3 or 100?  Unless it's
>> deterministic, different serializers will produce different results, and
>> therefore different signatures.  Without a canonical JSON being both
>> defined and widely deployed, I can't recommend doing any work that requires
>> a canonical JSON representation to deterministically succeed.
>>
>
> Mike,
> There is no absolute need for a canonical format, but normalization of
> numbers is, as you mention, not without challenges.
>

Also strings. Any character in a JSON string can be replaced with the
\uxxxx format, changing the serialization without changing the string.

Unless you have canonical serialization you are going to need to insert /
extract the signature member "manually" (without really parsing) to convert
to / from the object-with-signature and the object-to-be-signed.

...Mark




> However, as described in the linked document there is a pretty simple
> "workaround" which I believe is fully ES6-compatible.
>
> It certainly isn't ideal building standards on workarounds but pragmatism
> apparently ruled when Ecma specified ES6 property order so why couldn't the
> same thinking be used for signatures?  The workaround could maybe even go
> away with a future ES iteration if the Ecma ES committee is notified of the
> issue.
>
> Anyway, this is not [at all] about dismissing JWS, it is about offering an
> alternative which has some pros and cons versus JWS. The in-object scheme
> cannot easily deal with multiple signatures for example.
>
> Regarding non-ES parsers, I don't see that as a showstopper; JavaScript is
> the origin of JSON and now it has changed.
>
> Cheers,
> Anders
>
>
>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren
>> Sent: Wednesday, October 28, 2015 11:40 PM
>> To: jose@ietf.org
>> Subject: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
>>
>> ES6-compliant in-object JS/JSON signature:
>>
>>     var inObjectSignedData =
>>       {
>>           // Object data expressed as JS properties
>>           "device": "Pump2",
>>           "value": 1e-18,
>>
>>           // Object signature
>>           "signature": {
>>               ...Protected headers + Signature value expressed as JS properties...
>>           }
>>       };
>>
>> JavaScript's JSON.parse() and JSON.stringify() suffice for
>> "canonicalization" purposes.
>>
>>
>> Converting the above to JWS JSON Serialization you would get:
>>
>> var signedData =
>>     {
>>         // Object data in a coded format
>>         "payload":"<payload contents>",
>>
>>         // Protected headers wrapped in Base64URL
>>         "protected":"<integrity-protected header contents>",
>>
>>         // Signature in a unique format
>>         "signature":"<signature contents>"
>>     }
>>
>> ES6 was released in June 2015 so this opportunity is actually quite new.
>>
>> Cheers,
>> Anders
>>
>>
>> http://webpki.org/ietf/draft-rundgren-predictable-serialization-for-json-tools-00.html#rfc.section.3.3
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>