Re: [jose] Canonical JSON form

Bret Jordan <jordan.ietf@gmail.com> Wed, 10 October 2018 23:59 UTC

Return-Path: <jordan.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C4C129C6B for <jose@ietfa.amsl.com>; Wed, 10 Oct 2018 16:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lBvl0o6PHvPX for <jose@ietfa.amsl.com>; Wed, 10 Oct 2018 16:59:49 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AD791271FF for <jose@ietf.org>; Wed, 10 Oct 2018 16:59:49 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id w80-v6so2925121ybe.10 for <jose@ietf.org>; Wed, 10 Oct 2018 16:59:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=0O2OMPsvnl5kzuMxtX936cchMVH/ahFz3JZwxVggdRI=; b=ixMTT83lfKwIAcLm5MdxUW6XqJ82vxq7+cEiZErGvAfaqRqobHrJQzHvb1GC2NQtQM ItSihhSDbNTwlM5FMj7vwmd2APAEtVfs6nD+gMkiiykDkSSyV9s6a1noi+boKEBCzSjd HWLmDrjatKkyhVT6+s00wZW7uiPKVT9yuI57tHpP4EBCgWLt0ITi1degHGN57x751hY0 Jlfdf6jNLJc5OcXVOjCpIUJgtzXZI5JE+IGqbZh0eQZmU4jpS6dLNeLR6H3seun32j7W 1ByCU2d4TNtfHbbRWRSCCs92+Si1LxKo9BewRjDRvE9xKREJ+NQt8d0O3frAR+77ovqM nlTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=0O2OMPsvnl5kzuMxtX936cchMVH/ahFz3JZwxVggdRI=; b=QZLtJqjlxZCcRz3IAmR7QR5LD84dIOQNP5WB4/ZL+lL29P0JjosLK8/z9LMJOuKe9b ht8klucmSt81CaU7K0UZPbrUfcwuZU+9AyTsRJatvd6dEOFlstroWZbKZk6lTI2zvlbL MQVoRFYI1gwEt6es/VqHDpxT1zZyu3wCsr0bG0n1UNzkR+jpOWA9m8BSo1V/OhtlT4dN 4Jrm68esrDImgrH+VDAfqFpTIHvgKBHQtTwza/bgRCqHuM86VElXIZjQ9Pem/+156mg3 kqPC2ZSJeBPmg9q0lgCZMhAymPlZJ5jZSB6DBUs7bGV511FquAxFNhypvWYbmxpw+EK6 5h0w==
X-Gm-Message-State: ABuFfohlkfEnAGhPEKUuLWSucdIy9+de8INaHivzzzxfvCotsDMhVdbX EO+Emv/OI5q57tEjd9+unzA=
X-Google-Smtp-Source: ACcGV60/OSzlYObIVzw4pct2YJbYIRkDueWCnxwhdFc8s34spOQYAxuvHAqutas60bD3SCAdlTkjxA==
X-Received: by 2002:a5b:48e:: with SMTP id n14-v6mr19351007ybp.376.1539215988356; Wed, 10 Oct 2018 16:59:48 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:7534:8ac9:bb4c:ce9d? ([2605:a601:3260:266:7534:8ac9:bb4c:ce9d]) by smtp.gmail.com with ESMTPSA id b71-v6sm22014674ywa.48.2018.10.10.16.59.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Oct 2018 16:59:47 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <E32DED1D-9055-430A-8BAF-FCAF7BCD7726@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_321073A2-D65A-417E-8C56-DD21CCDCE7E9"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 10 Oct 2018 17:59:09 -0600
In-Reply-To: <00a801d460f4$494c7060$dbe55120$@augustcellars.com>
Cc: Nathaniel McCallum <npmccallum@redhat.com>
To: Jim Schaad <ietf@augustcellars.com>, jose@ietf.org
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <00a801d460f4$494c7060$dbe55120$@augustcellars.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/RB2_yGTaGL2Ca0syLbBK3vc_I2g>
Subject: Re: [jose] Canonical JSON form
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Oct 2018 23:59:52 -0000

How many of you would be interested in helping open a new working group to work on this sort of thing?

Maybe I am missing something, but there has to be a way of dealing with this.  Maybe just treat the entire JSON object has a string to be passed in to a signing function ? 

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 10, 2018, at 5:52 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> The working group has closed and is not entertaining any new work.  You would need to create a proposal for a new working group (could have the same name) to do this.  However, trying to canonicalize JSON is generally not considered to be doable without having some external constraints added.  Consider the problem with serializing {“int”: 3} which has a large number of possible ways to encode the number 3.
>  
> From: jose <jose-bounces@ietf.org> On Behalf Of Bret Jordan
> Sent: Wednesday, October 10, 2018 1:49 PM
> To: Nathaniel McCallum <npmccallum@redhat.com>om>; jose@ietf.org
> Subject: Re: [jose] Canonical JSON form
>  
> Would this WG be open to working on a solution to sign JSON (not a byte stream) and define a canonical representation for said JSON?
>  
>  
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
> 
> 
>> On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum <npmccallum@redhat.com <mailto:npmccallum@redhat.com>> wrote:
>>  
>> JWS signs a byte stream, not JSON. If you want to use a JWS to sign
>> JSON data it is your responsibility to ensure that both sides produce
>> an equivalent byte stream.
>> On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <jordan.ietf@gmail.com <mailto:jordan.ietf@gmail.com>> wrote:
>> 
>>> 
>>> Dear WG,
>>> 
>>> I was reading through RFC 7515 to see if it would work for a project I am working on.  Basically the need to sign and resign a JSON object.  However, in RFC 7515 there does not seem to be any definition for serializing a canonical form of JSON. This means that two organizations that serialize it differently would produce two different signatures.
>>> 
>>> Super simple example
>>> 
>>> { “type” : “house”, “size” : “1000 sq feet” }
>>> 
>>> 
>>> 
>>> Or
>>> 
>>> {
>>>  “type” : “house”,
>>>  “size” : “1000 sq feet”
>>> }
>>> 
>>> 
>>> 
>>> Or
>>> 
>>> {“type”:“house”,“size”:“1000 sq feet”}
>>> 
>>> 
>>> 
>>> Or (tabs not spaces)
>>> 
>>> {
>>> “type” : “house”,
>>> “size” : “1000 sq feet”
>>> }
>>> 
>>> 
>>> All four of these JSON structures would produce a different signature as defined by RFC 7515. What am I missing?
>>> 
>>> 
>>> Thanks,
>>> Bret
>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>> 
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org <mailto:jose@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/jose <https://www.ietf.org/mailman/listinfo/jose>