Re: [jose] Can you extend json-web-signature to bind a list of mixed objects under one signature?

Mike Jones <Michael.Jones@microsoft.com> Thu, 14 February 2013 01:30 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Steffen Yount <syount@wideorbit.com>, John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <sakimura@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: Can you extend json-web-signature to bind a list of mixed objects under one signature?
Date: Thu, 14 Feb 2013 01:28:49 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943674478BC@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <397B382EC2E6D9479F9A5D6D050FB70747A84A70@WO-SFOEXCH-02.wideorbit.com>
In-Reply-To: <397B382EC2E6D9479F9A5D6D050FB70747A84A70@WO-SFOEXCH-02.wideorbit.com>
Subject: Re: [jose] Can you extend json-web-signature to bind a list of mixed objects under one signature?

Hi Steffen,

Rather than putting this in the header, I'd put it in the payload.  I'd do that by using a JSON array or object as the payload, with array elements for each of the objects that you want to include under the signature.  Those that are binary would need to be base64url encoded in the JSON object.  You might also want metadata about each member to say what it is.

I'm imagining a payload something like this:

[
 {"type":"number", "value":123},
 {"type":"binary", "value":"A-z_4ME"},
 {"type":"string", "value":"Live long and prosper."}
]

The only thing I might do in the header is define a "cty" value to say that the content-type is one of these arrays.

Hope this is useful...

				-- Mike

-----Original Message-----
From: Steffen Yount [mailto:syount@wideorbit.com] 
Sent: Wednesday, February 13, 2013 5:19 PM
To: Mike Jones; John Bradley; Nat Sakimura; jose@ietf.org
Subject: Can you extend json-web-signature to bind a list of mixed objects under one signature?

Hi,

I'm looking for a standard way to bind a list of mixed objects (some are json and some are binary) in a token under a single signature.

I looked at the draft-ietf-jose-json-web-signature to see if JWS could work. 

Unfortunately, the draft doesn't provide a standard way to pack a list of mixed objects into a JWS token.

I could do something like tar these objects together beforehand, but building the untar handler for that in JavaScript seems like it'll be a pita...

My preferred JWS based solution could be to extend the JWS header to describe the list of mixed objects, then concatenate their base64url encoded outputs together with the dot separator, and then ship this concatenation to the signing engine.

The header describing this payload could look something like:

{
  "typ":"JWS",
  "alg":"RS256",
  "pld":[
    {"id":"oauth2",
      "cty":"JWT"},
    {"id":"saml2",
      "cty":"application/samlassertion+xml"},
    {"id":"myauthz-claims",
      "cty":"application/vnd.myauthz-claims+json"}
  ]
}

The signed token in this example would be output with 5 parts: HEAD.PLD0.PLD1.PLD2.SIG

Do you agree that multi-object support in JWS is worthwhile? 

Can you outline a better solution?

Will you update JWS to provide a standard way to pack a list of mixed objects into a JWS token?


Thanks for your consideration,
-Steffen