Re: [jose] Can you extend json-web-signature to bind a list of mixed objects under one signature?

John Bradley <ve7jtb@ve7jtb.com> Thu, 14 February 2013 13:50 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <397B382EC2E6D9479F9A5D6D050FB70747A84AE4@WO-SFOEXCH-02.wideorbit.com>
Date: Thu, 14 Feb 2013 10:49:52 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <982C99EF-523E-4954-B3E0-70CCCEBF98A3@ve7jtb.com>
References: <397B382EC2E6D9479F9A5D6D050FB70747A84A70@WO-SFOEXCH-02.wideorbit.com> <4E1F6AAD24975D4BA5B1680429673943674478BC@TK5EX14MBXC285.redmond.corp.microsoft.com> <397B382EC2E6D9479F9A5D6D050FB70747A84AE4@WO-SFOEXCH-02.wideorbit.com>
To: Steffen Yount <syount@wideorbit.com>
X-Mailer: Apple Mail (2.1499)
Cc: Mike Jones <Michael.Jones@microsoft.com>, Nat Sakimura <sakimura@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Can you extend json-web-signature to bind a list of mixed objects under one signature?

The design of JWS is that you can do anything you like with the body as long as it winds up as a base64url encoded segment.

I don't think changing the header is the right answer.

The best thing to do is define a "cty" value and then have the index as part of the body.

You can make it a zip file or some other structure.

John B.
On 2013-02-13, at 11:42 PM, Steffen Yount <syount@wideorbit.com> wrote:

> Hi Mike,
> 
> Base64url encoding the binary parts to make them strings in a json document first would work. 
> 
> The downside to this scheme though is that these binary parts are then being doubly base64url encoded to form the JWS token. That means all the binary parts take up 178% (4/3 * 4/3) of their original space instead of just 133% (4/3) of their original space.
> 
> Extending the definition of "cty" to allow for an array of values indicating multiple payload parts and their content-types would be better.
> 
> I could then use the first of these payload parts to supply an index into the other parts if required. The JWS header could then look something like:
> 
> {
>   "typ":"JWS",
>   "alg":"RS256",
>   "cty":[
>     "application/vnd.myindex+json",
>     "JWT",
>     "application/samlassertion+xml",
>     "application/vnd.myauthz-claims+json"]
> }
> 
> The signed token in this example would then be output with 6 parts: HEAD.PLD0IDX.PLD1.PLD2.PLD3.SIG
> 
> 
> Is that a design change you would be willing to include in the JWS spec?
> 
> 
> Thanks,
> -Steffen
> 
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Wednesday, February 13, 2013 5:29 PM
> To: Steffen Yount; John Bradley; Nat Sakimura; jose@ietf.org
> Subject: Re: [jose] Can you extend json-web-signature to bind a list of mixed objects under one signature?
> 
> Hi Steffen,
> 
> Rather than putting this in the header, I'd put it in the payload.  I'd do that by using a JSON array or object as the payload, with array elements for each of the objects that you want to include under the signature.  Those that are binary would need to be base64url encoded in the JSON object.  You might also want metadata about each member to say what it is.
> 
> I'm imagining a payload something like this:
> 
> [
> {"type":"number", "value":123},
> {"type":"binary", "value":"A-z_4ME"},
> {"type":"string", "value":"Live long and prosper."} ]
> 
> The only thing I might do in the header is define a "cty" value to say that the content-type is one of these arrays.
> 
> Hope this is useful...
> 
> 				-- Mike
> 
> -----Original Message-----
> From: Steffen Yount [mailto:syount@wideorbit.com]
> Sent: Wednesday, February 13, 2013 5:19 PM
> To: Mike Jones; John Bradley; Nat Sakimura; jose@ietf.org
> Subject: Can you extend json-web-signature to bind a list of mixed objects under one signature?
> 
> Hi,
> 
> I'm looking for a standard way to bind a list of mixed objects (some are json and some are binary) in a token under a single signature.
> 
> I looked at the draft-ietf-jose-json-web-signature to see if JWS could work. 
> 
> Unfortunately, the draft doesn't provide a standard way to pack a list of mixed objects into a JWS token.
> 
> I could do something like tar these objects together beforehand, but building the untar handler for that in JavaScript seems like it'll be a pita...
> 
> My preferred JWS based solution could be to extend the JWS header to describe the list of mixed objects, then concatenate their base64url encoded outputs together with the dot separator, and then ship this concatenation to the signing engine.
> 
> The header describing this payload could look something like:
> 
> {
>  "typ":"JWS",
>  "alg":"RS256",
>  "pld":[
>    {"id":"oauth2",
>      "cty":"JWT"},
>    {"id":"saml2",
>      "cty":"application/samlassertion+xml"},
>    {"id":"myauthz-claims",
>      "cty":"application/vnd.myauthz-claims+json"}
>  ]
> }
> 
> The signed token in this example would be output with 5 parts: HEAD.PLD0.PLD1.PLD2.SIG
> 
> 
> 
> Do you agree that multi-object support in JWS is worthwhile? 
> 
> Can you outline a better solution?
> 
> Will you update JWS to provide a standard way to pack a list of mixed objects into a JWS token?
> 
> 
> Thanks for your consideration,
> -Steffen
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
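The two payload layouts discussed in this thread, side by side, as an added example that is not code from the thread or from any of its participants: Mike's JSON-array payload (binary members base64url encoded inside the JSON, so they are encoded twice overall) and John's "index in the body" layout (a length-prefixed JSON index followed by the raw parts, base64url encoded once by JWS). The container media type `application/vnd.example.multipart` is a hypothetical label standing in for the "cty" value John suggests defining; HS256 is used only so the example runs with the Python standard library, and the key and sample parts are constructed. The demo returns the payload-segment size of each layout relative to the raw bytes, which reproduces the 4/3 versus (4/3)^2 overhead Steffen computes.

```python
import base64
import hashlib
import hmac
import json
import struct

# Hypothetical label for the container payload; not a registered media type.
CONTAINER_CTY = "application/vnd.example.multipart"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def pack_json_array(parts):
    """JSON-array layout: each member carries its content type and a base64url
    copy of its bytes, so binary members get base64url encoded a second time
    when JWS encodes the whole payload."""
    arr = [{"cty": cty, "value": b64url(data)} for cty, data in parts]
    return json.dumps(arr, separators=(",", ":")).encode("utf-8")


def unpack_json_array(payload: bytes):
    return [(m["cty"], b64url_decode(m["value"])) for m in json.loads(payload)]


def pack_indexed(parts):
    """Index-in-body layout: 4-byte big-endian index length, a JSON index of
    (cty, len) entries, then the raw parts back to back. JWS base64url
    encodes this body exactly once."""
    index = json.dumps([{"cty": c, "len": len(d)} for c, d in parts],
                       separators=(",", ":")).encode("utf-8")
    return struct.pack(">I", len(index)) + index + b"".join(d for _, d in parts)


def unpack_indexed(payload: bytes):
    if len(payload) < 4:
        raise ValueError("truncated container")
    (n,) = struct.unpack(">I", payload[:4])
    index = json.loads(payload[4:4 + n])
    off = 4 + n
    parts = []
    for entry in index:
        end = off + entry["len"]
        if end > len(payload):
            raise ValueError("index points past end of payload")
        parts.append((entry["cty"], payload[off:end]))
        off = end
    if off != len(payload):
        raise ValueError("trailing bytes not covered by index")
    return parts


def jws_hs256_sign(payload: bytes, key: bytes, cty: str) -> str:
    """Compact JWS serialization: header.payload.signature, all base64url."""
    header = {"alg": "HS256", "cty": cty}
    h = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url(payload)
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def jws_hs256_verify(token: str, key: bytes):
    """Returns (header, payload bytes); raises ValueError on any failure."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    h, p, s = segments
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm before touching the MAC.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature does not verify")
    return header, b64url_decode(p)


def verifies(token: str, key: bytes) -> bool:
    try:
        jws_hs256_verify(token, key)
        return True
    except ValueError:
        return False


def payload_segment_length(token: str) -> int:
    return len(token.split(".")[1])


# Constructed sample parts (not from the thread): a JSON object, an XML
# fragment and an opaque 3000-byte binary blob. Constructed demo key.
SAMPLE_PARTS = [
    ("application/json", b'{"sub":"alice"}'),
    ("application/samlassertion+xml", b"<Assertion/>"),
    ("application/octet-stream", bytes(range(256)) * 11 + bytes(184)),
]
KEY = b"constructed-demo-key-do-not-reuse"


def demo():
    """Returns (json-array ratio, indexed ratio): payload segment chars per raw byte."""
    tok_json = jws_hs256_sign(pack_json_array(SAMPLE_PARTS), KEY, CONTAINER_CTY + "+json")
    tok_idx = jws_hs256_sign(pack_indexed(SAMPLE_PARTS), KEY, CONTAINER_CTY)
    _, body = jws_hs256_verify(tok_idx, KEY)
    assert unpack_indexed(body) == SAMPLE_PARTS
    raw = sum(len(d) for _, d in SAMPLE_PARTS)
    return payload_segment_length(tok_json) / raw, payload_segment_length(tok_idx) / raw


if __name__ == "__main__":
    print("json-array payload: %.2fx raw, indexed payload: %.2fx raw" % demo())
```

The verifier pins `alg` before comparing the MAC and rejects any container whose index does not account for every byte, so a receiver never acts on bytes the index (and therefore the signer's intent) did not cover.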