[jose] Rethinking Clear Text JSON Signatures

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 24 May 2018 19:56 UTC

From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <c0d3d484-cc06-7f7d-5760-f9771c6f666c@gmail.com>
Date: Thu, 24 May 2018 21:55:54 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Se0C2V-CCEQn06L57A0WdaEzoD0>

As you probably know, there is a published clear text JSON signature proposal (https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-00), which, though, hasn't received much attention.

Although I am a co-author, I have recently had second thoughts about this proposal due to a couple of issues which keep popping up:

1. There already is a firmly established JSON signature standard (JWS), making it difficult to get traction on the "developer market" for yet another standard, irrespective of its possible merits.

2. The Cleartext JWS I-D builds on a JSON property order preserving scheme defined in ECMAScript.  However, the vendors of JSON tools for other platforms have shown no interest whatsoever in this mode of operation.  If you look closer, that's understandable since it could ultimately even affect compilers and class reflection mechanisms.

Fortunately, all is not doom and gloom.  I have been investigating another approach for dealing with JSON property ordering (and more), recently published at: https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-00. This filter-like process can be used together with existing JSON tools.

Regarding the "marketing" problem, it is obvious that for addressing the core enhancement (keeping JSON data "as is" rather than shrouding it in Base64Url encoding), simply using the JWS standard in detached mode (https://tools.ietf.org/html/rfc7515#appendix-F) would cause considerably less fuss and objections than a brand new package and associated library support.

Such a combination has progressed well beyond the slideware state: https://mobilepki.org/jws-jcs/home

The idea is not only getting something useful out of the door quicker, but paving the way for features outside of the JWS standard, when the time is right.

I would appreciate any feedback on how you think we should proceed.

Cheers,
Anders
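
The combination described in the message (canonicalize the JSON, then sign it as a detached JWS so the data stays readable) can be sketched as follows. This is an added example, not code from the original post, the drafts or the linked demo. It assumes HS256 with a constructed key, a hypothetical `signature` property name, and input that came from `JSON.parse`.

```javascript
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Canonical form in the spirit of the JCS draft: property names sorted by
// UTF-16 code unit, no whitespace, primitives serialized as ECMAScript does.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
}

// JWS signing input is BASE64URL(header) + '.' + BASE64URL(payload); in detached
// mode (RFC 7515 Appendix F) only the payload part is left out of what is sent.
function hs256(key, protectedB64, payload) {
  return crypto.createHmac('sha256', key)
    .update(protectedB64 + '.' + b64u(payload)).digest();
}

// Returns a copy of doc carrying "header..signature" in sigProp (assumed name).
function sign(doc, key, sigProp = 'signature') {
  if (sigProp in doc) throw new Error('document already has a ' + sigProp);
  const protectedB64 = b64u(JSON.stringify({ alg: 'HS256' }));
  const sig = hs256(key, protectedB64, canonicalize(doc));
  return { ...doc, [sigProp]: protectedB64 + '..' + b64u(sig) };
}

function verify(signedDoc, key, sigProp = 'signature') {
  const { [sigProp]: jws, ...doc } = signedDoc;
  const parts = typeof jws === 'string' ? jws.split('.') : [];
  if (parts.length !== 3 || parts[1] !== '') return false; // detached form only
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return false;
  }
  // Pin the algorithm; the header must not be allowed to choose it.
  if (header === null || header.alg !== 'HS256') return false;
  const expected = hs256(key, parts[0], canonicalize(doc));
  const got = Buffer.from(parts[2], 'base64url');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample key and document, for illustration only.
const KEY = Buffer.from('constructed-demo-key-not-a-real-secret');
const signed = sign({ statement: 'Hello signed world!', otherProperties: [2000, true] }, KEY);
```

Because verification re-canonicalizes the received object, a document that was re-serialized with different property order or whitespace still verifies, while any change to a value does not.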