IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

Richard Barnes <rlb@ipv.sx> Thu, 27 June 2013 22:24 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C144F11E8108 for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 15:24:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.976
X-Spam-Level:
X-Spam-Status: No, score=-4.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8xZv7RW78Qkn for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 15:24:15 -0700 (PDT)
Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com [209.85.219.54]) by ietfa.amsl.com (Postfix) with ESMTP id C9EC511E80F2 for <jose@ietf.org>; Thu, 27 Jun 2013 15:24:14 -0700 (PDT)
Received: by mail-oa0-f54.google.com with SMTP id o6so1557613oag.27 for <jose@ietf.org>; Thu, 27 Jun 2013 15:24:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=+Ps6iTM0X+lWATMD5I8avej0RduouZf6DpvNuyQhFME=; b=lSt0bgfs07xh70E/4O/hULRLyiGcWlJEgCTJAhVCLSPg5DjQlDhhCehhsNSLAph9OF mc0w6cABgrA5F5+wWVkPvRbfQ5XAG+ajSiH7j52Xamgim/Ovrb5Hs0kM0dJyUVKrNJ61 21+pg/WBvfCjx4tYAUmrvo1fyTENML+i+ZArDDutADF4oP6LJqU74GfcWOrD6ROI+S+v YNZRz8rERJuyxjdmn1PYUjDhHTOUL3ANaMR9NvVp3dhA1NN2AcTVjbeqlBAerU6NMR6m W3b9HMhURLE3tDs6x3AEdDIqB62P9HkHQzXheiR32VNzSbPH0lVGETVsH/A7xsU5ISsN SVTQ==
MIME-Version: 1.0
X-Received: by 10.60.43.226 with SMTP id z2mr3981799oel.76.1372371846728; Thu, 27 Jun 2013 15:24:06 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Thu, 27 Jun 2013 15:24:06 -0700 (PDT)
X-Originating-IP: [192.1.51.93]
In-Reply-To: <04bf01ce7359$5ab862c0$10292840$@augustcellars.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com> <51CBA981.4050006@nri.co.jp> <048f01ce7355$19f05bc0$4dd11340$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943678A0114@TK5EX14MBXC283.redmond.corp.microsoft.com> <04bf01ce7359$5ab862c0$10292840$@augustcellars.com>
Date: Thu, 27 Jun 2013 18:24:06 -0400
Message-ID: <CAL02cgTkUrQptGqOfQyhCembS1e3Qxw3peRFnO5QjswUW=XR-w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="001a11333dce6ca1fd04e02a38c2"
X-Gm-Message-State: ALoCoQnPcpOIA5s3ln9p/9Uz0l9lEVY+IAUFdhJfgJbuSwcM78EhtTiwLZABti2IgxMRB4Qbl1R/
Cc: Mike Jones <Michael.Jones@microsoft.com>, n-sakimura <n-sakimura@nri.co.jp>, "jose@ietf.org" <jose@ietf.org>, draft-ietf-jose-json-web-signature@tools.ietf.org
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 22:24:19 -0000

I think there are two separable issues here, both of which Mike and I
probably have divergent opinions on :)
1. Syntax: Should it be possible for the "payload" field JWS to be a JSON
string (instead of base64) when the payload is simply a UTF-8 string?
2. Crypto: Must the JWS Signing Input be base64url encoded.

The current answers to these questions are:
1. It is not possible.  Payload is always base64url encoded.
2. It is always base64url encoded.

The answers should be:
1. The payload should not be base64url encoded unless it cannot be
represented as a JSON string.
2. The JWS Signing Input should not be base64url encoded unless there is a
JWS Protected Header

Neither of these are complicated changes:
1. Add a "b64" header parameter that indicates that the payload is
base64url-encoded binary, as opposed to a UTF-8 string.  Specify that this
parameter is on by default in compact-formatted JWS objects.
2. Modify the signing/verification instructions to switch based on the
presence of a JWS Protected Header: "If the JWS Protected Header is absent
or empty, then the JWS Signing Input is simply the JWS Payload (not
encoded).  If the JWS Protected Header has a non-empty value, then the the
JWS Signing Input is the concatenation of the Encoded JWS Header, a period
('.') character, and the Encoded JWS Payload"

There are two reasons for these, both of which are important to make sure
that this spec is applicable to a broad variety of use cases:
1. Compactness.  As Jim notes, quoted strings are shorter than
base64url-encoded strings
2. Crypto-compatibility: Avoiding base64-encoding means that there's
nothing JWS-specific about the signature value.  So for example, you could
translate a JWS with no protected attributes to a CMS SignedData object
with no protected attributes.

This email brought to you by the number 2 and the letters J, W, and S :)

--Richard

[1] Note that the default value for this header must be false, or else you
lose the compactness advantage!
[2] You could also do this as a "Content-Encoding" equivalent, "cenc":
"b64".  That would give you "base64 agility", as some folks have asked for,
since you could have "b64" and "b64u" values.
[3] You could also do this like CMS, and have the JWS Signing Input in the
latter case be "the concatenation of the Encoded JWS Header, a period ('.')
character, and the Encoded JWS Payload Hash".  Where the Encoded JWS
Payload Hash is the base64url-encoded version of the hash you would
otherwise be signing.  This seems simpler to code, since you just digest
the body, then if there's a protected header, you digest again.  But it
also breaks with existing code.





On Thu, Jun 27, 2013 at 1:11 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> No, my motivation is to allow for a smaller version of the payload string.
>  In some cases quoting it will generate a smaller string than doing the
> base64 conversion on the string.
>
>
>
> > -----Original Message-----
> > From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> > Sent: Thursday, June 27, 2013 9:49 AM
> > To: Jim Schaad; 'n-sakimura'
> > Cc: draft-ietf-jose-json-web-signature@tools.ietf.org; jose@ietf.org
> > Subject: RE: [jose] #26: Allow for signature payload to not be base64
> encoded
> >
> > Jim, you wrote "If I am not transporting the base64url encoded content,
> > because it is not in the "payload" field, then why should I need to
> base64
> > encode it just to validate the signature.  This is the alto case."
> >
> > So am I correct then, in thinking that your motivation for #26 is
> actually #25 -
> > Detached content for the ALTO use case?  As John and Nat had written,
> this
> > could be handled by the specs as they are today by signing a hash of the
> > detached content and including a compact JWS representing that signature
> as
> > an x-alto-signature header.  That doesn't require changing the signature
> > calculation.
> >
> >                               -- Mike
> >
> > -----Original Message-----
> > From: Jim Schaad [mailto:ietf@augustcellars.com]
> > Sent: Thursday, June 27, 2013 9:41 AM
> > To: 'n-sakimura'
> > Cc: draft-ietf-jose-json-web-signature@tools.ietf.org; Mike Jones;
> > jose@ietf.org
> > Subject: RE: [jose] #26: Allow for signature payload to not be base64
> encoded
> >
> > Nat,
> >
> > The only thing that can be signed or encrypted is an octet string. (A
> slight over
> > generalization. GOST for example hashes an integer, tree hashes can do
> > strange things but a sufficiently true statement for our purposes.)
> >
> > A that being said - yes case 1 would be something you can do.  Case #2
> would
> > not be something that you can do because it is not an octet string.
> >
> > If you are looking at JavaScript, in order to hash something as an octet
> string it
> > can be one of three things.  A UInt8Array, an Int8Array and, due to
> > convention, a string where the top byte of all of the code points in the
> string is
> > zero.
> >
> > We currently don't have an efficient way to encode the Uint8Array case,
> > although that might not be true if we are looking at new ECMA
> specifications
> > which apparently are adding more defined types and serialization methods
> for
> > those types.
> >
> > > -----Original Message-----
> > > From: n-sakimura [mailto:n-sakimura@nri.co.jp]
> > > Sent: Wednesday, June 26, 2013 7:55 PM
> > > To: Jim Schaad
> > > Cc: draft-ietf-jose-json-web-signature@tools.ietf.org;
> > > michael.jones@microsoft.com; jose@ietf.org
> > > Subject: Re: [jose] #26: Allow for signature payload to not be base64
> > > encoded
> > >
> > > Let me understand the problem.
> > >
> > > Are you suggesting that we should be able to do something like:
> > >
> > > Case 1:
> > >
> > >       {"protected":<integrity-protected shared header contents>",
> > >        "unprotected":<non-integrity-protected shared header contents>",
> > >        "payload":"this is a multi\nline text payload of which a line
> > > can be very very very long and wrapped during transmission. "
> > >        "signatures":[
> > >         {"header":"<per-signature unprotected header 1 contents>",
> > >          "signature":"<signature 1 contents>"},
> > >         ...
> > >         {"header":"<per-signature unprotected header N contents>",
> > >          "signature":"<signature N contents>"}],
> > >       }
> > >
> > > or even
> > >
> > > Case 2:
> > >
> > >       {"protected":<integrity-protected shared header contents>",
> > >        "unprotected":<non-integrity-protected shared header contents>",
> > >        "payload":{
> > >     "this":"is a json",
> > >     "payload":"which is not base64url encoded"
> > >        }
> > >        "signatures":[
> > >         {"header":"<per-signature unprotected header 1 contents>",
> > >          "signature":"<signature 1 contents>"},
> > >         ...
> > >         {"header":"<per-signature unprotected header N contents>",
> > >          "signature":"<signature N contents>"}],
> > >       }
> > >
> > > Then, I am worried about allowing them because in general we would not
> > > know what would a transmission mechanism and user agents (including
> > > text
> > > editors) would do to them, like Mike mentioned. I do not think we
> > > should assume the property of the transmission mechanism in JOSE level.
> > > Assuming that would cause brittleness in the implementations.
> > >
> > > For detached signature, I do not understand why you would want non-
> > > base64url encoded payload. The application should define how to hash
> > > the octet stream that it wants to calculate signature over it, and we
> > > can just include the base64url encoded hash in the "payload".
> > > Why would you like to do other encoding for the hash?
> >
> > If I am not transporting the base64url encoded content, because it is
> not in
> > the "payload" field, then why should I need to base64 encode it just to
> > validate the signature.  This is the alto case.
> >
> > Jim
> >
> > >
> > > --
> > > Nat Sakimura (n-sakimura@nri.co.jp)
> > > Nomura Research Institute
> > >
> > > PLEASE READ:
> > > The information contained in this e-mail is confidential and intended
> > > for the named recipient(s) only.
> > > If you are not an intended recipient of this e-mail, you are hereby
> > > notified that any review, dissemination, distribution or duplication
> > > of this message is strictly prohibited. If you have received this
> > > message in error, please notify the sender immediately and delete your
> > copy from your system.
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

v2.39.1 | Report a Bug | By Email | System Status