[jose] Re: Do you need the JWP JSON Serialization?

David Waite <david@alkaline-solutions.com> Wed, 07 August 2024 16:20 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5E69C14F5E4 for <jose@ietfa.amsl.com>; Wed, 7 Aug 2024 09:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MExJimqjXoVC for <jose@ietfa.amsl.com>; Wed, 7 Aug 2024 09:20:01 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43D9DC169432 for <jose@ietf.org>; Wed, 7 Aug 2024 09:20:00 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
Content-Transfer-Encoding: quoted-printable
From: David Waite <david@alkaline-solutions.com>
Mime-Version: 1.0
Date: Wed, 07 Aug 2024 10:19:47 -0600
Message-Id: <80D19F1D-0FCE-43B4-98E5-5D0A8225A174@alkaline-solutions.com>
References: <B421E0DF-9951-4CF4-911C-72F796850DAA@tzi.org>
In-Reply-To: <B421E0DF-9951-4CF4-911C-72F796850DAA@tzi.org>
To: Carsten Bormann <cabo@tzi.org>
X-Spamd-Bar: /
Message-ID-Hash: H5SUNQGHKPOYVKATBC77QCCTVI6HRHPO
X-Message-ID-Hash: H5SUNQGHKPOYVKATBC77QCCTVI6HRHPO
X-MailFrom: david@alkaline-solutions.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Orie Steele <orie@transmute.industries>, Michael Jones <michael_b_jones@hotmail.com>, Bret Jordan <bret.jordan.sdo@gmail.com>, jose@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Do you need the JWP JSON Serialization?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/WqeRv2g7b5jbJYV1EJWq859F8h4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

Sent from my iPhone

> On Aug 7, 2024, at 8:22 AM, Carsten Bormann <cabo@tzi.org> wrote:
> 
> On 2024-08-07, at 15:55, Orie Steele <orie@transmute.industries> wrote:
>> 
>> JSON serializations might be better stored in databases, since the base64 encoded components can often be stored as binary instead of text... but CBOR would be even better.
> 
> It is trivial to define a CBOR-based serialization of the JWP compact form, replacing the base-64 armor by a CBOR sequence of strings (or arrays of strings for ~).  Having both means that one can have a URL-safe form (base64url + ./~) and a media-type (CBOR sequence).

Somewhat off topic, but the latest draft is beared toward expressing the serialized parts as either octet strings (each protected header) or arrays of octet strings (payloads, proofs). BASE64URL encoding is a serialization concern and a detail of dropping binary data (like public key data) into JSON. 

> I didn’t manage to write the document yet, but it’s really trivial (and, like, three lines of code).
> 
> A true CWP would also get rid of base64 throughout the building of inputs for the cryptography.

The discussion points I anticipate will be whether to make the protected headers JSON or CBOR (more likely, if both should be defined e.g. a compressed JWP serialization as well as a true CWP), and whether to make the serialized form based on an overarching array or map. 

I’d certainly prefer to have CWP be part of the same effort, rather than replicate the effort in another group. I think we have seen how that leads to having differing capabilities, split attention for reviews and feedback, and multiple registries. 


-DW