IETF Logo Mail Archive

Re: [jose] Allow compression of plain and JWS too?

John Bradley <ve7jtb@ve7jtb.com> Mon, 04 June 2012 01:47 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF95821F8771 for <jose@ietfa.amsl.com>; Sun, 3 Jun 2012 18:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dy8oZZzhQXgE for <jose@ietfa.amsl.com>; Sun, 3 Jun 2012 18:47:46 -0700 (PDT)
Received: from mail-gh0-f172.google.com (mail-gh0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC9721F8750 for <jose@ietf.org>; Sun, 3 Jun 2012 18:47:45 -0700 (PDT)
Received: by ghbg16 with SMTP id g16so3337441ghb.31 for <jose@ietf.org>; Sun, 03 Jun 2012 18:47:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=J60Qx4dWewMs6Kr8TcooOzz2sMzsSu3mNt1bf3L8nAM=; b=VwoSfzB+BQyYMNOw20KB9qsNQ9KlLokvGR1ek7RPqtUzEX57PhWMZTFxS+ubN6HxOe nTWWmjhSTTg/nB993ZtFJ+AWmBYPler04b4egkZTCjXXB50sTXBtESW9ctJo7PvLOs8d nU2HfSpj6J3J93kB+wqBx0GStzWsq2EPsFCkrKVL/om7rhnHq9jc6VFf4QQC2yFvpOY3 bb0MdSmDQQYUSLV0vuU/GtL/7CgtoPmeqrY/jfdTnTW6wr0br7ZkMayJqVsOwDRI0jaI Qry0Zs84JfGN/K9mzj6yuSg/HpxmXxQahQsPI5+heunidbfZETDkZLJpmg4sgZiEM5z6 8MHQ==
Received: by 10.236.177.1 with SMTP id c1mr5323928yhm.41.1338774465635; Sun, 03 Jun 2012 18:47:45 -0700 (PDT)
Received: from 201-188-162-56.bam.movistar.cl ([201.188.162.56]) by mx.google.com with ESMTPS id t11sm2379418anm.5.2012.06.03.18.47.43 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 03 Jun 2012 18:47:44 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/signed; boundary="Apple-Mail=_6BE59AD7-21D3-44EB-B5F0-40C112DA3E55"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114F51D2712@WSMSG3153V.srv.dir.telstra.com>
Date: Sun, 03 Jun 2012 21:47:40 -0400
Message-Id: <BC265961-C355-4017-86A1-356BF12DC11C@ve7jtb.com>
References: <20120531050148.cc40c4f3d92d2001859047cd8cabb9ab.af6dca8411.wbe@email07.europe.secureserver.net> <BF44F421-BA42-445B-8AC8-DA5BDDAB8F2D@ve7jtb.com> <255B9BB34FB7D647A506DC292726F6E114F51D2712@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
X-Mailer: Apple Mail (2.1278)
X-Gm-Message-State: ALoCoQn15DWUEjN2WmafYW+hBeyOh7fLLZVihcL1mvHZ3LQlz2DZfar8AaqllEMNVJTOCPoM6Cip
Cc: "jose@ietf.org" <jose@ietf.org>, Vladimir Dzhuvinov / NimbusDS <vladimir@nimbusds.com>
Subject: Re: [jose] Allow compression of plain and JWS too?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2012 01:47:47 -0000

On 2012-06-03, at 9:38 PM, Manger, James H wrote:

>> Compression is required before encryption as your can't encrypt after
>> (if your encryption is any good).
>> 
>> With signing you can always leave it to transport or some other process
>> to compress it if required.
> 
> Compressing text after base64url-encoding (eg by the transport) is not nearly as effective as compressing the actual text.

I can't argue that, but it is much better than compressing after encryption.

> 
>> We did note that the http layer supports compression as well.
>> 
>> We previously came to the conclusion that compression for signing is
>> unnecessary and only adds extra code to be tested.
>> 
>> I actually had to argue quite strongly at the time to get compression
>> as a option with encryption due to the additional complexity.
> 
> If you support compression with encryption, there is no additional complexity to support compression with signing.
> Only scenarios that will only ever do signing -- with no possibility of ever needing encryption -- can potentially save some complexity. I doubt those scenarios will be common.

Again compression with encryption was a hard sell to many of the original participants like Facebook.  

Many libraries and use cases will be signing only, and they will balk at compression as a MTI.  

Making it optional will cause more interop problems than it is worth.

I honestly originally wanted compression available for both.  I have been convinced subsequently that for adoption it is better to leave it out of signing.

John B.
> 
>> So on the basis that the more mandatory to implement things we add, the
>> less likely we are to get adoption, and previous discussions around
>> some of the input documents, I am opposed to adding compression for
>> signing.
> 
> The JWS spec starts by saying it is a compact format intended for space constrained environments. It chooses terse 3-letter header element names. It defines it own alg names, partly because they are shorter than existing names.
> I am strongly in favour of including compression consistently across all the modes that a JOSE message supports (encrypted, signed, unprotected...).
> 
> --
> James Manger

v2.23.0 | Report a Bug | By Email