[jose] Re: Do you need the JWP JSON Serialization?

Carsten Bormann <cabo@tzi.org> Wed, 07 August 2024 14:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/XoVhdtd8IyOrrauR8UvRotOOtnU>

On 2024-08-07, at 15:55, Orie Steele <orie@transmute.industries> wrote:
> 
> JSON serializations might be better stored in databases, since the base64 encoded components can often be stored as binary instead of text... but CBOR would be even better.

It is trivial to define a CBOR-based serialization of the JWP compact form, replacing the base-64 armor by a CBOR sequence of strings (or arrays of strings for ~).  Having both means that one can have a URL-safe form (base64url + ./~) and a media-type (CBOR sequence).

I didn’t manage to write the document yet, but it’s really trivial (and, like, three lines of code).

A true CWP would also get rid of base64 throughout the building of inputs for the cryptography.

Grüße, Carsten
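
The mapping described in this message, as an added sketch that is not from the author or from any JOSE draft: each `.`-separated part of a compact-form string becomes one item of a CBOR sequence (RFC 8742), and a part containing `~` becomes an array. Using byte strings rather than text strings, mapping an empty segment to a zero-length byte string, and the names `compact_to_cbor_seq` and `SAMPLE` are assumptions of this sketch.

```python
import base64

# Constructed sample, not a real JWP: header "hdr", payloads "a" and "bc", proof 0x0102.
SAMPLE = "aGRy.YQ~YmM.AQI"

def b64url_decode(s: str) -> bytes:
    # Compact-form parts are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def cbor_head(major: int, n: int) -> bytes:
    # Initial byte plus shortest-form argument (RFC 8949, section 3).
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("length too large for CBOR")

def cbor_bstr(b: bytes) -> bytes:
    # Major type 2: byte string, carrying the raw bytes without base64.
    return cbor_head(2, len(b)) + b

def cbor_array(items: list) -> bytes:
    # Major type 4: array of already-encoded items.
    return cbor_head(4, len(items)) + b"".join(items)

def compact_to_cbor_seq(compact: str) -> bytes:
    # A CBOR sequence is the plain concatenation of encoded items (RFC 8742).
    out = b""
    for part in compact.split("."):
        if "~" in part:
            # Assumption: a "~"-joined part becomes an array of byte strings.
            segs = [cbor_bstr(b64url_decode(p)) for p in part.split("~")]
            out += cbor_array(segs)
        else:
            out += cbor_bstr(b64url_decode(part))
    return out

if __name__ == "__main__":
    print(compact_to_cbor_seq(SAMPLE).hex())
```

A part that holds a single segment and no `~` comes out as a bare byte string rather than a one-element array, so a real specification would have to fix each position's type for the mapping to be reversible.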