IETF Logo Mail Archive

Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 29 October 2015 07:26 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA20F1AC3AC for <jose@ietfa.amsl.com>; Thu, 29 Oct 2015 00:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2dbM2BkItzgx for <jose@ietfa.amsl.com>; Thu, 29 Oct 2015 00:26:14 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 767C31A9252 for <jose@ietf.org>; Thu, 29 Oct 2015 00:26:13 -0700 (PDT)
Received: by wikq8 with SMTP id q8so275419661wik.1 for <jose@ietf.org>; Thu, 29 Oct 2015 00:26:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type; bh=MaWGKn1FqNEBW9sFZWGCJ8z9m49U5Cgd5X8Cdzn9Xag=; b=wjkpvvCcLTtfLGBq0EQKL70jUj3TqvF8YrPkL7qX6Us1dmtnwiF3L1OIIMxV12UJVc l9FBiUPCfJp16vHrsuaQxMrcC00v/ajkIcaVZnyYfLthG4ncirvfkpGp4A42jsruQHSD VwRrFBlGo6P14EoecrTc4/PgYYYXeRPK3yVWDCMGVH/GvyM8w/VuDZkXMla+Pw/b8ej4 3RNX8cw7ITOMArwryLgWOSn2yIHsI6P1qEsC+0mTjyUaK1KNZzEebHgAXYv9oJbnMjak hNt3WiIp9tDA4vKuFGeg0SvlbgPYBY96Rm0Ybwy2aYaqF2LJj3HgfqmQHA3c0HU221b4 z2uA==
X-Received: by 10.194.2.34 with SMTP id 2mr298012wjr.39.1446103572083; Thu, 29 Oct 2015 00:26:12 -0700 (PDT)
Received: from [192.168.1.79] (148.198.130.77.rev.sfr.net. [77.130.198.148]) by smtp.googlemail.com with ESMTPSA id v191sm7693561wmd.24.2015.10.29.00.26.10 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 29 Oct 2015 00:26:11 -0700 (PDT)
To: Mark Watson <watsonm@netflix.com>
References: <5631BF2A.70109@gmail.com> <BY2PR03MB442AAE04D574F870B1C3D77F5200@BY2PR03MB442.namprd03.prod.outlook.com> <5631C5CE.7030807@gmail.com> <CAEnTvdBOGbRTeebiYoNRRB1nHT=-fD71tWcOU8P-dmA_R+57QA@mail.gmail.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <5631CA0C.8080300@gmail.com>
Date: Thu, 29 Oct 2015 08:26:04 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <CAEnTvdBOGbRTeebiYoNRRB1nHT=-fD71tWcOU8P-dmA_R+57QA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060405000504080608030402"
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/Z6h7U6nifmadteTk_VYv-4AdwoQ>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2015 07:26:18 -0000

On 2015-10-29 08:16, Mark Watson wrote:
>
>
> On Thu, Oct 29, 2015 at 4:07 PM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2015-10-29 07:44, Mike Jones wrote:
>
>         This may be just my personal opinion, but preserving member creation order is only one small part of producing canonical JSON, which would be what would be required for such a scheme to be guaranteed to work. For instance, if the value 1e3 is part of the JSON input, will JSON.stringify() be guaranteed to emit it as 1e3, or might it be 1E3 or 100?  Unless it's deterministic, different serializers will produce different results, and therefore different signatures.  Without a canonical JSON being both defined and widely deployed, I can't recommend doing any work that requires a canonical JSON representation to deterministically succeed.
>
>
>     Mike,
>     There is no absolute need for a canonical format, but normalization of numbers is as you mention not without challenges.
>
>
> ​Also strings. Any character in a JSON string can be replaced with the \uxxxx format, changing the serialization without changing the string.

Mike,
I can't speak for all JSON-parsers in the world but the ES6-variant do the right thing already (normalize strings) and that's good enough for a standard that (primarily) would target ES6 (and JSON systems compatible with ES6).

Anders

>
> Unless you have canonical serialization you are going to need to insert / extract the signature member "manually" (without really parsing) to convert to / from the object-with-signature and the object-to-be-signed.​
>
> ...Mark
>
>
>     However, as described in the linked document there is a pretty simple "workaround" which I believe is fully ES6-compatible.
>
>     It certainly isn't ideal building standards on workarounds but pragmatism apparently ruled when Ecma specified ES6 property order so why couldn't the same thinking be used for signatures?  The workaround could maybe even go away with a future ES iteration if the Ecma ES committee is notified of the issue.
>
>     Anyway, this is not [at all] about dismissing JWS, it is about offering an alternative which has some pros and cons versus JWS. The in-object scheme cannot easily deal with multiple signature for example.
>
>     Regarding non-ES parsers, I don't see that as a showstopper; JavaScript is the origin of JSON and now it has changed.
>
>     Cheers,
>     Anders
>
>
>
>                                         -- Mike
>
>         -----Original Message-----
>         From: jose [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>] On Behalf Of Anders Rundgren
>         Sent: Wednesday, October 28, 2015 11:40 PM
>         To: jose@ietf.org <mailto:jose@ietf.org>
>         Subject: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
>
>         ES6-compliant in-object JS/JSON signature:
>
>             var inObjectSignedData =
>               {
>                   // Object data expressed as JS properties
>                   "device": "Pump2",
>                   "value": 1e-18,
>
>                   // Object signature
>                   "signature": {
>                       ...Protected headers + Signature value expressed as JS properties...
>                   }
>               };
>
>         JavaScript's JSON.parse() and JSON.stringify() suffice for "canonicalization" purposes.
>
>
>         Converting the above to JWS JSON Serialization you would get:
>
>         var signedData =
>             {
>                 // Object data in a coded format
>                 "payload":"<payload contents>",
>
>                 // Protected headers wrapped in Base64URL
>                 "protected":"<integrity-protected header contents>",
>
>                 // Signature in a unique format
>                 "signature":"<signature contents>"
>             }
>
>         ES6 was released in June 2015 so this opportunity is actually quite new.
>
>         Cheers,
>         Anders
>
>         http://webpki.org/ietf/draft-rundgren-predictable-serialization-for-json-tools-00.html#rfc.section.3.3
>
>         _______________________________________________
>         jose mailing list
>         jose@ietf.org <mailto:jose@ietf.org>
>         https://www.ietf.org/mailman/listinfo/jose
>
>
>     _______________________________________________
>     jose mailing list
>     jose@ietf.org <mailto:jose@ietf.org>
>     https://www.ietf.org/mailman/listinfo/jose
>
>

v2.23.0 | Report a Bug | By Email