[jose] Re: Do you need the JWP JSON Serialization?
Orie Steele <orie@transmute.industries> Thu, 08 August 2024 17:27 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/ZQhDvG4FZb96iakq-gMdE5WzuNM>
I had an offlist chat with Mike, and he asked for me to share some summary here.

COSE has unprotected headers, and they are used to transfer certificate chains, counter signatures, and transparency receipts, among other things.

JADES - https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf - also uses unprotected headers to transport things.

If JWTs had unprotected headers, I suspect SD-JWT would have used them for the mutable part (disclosures). When you don't give a token format an unprotected bucket, they will just make one up later, when it is needed... using concatenation.

I would prefer for JWP / CWP to have some shared structure, and to not end up with awkwardness if moving from a CWP to a JWP or vice versa. This means that if I started with CWP, and added receipts, counter signatures and certificate chains... I should be able to move to JWP without much trouble. In order to do this, there might be a need to trade off some size for extensibility... If size is a consideration, JSON and text encoding binary are already the wrong answers.

Ideally both JWP and CWP would have the following structure:

[ immutable secured data, security information, mutable data ]

In COSE this applies to [ protected header, unprotected header, payload, signature ]
(immutable secured data = protected header + payload), mutable data = unprotected header + signature

In SD-JWT this applies to [ protected header, payload, disclosures, signature ]
(immutable secured data = protected header + payload), mutable data = disclosures + signature

Side note, yes, signatures are mutable... ES256K upper and lower S, etc...

If you don't specify a JSON Serialization for JWP, and people need extensibility like they have in COSE unprotected headers, they will simply make up the JSON serialization they need when they need it.

Maybe that's ok, but I think that some design planning and consideration of both JOSE and COSE can eliminate potentially awkward future workarounds like the ~ in SD-JWT or the JSON serialized JWT variant for it in JADES.

I'd recommend creating the concept of a JWP unprotected header, putting the disclosures and other mutable information in there, and then having both a JSON and Compact serialization. In COSE, there won't be a need for both, but there will be a need to name the "text encoded binary" since CBOR is often transmitted text encoded.

As we built out SD-CWT, we used the unprotected header to transport the mutable data. As we built out COSE Receipts, we used the unprotected header to transport the merkle tree proofs, and to add them over time... we also use the unprotected header to store cert chains so that a holder can add all the verification material needed by a verifier when they need it, and remove it when it's not needed.

If JWP Compact supports unprotected headers, I see no reason to not define a JSON serialization. If JWP Compact only means no unprotected header, I don't like the design, and I suspect it will lead to awkward text concatenation in the future.

I'm in favor of a JSON Serialization, especially one that is conceptually aligned to the CBOR Object that will represent CWPs.

Regards,

OS

On Wed, Aug 7, 2024 at 12:47 PM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:

> Trying to take a bit of learning from history - the many JSON serializations for JWS and JWE have, to the best of my knowledge, been very scantily used or implemented in comparison to the popular compact serializations. As such, I don't believe the JWP JSON Serialization is needed.
>
> On Tue, Aug 6, 2024 at 5:42 PM Michael Jones <michael_b_jones@hotmail.com> wrote:
>
>> I’m writing to ask whether any of you have a use case that requires the JSON Web Proof JSON Serialization? Unless concrete reasons are provided to keep it, we propose to make the Compact Serialization the only JSON Serialization for JWPs. This is being tracked at https://github.com/ietf-wg-jose/json-web-proof/issues/100.
>>
>> Responses saying “I don’t need the JSON Serialization” are also welcomed.
>>
>> (A CBOR serialization is planned of course – something we hope to create before IETF 121 in Dublin, building on the work to use binary field values in computations that we did prior to Vancouver.)
>>
>> Thanks,
>>
>> -- Mike & DW

-- 
ORIE STEELE
Chief Technology Officer
www.transmute.industries
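The "immutable secured data vs. mutable data" split Orie lays out above, as an added example that is not part of this thread or of any JOSE draft: an SD-JWT-style compact token next to a constructed JSON form that keeps the disclosures in an "unprotected" bucket, with a verifier that signs only the protected header and payload and binds each disclosure back to the signed `_sd` hashes. The `unprotected` layout, the `HS256` stand-in for a real signature, the sample key and the sample claims are all assumptions of this example.

```python
# Added example, not from the thread or any JOSE draft: the split Orie describes between
# immutable secured data (protected header + payload) and mutable data (disclosures), as an
# SD-JWT-style compact token and a constructed JSON form with an "unprotected" bucket.
import base64, hashlib, hmac, json
KEY = b"constructed-demo-key"  # constructed sample key; HMAC-SHA256 stands in for a real JWS signature

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def disclosure(salt: str, name: str, value) -> str:
    return b64u(json.dumps([salt, name, value]).encode())

def sd_hash(disc: str) -> str:  # SD-JWT hashes the base64url disclosure string itself
    return b64u(hashlib.sha256(disc.encode()).digest())

def issue(claims: dict, hidden: dict) -> tuple:
    """Return (compact token, JSON form) for one issuance; hidden claims become disclosures."""
    discs = [disclosure(f"salt{i}", k, v) for i, (k, v) in enumerate(hidden.items())]
    payload = dict(claims, _sd=sorted(sd_hash(d) for d in discs))  # only the hashes are signed
    protected = b64u(json.dumps({"alg": "HS256", "typ": "example+sd-jwt"}).encode())
    body = b64u(json.dumps(payload).encode())
    sig = b64u(hmac.new(KEY, f"{protected}.{body}".encode(), hashlib.sha256).digest())
    as_json = {"protected": protected, "payload": body, "signature": sig,
               "unprotected": {"disclosures": discs}}  # mutable bucket, outside the signature
    return json_to_compact(as_json), as_json

def json_to_compact(j: dict) -> str:  # JSON -> compact: only the '~' concatenation differs
    jws = f"{j['protected']}.{j['payload']}.{j['signature']}"
    return jws + "~" + "".join(d + "~" for d in j["unprotected"]["disclosures"])

def verify(compact: str) -> dict:
    """Check the signature over the immutable part, then admit only disclosures anchored in _sd."""
    parts = compact.split("~")
    jws, discs = parts[0], [d for d in parts[1:] if d]  # drop the empty tail after the last '~'
    protected, body, sig = jws.split(".")
    expected = hmac.new(KEY, f"{protected}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("signature invalid")
    payload = json.loads(b64u_dec(body))
    anchors = set(payload.pop("_sd", []))
    for d in discs:  # a holder may drop disclosures freely, but may not add unanchored ones
        if sd_hash(d) not in anchors:
            raise ValueError("disclosure not bound to the signed payload")
        _salt, name, value = json.loads(b64u_dec(d))
        payload[name] = value
    return payload
```

Because the disclosures sit outside the signed bytes, the `_sd` hash check is what ties the mutable bucket to the immutable part; any unprotected header design, in COSE or in JWP, needs an equivalent binding step for whatever it carries there.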