Re: [jose] Canonical JSON form

Jim Schaad <ietf@augustcellars.com> Sun, 18 November 2018 16:54 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Carsten Bormann' <cabo@tzi.org>, 'Anders Rundgren' <anders.rundgren.net@gmail.com>
CC: <jose@ietf.org>
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com> <00ad01d460f4$69ae8a00$3d0b9e00$@augustcellars.com> <8436AEE7-B25A-4538-B8F6-16D558D9A504@gmail.com> <MEAPR01MB35428606C09BF315DE04CC79E5E10@MEAPR01MB3542.ausprd01.prod.outlook.com> <CAHbuEH6DCD7Zc+PK3TnCBkKv1esnROwyCcDb8ZR+TKwgQQ+yXQ@mail.gmail.com> <0E6BD488-74D5-4640-BC31-5E45B0531AFC@gmail.com> <CAHbuEH5oH-Km6uAjrSr0pEHswFBLuDpfVweQ+gpj472yk+8iTQ@mail.gmail.com> <073CB50F-8D91-4EF6-90BE-FC897D557AA6@oracle.com> <A37D69B1-6B77-4E11-8BB9-A0209C77752C@tzi.org> <434fbdb6-0202-5a02-4cec-9332fbbe548c@gmail.com> <FBBFA6FA-4B0C-4239-9145-0B713120EC98@tzi.org>
In-Reply-To: <FBBFA6FA-4B0C-4239-9145-0B713120EC98@tzi.org>
Date: Sun, 18 Nov 2018 08:53:54 -0800
Message-ID: <01fd01d47f5f$4c4889f0$e4d99dd0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Zc--Yj64JhfRrkT7eH6HjMzLiow>

> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Carsten Bormann
> Sent: Sunday, November 18, 2018 7:00 AM
> To: Anders Rundgren <anders.rundgren.net@gmail.com>
> Cc: jose@ietf.org
> Subject: Re: [jose] Canonical JSON form
> 
> On Nov 18, 2018, at 08:53, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
> >
> > On 2018-10-11 21:03, Carsten Bormann wrote:
> >> On Oct 11, 2018, at 20:23, Phil Hunt <phil.hunt@oracle.com> wrote:
> >>>
> >>> I am not sure of the value of canonicalization.  I prefer bytestream
> encoding style where the original content goes with the signature.
> >> I’m afraid a lot of people are sitting in front of their screens silently
> agreeing, but not typing anything because their hands are tied up in an
> interminable facepalm.
> >
> > Those who are not stuck in an ever-lasting facepalm may not be entirely
> comfortable with signature schemes that completely change the structure of
> signed messages.  COSE does this as well?
> 
> I don’t understand the question.  The point of COSE is that the signed message
> is not changed at all.
> (With JOSE, it needs to be base64-encoded for transfer, but it also isn’t changed
> otherwise.)

COSE does do the same type of wrapping as what the JOSE standard does.  In that sense -- that the content being signed and the signature are not at the same level in the encoding -- yes, it "completely changes the structure of the signed message".

> 
> > Well, you can of course add artificial unsigned layers (like the TEEP folks do),
> but that smells “workaround" rather than solution.
> 
> Again, I don’t understand.  But maybe what I wrote earlier is still applicable:

How it smells depends on how one looks at the world.  For me it smells "this is the right way to do things".  YMMV.

> 
> >> To the people asking for a c14n solution for signature: If you want XMLDSig,
> you know where to find it.
> >> The basic approach of having humongous XML documents that get
> signatures added to themselves as part of the document only makes sense in
> certain processing models that went out of favor with XML.
> 
> This.
> 
> >> JOSE does the right thing for more modern applications.
> 
> And this.
> 
> >> I’m not opposed to doing some “c14n” work on serialization schemes —
> deterministic serialization has other applications than just XMLDSig.
> 
> RFC 7049 has some recommendations for “c14n" that are being cleaned up and
> updated for 7049bis.
> Those are implemented in a few CBOR libraries, albeit not in all.
> The RFC 7049 version of “c14n” is in use in some other SDOs’ work.
> 
> >> I definitely do not like giving the message that c14n-based signatures are
> the new thing that will replace doing the right thing (JOSE, that is).
> 
> And this.
> 
> Grüße, Carsten
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
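
The thread turns on one structural distinction: JOSE and COSE sign the exact payload bytes and carry them wrapped (base64url in JWS) beside the signature, so the verifier never re-serializes anything, whereas an XMLDSig-style signature that lives inside the document it covers needs the verifier to rebuild the signed bytes from a parsed object, and that is what a canonical form buys. The Python below is an added example written for this page, not code from the thread, from any JOSE/COSE library, or from the RFC 7049 work Carsten mentions. It assumes HMAC-SHA256 as the signing primitive, a constructed sample message, and a home-grown sorted-key serializer standing in for a real canonicalization scheme, and it shows why the embedded style breaks under cosmetic re-serialization unless it canonicalizes, while the wrapped style does not care.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a shared MAC key stands in for the signing key so the example
# runs offline. Real deployments would normally use an asymmetric algorithm;
# the structural point is the same.
KEY = b"demo-key-not-for-production"

# Constructed sample message (assumption), including a non-ASCII string so
# escaping differences show up as well as key order and whitespace.
MESSAGE = {"from": "alice", "to": "bob", "amount": 10, "memo": "caf\u00e9"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the way JWS encodes its segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


# Style 1: wrapping, JWS compact-style. The payload bytes are signed exactly
# as handed in and carried base64url-encoded next to the signature, so the
# verifier never has to re-serialize anything and no canonical form is needed.
# The cost is the one Anders objects to: the JSON is no longer JSON on the
# wire, it is an opaque segment of a three-part token.

def jws_sign(payload: bytes) -> str:
    header = b64url(b'{"alg":"HS256"}')
    signing_input = f"{header}.{b64url(payload)}"
    return f"{signing_input}.{b64url(mac(signing_input.encode('ascii')))}"


def jws_verify(token: str) -> Optional[bytes]:
    """Return the payload bytes if the MAC checks out, else None."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    if not hmac.compare_digest(mac(signing_input), b64url_decode(sig)):
        return None
    return b64url_decode(payload)


# Style 2: signature embedded in the document it covers (XMLDSig-style).
# The verifier must rebuild the signed bytes from a parsed object, which only
# works if serialization is deterministic. canonical() is a simplified c14n
# invented for this example (sorted keys, no whitespace, ASCII-escaped
# strings); it is not any standardized scheme. naive() is what an application
# gets if it just calls json.dumps() on whatever the parser returned.

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def naive(obj) -> bytes:
    return json.dumps(obj).encode("utf-8")


def embedded_sign(obj: dict, canonicalize: bool = True) -> str:
    body = {k: v for k, v in obj.items() if k != "signature"}
    serialize = canonical if canonicalize else naive
    signed = dict(body)
    signed["signature"] = b64url(mac(serialize(body)))
    return json.dumps(signed)


def embedded_verify(text: str, canonicalize: bool = True) -> bool:
    obj = json.loads(text)
    sig = b64url_decode(obj.pop("signature"))
    serialize = canonical if canonicalize else naive
    return hmac.compare_digest(mac(serialize(obj)), sig)


def reformat_on_the_wire(text: str) -> str:
    """Simulate a proxy or logging layer that parses and re-emits JSON with
    different key order, whitespace and escaping: semantically identical,
    byte-different."""
    obj = json.loads(text)
    reordered = dict(reversed(list(obj.items())))
    return json.dumps(reordered, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    token = jws_sign(canonical(MESSAGE))
    print("JWS round trip:", jws_verify(token) == canonical(MESSAGE))
    doc = embedded_sign(MESSAGE)
    print("embedded + c14n, reformatted:", embedded_verify(reformat_on_the_wire(doc)))
    doc = embedded_sign(MESSAGE, canonicalize=False)
    print("embedded, naive, reformatted:",
          embedded_verify(reformat_on_the_wire(doc), canonicalize=False))
```

The JWS token survives any intermediary because nothing ever touches the signed bytes; the embedded signature survives only as long as both sides agree on a deterministic serialization, which is the "c14n" dependency the thread is arguing about. Any bug or version skew in that serializer (number formatting, Unicode escaping, key ordering of nested objects) becomes a signature-verification failure or, worse, a divergence an attacker can exploit.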