[jose] Signed JSON for "Open Banking" - An implementation report
Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 17 November 2017 06:53 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A34128D0F for <jose@ietfa.amsl.com>; Thu, 16 Nov 2017 22:53:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zGosV3seyT8p for <jose@ietfa.amsl.com>; Thu, 16 Nov 2017 22:53:17 -0800 (PST)
Received: from mail-wm0-x243.google.com (mail-wm0-x243.google.com [IPv6:2a00:1450:400c:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E42551286C7 for <jose@ietf.org>; Thu, 16 Nov 2017 22:53:16 -0800 (PST)
Received: by mail-wm0-x243.google.com with SMTP id g130so2263218wme.0 for <jose@ietf.org>; Thu, 16 Nov 2017 22:53:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=MMW8v0RI6LD12Znq+Gnq1zBo2ogEb1W0/1OuNIvqJUU=; b=XdBvgCIWhPwaZuIjcNNCFEMV13R4G7xpSdlajWT4fGqXeiWkvLID7WZ5MDw4v8o84f 2l7flQXvNJmtq8tLfRwiI9brlORQYU4jC7WzH6wSjb6Ok5nyFHmkfbCO2CcsSsfVKq6s cfou1Z5Df16WectQOCNb2dw4VxFIQoP4SSCKl/PqYY+EysiMUZwKlsPOfaNXB9oDInOB 194vOL0KmEm9899bf7UTQ8Y9j0C3Dw/ioXqpZ2DDeaVJi4NmF5bFR87YtuRZ5U0edMNk 0Aqn+ezCLyMcyherHq5JeDNdMfk2CzVJfo2/EvjFWvOuz3Z0JK89NzZS1hilPowt8BCh Z7hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=MMW8v0RI6LD12Znq+Gnq1zBo2ogEb1W0/1OuNIvqJUU=; b=h2DUHo2kD+1urEO+SaaJJgSwFbz5RRfslU377MlOPYZieoPwbr2DTRersITZSNJHsM e3RmhkAwfteyBAn3bwp+puBFBXvAw5Rl5oPNE+RpbvoX8MjrkHRGtkoHREBbzYwPH1Sr ut9JolYKIMhcODjtHi7bxZedMoJXWn8Ef4x26DEbORz2dbRlfweCX1WqQ+AomoV7E14q gFa+1/xGiC1gThN8OfqNTMR1MlBGXO7VqpdsA2bPffWftt3/QwZeqQCbMf7mpG7aLDRt EndC+JQOPpZeO6R6AVK9qNqEawdhrHmSwmKb4MRLHUWEuETd4OxodRv5h1S6NHL8GZbi KtaQ==
X-Gm-Message-State: AJaThX7nQOxn0AHPgLy4wvLEZBv+AbIdYLEH52NbgZKTV3hhZP3aZPOJ 1Anh33astxxhqb4pxMdl0QVujQ==
X-Google-Smtp-Source: AGs4zMZ0eS3HjMYTtS/f0+7mdHUHBODmir9bmGVTAzS7+cSZTrTnLIQ3LAXbvBcfmqLTmvoP9/G5gg==
X-Received: by 10.80.213.90 with SMTP id f26mr6110480edj.225.1510901595431; Thu, 16 Nov 2017 22:53:15 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id r4sm2197455edd.4.2017.11.16.22.53.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 Nov 2017 22:53:14 -0800 (PST)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Message-ID: <c6cf8313-7fda-d298-64a8-82d4d772cf5d@gmail.com>
Date: Fri, 17 Nov 2017 07:53:10 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/_1PbQ3MAkEKdSNbNgj40Pyxx-RM>
Subject: [jose] Signed JSON for "Open Banking" - An implementation report
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 06:53:19 -0000
Dear List, Here is a list of the three most well-known APIs for Open Banking and their take on "Signed JSON": http://openid.net/specs/openid-financial-api-part-2.html#request In-line JWS (base64url-encoded messages) https://www.stet.eu/assets/files/PSD2/API-DSP2-STET_V1.2.2.pdf#page=56 HTTP-Signatures (clear text messages using a not yet standardized signature scheme) https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-1-0/#usage-examples-merchant-illustrative-interactions-payment-setup Detached JWS (clear text messages signed by a JWS in a specific HTTP header) I believe this supports my view that base64-encoded JSON will continue to be a hard sell no matter how good it may be. Other "uncool" side-effects include lookup services providing signed responses in base64url https://tools.ietf.org/html/draft-ietf-oauth-discovery-07#section-2.1 and security protocols needing artificial outer layers in order to make objects recognizable https://tools.ietf.org/html/draft-pei-opentrustprotocol-01#section-8.2.1.1 May I propose a JOSE2 effort based on ES6.JSON serialization [1] to end the current proliferation of "DIY standards" and reducing the need for [ugly] workarounds like used by UK's Open Banking? Making JOSE more Browser/JS friendly wouldn't be a terrible idea, either. Availability of ES6.JSON compatible tools isn't really a showstopper, we are talking about < 2000 lines of pretty simple [2] code for parsing and serialization. thanx, Anders 1] https://cyberphone.github.io/doc/security/jcs.html#Normalization_and_Signature_Validation 2] Well, number serialization is non-trivial so implementers probably need to build on already written code and algorithms out there like I did.
- [jose] Signed JSON for "Open Banking" - An implem… Anders Rundgren
- Re: [jose] Signed JSON for "Open Banking" - An im… Nat Sakimura
- Re: [jose] Signed JSON for "Open Banking" - An im… Anders Rundgren