[jose] JSON-I. Was: JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 18 September 2014 12:12 UTC
Message-ID: <541ACC02.9000103@gmail.com>
Date: Thu, 18 Sep 2014 14:11:46 +0200
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: kivinen@iki.fi, "jose@ietf.org" <jose@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/bMJcv3daU6pj0ByTdrbKdKqj9As
Subject: [jose] JSON-I. Was: JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Hi Tero,

You are of course right. If you want to use JOSE you should use a parser that matches the requirements or update an existing one until it does.

I would consider taking this one step further. It is *trivial* to create (sort of) "canonicalized" JSON by tweaking the parser (not the JSON spec) so that it doesn't modify the input with the exception of whitespace and escaping. There's no point in repeating the problems we had with XML, but still you don't *have* to revert to base64-encoded octet-strings either.

Why is that important? Because then you open the door to things like step #8 on:
http://webpki.org/papers/PKI/EMV-Tokenization-SET-3DSecure-WebCryptoPlusPlus-combo.pdf#page=4

which, when using JCS, looks like this (actual log message):

{
  "@context": "http://xmlns.webpki.org/wcpp-payment-demo",
  "@qualifier": "TransactionResponse",
  "PaymentRequest": {
    "CommonName": "Demo Merchant",
    "Amount": 325,
    "Currency": "USD",
    "ReferenceID": "#1000000",
    "DateTime": "2014-09-17T14:17:22Z",
    "Signature": {
      "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
      "KeyInfo": {
        "SignatureCertificate": {
          "Issuer": "CN=Merchant Network Sub CA5,C=DE",
          "SerialNumber": "1410946675139",
          "Subject": "CN=Demo Merchant,2.5.4.5=#1306383936333235,C=DE"
        },
        "X509CertificatePath": [
          "MIIDQzCCAiugAwIBAgIGAUiC-bHDMA0GCSqGSIb3DQEBCwUAMDAxCzAJBgNVBAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrIFN1YiBDQTUwHhcNMTQwMTAxMDAwMDAwWhcNMjAwNzEwMDk1OTU5WjA2MQswCQYDVQQGEwJERTEPMA0GA1UEBRMGODk2MzI1MRYwFAYDVQQDEw1EZW1vIE1lcmNoYW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlrcRmV_2Wt1-N_MQA_v55GMXCeUfep3f5gC6R76OzBgAR-Ix8waP_vtBi4WgDvCoIgt7S2rldeYSIP29qyGAYmRDo_OqBtVcNMmR3jLxazC_cOg7dx-Rg2aqgD__-h_XsyvT7IQa6lKCum6iB1hkRxdavkyu7KVS8c9kGSLUL2c1iJk3EtcPzKTIf3YrOFktz2f6Ut_S75L7m2NsDOrfNG6iRgpPrLq1lesRRmKO2ZfjD_3IwRMoqLRYos-Ff2zGjJASy8pTFfE7d_BnrPh_0svvG9bnMIyKLWEk6CJU43iC5wnBAZmdUIkavAi96yx1mqYAt7pNg8Lb_JETta6pVQIDAQABo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUw8YgcU_Hm68y1NTiE4Vfr1WpiNcwHwYDVR0jBBgwFoAUhGlwpV1GDevGR_FeQFLxSInanxUwDQYJKoZIhvcNAQELBQADggEBANKrB8ntQCt9Hq7lvinwqUCzzMkPC0DLHh--cieJpUQ3lKonFR34hWT7jj0n2sv0HyKPSJlfj8U6AVUquWtAibURcNoZtZHWoR3AQ80b34n8ANaItS4U5nBMXpRLt6j0g88FNrpoKg8W7LIe1fk6yWVsg2ivAvCzQKR__2oMD-TCf4FA5cCveT8FT4YHqf7IpXro7yCGoZgLpk-At-iihV8QN25ZGglySpUQowNe36MV3-HeEwNR-1ZOF4aeegATZoS09IgzOjPejGyp_0loRaixy-mV-FkYR2W6hcK2EfzJ3aYb0KmGj9iIKNbkmG0kfxvu7BqdKREmYR0ewEskkPE",
          "MIIEPzCCAiegAwIBAgIBBTANBgkqhkiG9w0BAQsFADAxMQswCQYDVQQGEwJVUzEiMCAGA1UEAxMZTWVyY2hhbnQgTmV0d29yayBSb290IENBMTAeFw0xMjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMDAxCzAJBgNVBAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrIFN1YiBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe77S3gc0enm8CE6TFzE0HjrX2WsPrEQUjWRtfJJacosg18BzkctPiQKdaVfJEt-stUTi_buADFfh1YrHgw0St9ejtiBwY-FOOBYbFaTih5F6arZgG7G87MHvpN7QuurutyKO1nxumt2WK_Brr-LSty54nj_PaOTquwjqZ1Jw1awvv_5o03TANCvAUvgtpF9OGZzPD5gqO-rtu8hwY6uGaxCOqJ7chPqIKcXKkxniWGaDMXFjaBtRb5c4r2z9zYl5BAYTDVCzXLZiL_84XpSi9zA0jElpLumTrRBWURutICFLgqdsQeqm6kib17BuopRHJOvrIrf9f_Xd67AVpj-dZAgMBAAGjYzBhMA8GA1UdEwEB_wQFMAMBAf8wDgYDVR0PAQH_BAQDAgEGMB0GA1UdDgQWBBSEaXClXUYN68ZH8V5AUvFIidqfFTAfBgNVHSMEGDAWgBSMgcUOGLi-1yZivLwshVNXviTYYjANBgkqhkiG9w0BAQsFAAOCAgEATnKqxuy3F0kWWQ1kw7RSfaMbWvkf7HtyE1mOgCz7FisXyVEpVN3f0HhRqs723v7QPej5D89Gf4MUG_amwgkcoq5vsAkc3OYDbdXmMT0YtSFpwzWcm8oCniEB0zoGamt_si-qSx3WWR3YVqIymuphzgnjjoiiLdYDbF9Mqay4ICRJSJNEj2CuLPXbyvdfZ566WughYbmc67JUkROqa1Eig0ERTtncIw_Xe18OuDjtT16Cua9qMrZoYPng1G83tzlVczXSd-WY-X5o9emv7X-fUQqZGACIDNmYrD0loOBt1-agR1_rlSWWnnTe3Hzdrn_MhV1Ohta3EcIsm2rK4d4BHWIyTVfi3f3OV9IUBjlbB-vy6xWzGDcG6dRVOX_Kb_hJMdw-5MWCLfCg1Ah4GXtpg5k12xvB5-iodxpfOCTMo7pxylQ_YRHPLPfAHzgr3__7y3JdxA2wkJt-mnzLIX0-FwdhKAbsVIfSc-D9e6rk7qX52fQc9IjMP_y5op27eQXYRU41cjptjd2KJVt1oUEREwiQFPUXjaLzoIvZO-w6jg-lCGDcJ_N_gvwoo8X6uLBX2nX2cvIUvDSlBOmf8FxNRLsu-UYIugCTmvvA0b3QT9f5qgr_YqPD0tgXbiUShKQon6LRLDqV8jSxMg9XPWD8oScX-1rOJS8kE3TgB16VQQI"
        ]
      },
      "SignatureValue": "Pdp3FCQuu34gBtyobMGTbesrqLgl5NuICpeVBxvvnwo6oqCX0d0thRWxGTLdUEniPbd4JnODCr3FjOlaLHJl7OuguJX6ejRmvA29y8qJhcELXtT1_n13JAI8puHPtk-hn_1M8d7048dqAeUKzjwN-uhyup1CaaxaVf4zxkMJBcUDqgs17EKmsHtuEKvz8kti8QfpYVWGRlJbkWlQHGerPVb6Ev6i4by1ruSZLnVLjFw0-CerwOHMzN49FBe9_vjtDzAGqLTcHZlJxDHKBMEeCc9WERuGOEQHqdPG1lrQfuTcCqZPs-yXIXNQTvmLalK005DgODLPYCPt2tthNBjIzA"
    }
  },
  "TransactionID": "#164006",
  "PayeePAN": "**** **** **** 1405",
  "CardType": "SuperCard",
  "Signature": {
    "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "KeyInfo": {
      "SignatureCertificate": {
        "Issuer": "CN=Payment Network Sub CA3,C=EU",
        "SerialNumber": "1410946666582",
        "Subject": "CN=mybank.com,2.5.4.5=#130434353031,C=FR"
      },
      "X509CertificatePath": [
        "MIIDPTCCAiWgAwIBAgIGAUiC-ZBWMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNVBAYTAkVVMSAwHgYDVQQDExdQYXltZW50IE5ldHdvcmsgU3ViIENBMzAeFw0xNDAxMDEwMDAwMDBaFw0yMDA3MTAwOTU5NTlaMDExCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRMwEQYDVQQDEwpteWJhbmsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1_7YaM1c28HRTYzzVQzTP-ohms_xBoVWl2W5Ac4ZWItD3MqXIKukxjjUXQtb3duLHHnEgIvnAe-boksQ1KyvLigAMfpUKKrROluKW8GZeA0227HsTY170PCB6TNMan3rmnhY3r42b10jVfFwX18LJMVa0ypfpZbEZD6LpB7FtZoJtFuTxt-Jjg3nxys7T4WMh4d_7uLAk3TgqSl_Js9Umu7dXJNIkW1pq1PA2GhLV87w2bARrNNCUeLtTyA1l2QThhJf4l5y065oHDzdgfhDz14dAbb-YOkDp85QcL2h06_9YPOLglrY_QiibvetSuRaGChoUVNZGw-met7ExDUA9wIDAQABo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUY4zmIe8sDzJ54onhjZBtD9z-y3QwHwYDVR0jBBgwFoAUFrK9xt6fLho6JuPVuBiMQZW1rJcwDQYJKoZIhvcNAQELBQADggEBAEpMyEoEn6h8764AmOmNFPHHRNWBnyesv1eODDs7laYeAru7Cy--UE6G6oO79S7JtnK3XIz6J1UxoBkupbGzEZ7-qvVMJsiFERx39cItTisl1TmI_JyJgQjii2WBNPsRscs1-u2ELgoGYDDrG2x1r7q3mqWDLCLI0CTL-__dymLgcgzjXou0wLK-zxijl7ZKUJWC9BUZTetvBgfAc-zngcxvZrmGlEsDo4jlxTPAOENsjoO3LClEIA0MAj7IX5QbGigNpghKgL64DSqzpA3hpdavnijvFTlLedcKbQdRUKGpst3rOfDmiyUoGZqMixh3MYBEuR6TY6dRN680PR-Icc8",
        "MIIEPTCCAiWgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAwMQswCQYDVQQGEwJVUzEhMB8GA1UEAxMYUGF5bWVudCBOZXR3b3JrIFJvb3QgQ0ExMB4XDTEyMDcxMDEwMDAwMFoXDTI1MDcxMDA5NTk1OVowLzELMAkGA1UEBhMCRVUxIDAeBgNVBAMTF1BheW1lbnQgTmV0d29yayBTdWIgQ0EzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnor9FjCEaGKUWWxEHPN8XuU7jGrCQGNEmyUWQ6eH7Jwy2-Pvt86UVCzJG_LITHv26pEE4pYCLFOnRTw6CmJ_lrzto-1lYuql8bcBNH3UP3FxabMkPdcq4HZZhqarHLgyC82jJfBwDkg_CvN241dBxJnftU9Qw6n4MhQuIl7q6eOh6J2-lPSFiforARHY2pP6Gt2nX6B2GdktD5T7ZYxZG6OilPwRk5WM-2F1HWAULzrc7w-qDbJaazNgHCC6MhKho_Z9fJYu1Uk3ZKSKRUgovulXDe73ZqBu9zi8JYYFWyPBtaZ5RvwD-pW2pyqjpCjN1fr6RB5eEDsDHs3iSMx5iwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH_MA4GA1UdDwEB_wQEAwIBBjAdBgNVHQ4EFgQUFrK9xt6fLho6JuPVuBiMQZW1rJcwHwYDVR0jBBgwFoAUZQEujCO-AA0gqjWV1iv8A2GJaQQwDQYJKoZIhvcNAQELBQADggIBAJf5IE5ghpx2ELW9aYK4LpzpnyYk6jmF1PpcXnQqZLolXJ_sWyR_hrskv4JxQbYkeTFfwK6bHE8wwm44pGUIBXWL0oKxVBB0IEgfjRlZjUveuNm7NWkJI0pZeSZ8oFm1DJ7gLEjCFaKUiOmyJozwuz8uaKR2f2YU7HNsGu2HdQwib0S2CMr1tlHCHCf3A89KxWwnAg-92DAr_cfTcQAue4fb_LnG689ipXGMNgcyKeK7U15lXvycfflqum2529WtP3T9D0OQjHJ_tyAIlB1RxRzuL6EiNIpTbpU6c0ZDoZCXhTVQqhlZokKlSSFUrg7jMA8eLxsIf10r5hE3O1V3RkOhlb8XAFQ_mNpIqOD5_2qRmbNUREH8RTrarZFcWOuP8W13Bz1peXhHNKJGp7SX8Z4Tqxdtc59Nlx0-aDDnWus2WEzMeBit4fAaKxuSgdwxp4PUxgzicDi1unzhzAd2LpOnjFsz4P5eAcpZWh1OA519iV3Pqbo5YU2kAzgvifqE9yiODz0-T7xuqox_fyhk7WZpg1QUptX7JfrOKbo1JFDbOcb257k_02skqvbsSE_kAjTScSTvZScmmxwTf5ugTFw6vsIcAJ8LnHeJUtX1Jg2qmWbkMKpSVi9RG_p5RnJc6uCBfgPW0PK3QUaYgwzR6GA8PeRCnfk5B4HATgLo_p5K"
      ]
    },
    "SignatureValue": "LZyTyWZPvX2Wfztvbr_d_25tvo4JxRfy3waqMbJEF3_It9lD83jdlkjSvqk5EosNU45_xcnYnCtdgeT0i7allt6vZW4-0-wr6QZLMtnsJNkSlk249z5y2Q_qZmqbBL0NpolepcREF_TBa_fSnWUV_c2lTkc6lj725_fIVHV1b58rYSEGE3yqF9zi3Eb8LGBIWf5TPXB3BloHu5aj1C3kqIwUkR0nOnoLPvxI5lF44yyLyKtYvtqth3EoAmrcu-h2eLD-GMe18jwxazkK8QS3ZecJ-0Kb1RP5bgsReEwnrRJnLS6li5XqWRtJA6PBTJDrpvrIn_HLaqaATCbSborbyQ"
  }
}

JSON-I as it stands today doesn't return (IMO FWIW) enough benefits to motivate redesigned parsers.

https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html#Normalization_and_Signature_Validation

I will as an experiment see if I can add this feature to the Firefox JSON implementation.

I could of course be wrong...

Regards,
Anders Rundgren