[jose] JSON-I. Was: JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 18 September 2014 12:12 UTC

Message-ID: <541ACC02.9000103@gmail.com>
Date: Thu, 18 Sep 2014 14:11:46 +0200
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: kivinen@iki.fi, "jose@ietf.org" <jose@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/bMJcv3daU6pj0ByTdrbKdKqj9As

Hi Tero,
You are of course right.  If you want to use JOSE you should use a parser that matches the requirements, or update an existing one until it does.
I would consider taking this one step further.

It is *trivial* to create (sort of) "canonicalized" JSON by tweaking the parser (not the JSON spec) so that it doesn't modify the input, with the exception of whitespace and escaping.

There's no point repeating the problems we had with XML, but you still don't *have* to revert to base64-encoded octet-strings either.

Why is that important?  Because then you open the door to things like step #8 in:
http://webpki.org/papers/PKI/EMV-Tokenization-SET-3DSecure-WebCryptoPlusPlus-combo.pdf#page=4
which, when using JCS, looks like this (actual log message):

{
   "@context": "http://xmlns.webpki.org/wcpp-payment-demo",
   "@qualifier": "TransactionResponse",
   "PaymentRequest":
     {
       "CommonName": "Demo Merchant",
       "Amount": 325,
       "Currency": "USD",
       "ReferenceID": "#1000000",
       "DateTime": "2014-09-17T14:17:22Z",
       "Signature":
         {
           "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
           "KeyInfo":
             {
               "SignatureCertificate":
                 {
                   "Issuer": "CN=Merchant Network Sub CA5,C=DE",
                   "SerialNumber": "1410946675139",
                   "Subject": "CN=Demo Merchant,2.5.4.5=#1306383936333235,C=DE"
                 },
               "X509CertificatePath":
                 [
                   "MIIDQzCCAiugAwIBAgIGAUiC-bHDMA0GCSqGSIb3DQEBCwUAMDAxCzAJBgNVBAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrIFN1YiBDQTUwHhcNMTQwMTAxMDAwMDAwWhcNMjAwNzEwMDk1OTU5WjA2MQswCQYDVQQGEwJERTEPMA0GA1UEBRMGODk2MzI1MRYwFAYDVQQDEw1EZW1vIE1lcmNoYW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlrcRmV_2Wt1-N_MQA_v55GMXCeUfep3f5gC6R76OzBgAR-Ix8waP_vtBi4WgDvCoIgt7S2rldeYSIP29qyGAYmRDo_OqBtVcNMmR3jLxazC_cOg7dx-Rg2aqgD__-h_XsyvT7IQa6lKCum6iB1hkRxdavkyu7KVS8c9kGSLUL2c1iJk3EtcPzKTIf3YrOFktz2f6Ut_S75L7m2NsDOrfNG6iRgpPrLq1lesRRmKO2ZfjD_3IwRMoqLRYos-Ff2zGjJASy8pTFfE7d_BnrPh_0svvG9bnMIyKLWEk6CJU43iC5wnBAZmdUIkavAi96yx1mqYAt7pNg8Lb_JETta6pVQIDAQABo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUw8YgcU_Hm68y1NTiE4Vfr1WpiNcwHwYDVR0jBBgwFoAUhGlwpV1GDevGR_FeQFLxSInanxUwDQYJKoZIhvcNAQELBQADggEBANKrB8ntQCt9Hq7lvinwqUCzzMkPC0DLHh--cieJpUQ3lKonFR34hWT7jj0n2sv0HyKPSJlfj8U6AVUquWtAibURcNoZtZHWoR3AQ80b34n8ANaItS4U5nBMXpRLt6j0g88FNrpoKg8W7LIe1fk6yWVsg2ivAvCzQKR__2oMD-TCf4FA5cCveT8FT4YHqf7IpXro7yCGoZgLpk-At-iihV8QN25ZGglySpUQowNe36MV3-HeEwNR-1ZOF4aeegATZoS09IgzOjPejGyp_0loRaixy-mV-FkYR2W6hcK2EfzJ3aYb0KmGj9iIKNbkmG0kfxvu7BqdKREmYR0ewEskkPE",
                   "MIIEPzCCAiegAwIBAgIBBTANBgkqhkiG9w0BAQsFADAxMQswCQYDVQQGEwJVUzEiMCAGA1UEAxMZTWVyY2hhbnQgTmV0d29yayBSb290IENBMTAeFw0xMjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMDAxCzAJBgNVBAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrIFN1YiBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe77S3gc0enm8CE6TFzE0HjrX2WsPrEQUjWRtfJJacosg18BzkctPiQKdaVfJEt-stUTi_buADFfh1YrHgw0St9ejtiBwY-FOOBYbFaTih5F6arZgG7G87MHvpN7QuurutyKO1nxumt2WK_Brr-LSty54nj_PaOTquwjqZ1Jw1awvv_5o03TANCvAUvgtpF9OGZzPD5gqO-rtu8hwY6uGaxCOqJ7chPqIKcXKkxniWGaDMXFjaBtRb5c4r2z9zYl5BAYTDVCzXLZiL_84XpSi9zA0jElpLumTrRBWURutICFLgqdsQeqm6kib17BuopRHJOvrIrf9f_Xd67AVpj-dZAgMBAAGjYzBhMA8GA1UdEwEB_wQFMAMBAf8wDgYDVR0PAQH_BAQDAgEGMB0GA1UdDgQWBBSEaXClXUYN68ZH8V5AUvFIidqfFTAfBgNVHSMEGDAWgBSMgcUOGLi-1yZivLwshVNXviTYYjANBgkqhkiG9w0BAQsFAAOCAgEATnKqxuy3F0kWWQ1kw7RSfaMbWvkf7HtyE1mOgCz7FisXyVEpVN3f0HhRqs723v7QPej5D89Gf4MUG_amwgkcoq5vsAkc3OYDbdXmMT0YtSFpwzWcm8oCniEB0zoGamt_si-qSx3WWR3YVqIymuphzgnjjoiiLdYDbF9Mqay4ICRJSJNEj2CuLPXbyvdfZ566WughYbmc67JUkROqa1Eig0ERTtncIw_Xe18OuDjtT16Cua9qMrZoYPng1G83tzlVczXSd-WY-X5o9emv7X-fUQqZGACIDNmYrD0loOBt1-agR1_rlSWWnnTe3Hzdrn_MhV1Ohta3EcIsm2rK4d4BHWIyTVfi3f3OV9IUBjlbB-vy6xWzGDcG6dRVOX_Kb_hJMdw-5MWCLfCg1Ah4GXtpg5k12xvB5-iodxpfOCTMo7pxylQ_YRHPLPfAHzgr3__7y3JdxA2wkJt-mnzLIX0-FwdhKAbsVIfSc-D9e6rk7qX52fQc9IjMP_y5op27eQXYRU41cjptjd2KJVt1oUEREwiQFPUXjaLzoIvZO-w6jg-lCGDcJ_N_gvwoo8X6uLBX2nX2cvIUvDSlBOmf8FxNRLsu-UYIugCTmvvA0b3QT9f5qgr_YqPD0tgXbiUShKQon6LRLDqV8jSxMg9XPWD8oScX-1rOJS8kE3TgB16VQQI"
                 ]
             },
           "SignatureValue": "Pdp3FCQuu34gBtyobMGTbesrqLgl5NuICpeVBxvvnwo6oqCX0d0thRWxGTLdUEniPbd4JnODCr3FjOlaLHJl7OuguJX6ejRmvA29y8qJhcELXtT1_n13JAI8puHPtk-hn_1M8d7048dqAeUKzjwN-uhyup1CaaxaVf4zxkMJBcUDqgs17EKmsHtuEKvz8kti8QfpYVWGRlJbkWlQHGerPVb6Ev6i4by1ruSZLnVLjFw0-CerwOHMzN49FBe9_vjtDzAGqLTcHZlJxDHKBMEeCc9WERuGOEQHqdPG1lrQfuTcCqZPs-yXIXNQTvmLalK005DgODLPYCPt2tthNBjIzA"
         }
     },
   "TransactionID": "#164006",
   "PayeePAN": "**** **** **** 1405",
   "CardType": "SuperCard",
   "Signature":
     {
       "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
       "KeyInfo":
         {
           "SignatureCertificate":
             {
               "Issuer": "CN=Payment Network Sub CA3,C=EU",
               "SerialNumber": "1410946666582",
               "Subject": "CN=mybank.com,2.5.4.5=#130434353031,C=FR"
             },
           "X509CertificatePath":
             [
               "MIIDPTCCAiWgAwIBAgIGAUiC-ZBWMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNVBAYTAkVVMSAwHgYDVQQDExdQYXltZW50IE5ldHdvcmsgU3ViIENBMzAeFw0xNDAxMDEwMDAwMDBaFw0yMDA3MTAwOTU5NTlaMDExCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRMwEQYDVQQDEwpteWJhbmsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1_7YaM1c28HRTYzzVQzTP-ohms_xBoVWl2W5Ac4ZWItD3MqXIKukxjjUXQtb3duLHHnEgIvnAe-boksQ1KyvLigAMfpUKKrROluKW8GZeA0227HsTY170PCB6TNMan3rmnhY3r42b10jVfFwX18LJMVa0ypfpZbEZD6LpB7FtZoJtFuTxt-Jjg3nxys7T4WMh4d_7uLAk3TgqSl_Js9Umu7dXJNIkW1pq1PA2GhLV87w2bARrNNCUeLtTyA1l2QThhJf4l5y065oHDzdgfhDz14dAbb-YOkDp85QcL2h06_9YPOLglrY_QiibvetSuRaGChoUVNZGw-met7ExDUA9wIDAQABo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUY4zmIe8sDzJ54onhjZBtD9z-y3QwHwYDVR0jBBgwFoAUFrK9xt6fLho6JuPVuBiMQZW1rJcwDQYJKoZIhvcNAQELBQADggEBAEpMyEoEn6h8764AmOmNFPHHRNWBnyesv1eODDs7laYeAru7Cy--UE6G6oO79S7JtnK3XIz6J1UxoBkupbGzEZ7-qvVMJsiFERx39cItTisl1TmI_JyJgQjii2WBNPsRscs1-u2ELgoGYDDrG2x1r7q3mqWDLCLI0CTL-__dymLgcgzjXou0wLK-zxijl7ZKUJWC9BUZTetvBgfAc-zngcxvZrmGlEsDo4jlxTPAOENsjoO3LClEIA0MAj7IX5QbGigNpghKgL64DSqzpA3hpdavnijvFTlLedcKbQdRUKGpst3rOfDmiyUoGZqMixh3MYBEuR6TY6dRN680PR-Icc8",
               "MIIEPTCCAiWgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAwMQswCQYDVQQGEwJVUzEhMB8GA1UEAxMYUGF5bWVudCBOZXR3b3JrIFJvb3QgQ0ExMB4XDTEyMDcxMDEwMDAwMFoXDTI1MDcxMDA5NTk1OVowLzELMAkGA1UEBhMCRVUxIDAeBgNVBAMTF1BheW1lbnQgTmV0d29yayBTdWIgQ0EzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnor9FjCEaGKUWWxEHPN8XuU7jGrCQGNEmyUWQ6eH7Jwy2-Pvt86UVCzJG_LITHv26pEE4pYCLFOnRTw6CmJ_lrzto-1lYuql8bcBNH3UP3FxabMkPdcq4HZZhqarHLgyC82jJfBwDkg_CvN241dBxJnftU9Qw6n4MhQuIl7q6eOh6J2-lPSFiforARHY2pP6Gt2nX6B2GdktD5T7ZYxZG6OilPwRk5WM-2F1HWAULzrc7w-qDbJaazNgHCC6MhKho_Z9fJYu1Uk3ZKSKRUgovulXDe73ZqBu9zi8JYYFWyPBtaZ5RvwD-pW2pyqjpCjN1fr6RB5eEDsDHs3iSMx5iwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH_MA4GA1UdDwEB_wQEAwIBBjAdBgNVHQ4EFgQUFrK9xt6fLho6JuPVuBiMQZW1rJcwHwYDVR0jBBgwFoAUZQEujCO-AA0gqjWV1iv8A2GJaQQwDQYJKoZIhvcNAQELBQADggIBAJf5IE5ghpx2ELW9aYK4LpzpnyYk6jmF1PpcXnQqZLolXJ_sWyR_hrskv4JxQbYkeTFfwK6bHE8wwm44pGUIBXWL0oKxVBB0IEgfjRlZjUveuNm7NWkJI0pZeSZ8oFm1DJ7gLEjCFaKUiOmyJozwuz8uaKR2f2YU7HNsGu2HdQwib0S2CMr1tlHCHCf3A89KxWwnAg-92DAr_cfTcQAue4fb_LnG689ipXGMNgcyKeK7U15lXvycfflqum2529WtP3T9D0OQjHJ_tyAIlB1RxRzuL6EiNIpTbpU6c0ZDoZCXhTVQqhlZokKlSSFUrg7jMA8eLxsIf10r5hE3O1V3RkOhlb8XAFQ_mNpIqOD5_2qRmbNUREH8RTrarZFcWOuP8W13Bz1peXhHNKJGp7SX8Z4Tqxdtc59Nlx0-aDDnWus2WEzMeBit4fAaKxuSgdwxp4PUxgzicDi1unzhzAd2LpOnjFsz4P5eAcpZWh1OA519iV3Pqbo5YU2kAzgvifqE9yiODz0-T7xuqox_fyhk7WZpg1QUptX7JfrOKbo1JFDbOcb257k_02skqvbsSE_kAjTScSTvZScmmxwTf5ugTFw6vsIcAJ8LnHeJUtX1Jg2qmWbkMKpSVi9RG_p5RnJc6uCBfgPW0PK3QUaYgwzR6GA8PeRCnfk5B4HATgLo_p5K"
             ]
         },
       "SignatureValue": "LZyTyWZPvX2Wfztvbr_d_25tvo4JxRfy3waqMbJEF3_It9lD83jdlkjSvqk5EosNU45_xcnYnCtdgeT0i7allt6vZW4-0-wr6QZLMtnsJNkSlk249z5y2Q_qZmqbBL0NpolepcREF_TBa_fSnWUV_c2lTkc6lj725_fIVHV1b58rYSEGE3yqF9zi3Eb8LGBIWf5TPXB3BloHu5aj1C3kqIwUkR0nOnoLPvxI5lF44yyLyKtYvtqth3EoAmrcu-h2eLD-GMe18jwxazkK8QS3ZecJ-0Kb1RP5bgsReEwnrRJnLS6li5XqWRtJA6PBTJDrpvrIn_HLaqaATCbSborbyQ"
     }
}

JSON-I as it stands today doesn't (IMO, FWIW) return enough benefits to motivate redesigned parsers.

https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html#Normalization_and_Signature_Validation

I will as an experiment see if I can add this feature to the Firefox JSON implementation.  I could of course be wrong...

Regards,
Anders Rundgren
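The mechanism the message describes, a parser that changes nothing in the input except whitespace and escaping, and a Signature object that lives inside the signed JSON with SignatureValue removed before hashing, can be shown end to end in a few dozen lines. What follows is an added example written for this page; it is neither the JCS implementation at the openkeystore URL above nor Anders Rundgren's code. To run offline it uses HMAC-SHA256 with a shared key in place of the RSA certificate path in the log above, and the key, the sample request and every function name are assumptions of the example. The two failure modes it demonstrates are the ones that matter for cleartext JSON signatures: a serializer that rewrites a number (1.50 to 1.5) silently breaks the signature, while whitespace-only changes do not.

```python
import base64
import hashlib
import hmac
import json


class RawNumber(str):
    """A JSON number kept as the exact lexeme found in the input (e.g. "1.50")."""


def parse_preserving(text: str):
    """Parse JSON without altering anything but whitespace and escaping:
    dicts keep member order, numbers keep their original spelling."""
    return json.loads(text, parse_int=RawNumber, parse_float=RawNumber)


def _quote(s: str) -> str:
    # One fixed escaping policy for every string (the "escaping" the parser may change).
    return json.dumps(s, ensure_ascii=False)


def normalize(value) -> str:
    """Serialize with no whitespace, in the member order of the input."""
    if isinstance(value, RawNumber):      # must precede the plain-str check
        return str(value)
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, str):
        return _quote(value)
    if isinstance(value, list):
        return "[" + ",".join(normalize(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{" + ",".join(_quote(k) + ":" + normalize(v) for k, v in value.items()) + "}"
    raise TypeError(f"unsupported JSON value: {type(value).__name__}")


SIGNATURE = "Signature"
SIGNATURE_VALUE = "SignatureValue"


def _to_be_signed(doc: dict) -> bytes:
    """The whole object, Signature metadata included, minus SignatureValue."""
    sig = {k: v for k, v in doc[SIGNATURE].items() if k != SIGNATURE_VALUE}
    stripped = {k: (sig if k == SIGNATURE else v) for k, v in doc.items()}
    return normalize(stripped).encode("utf-8")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign(text: str, key: bytes) -> str:
    """Return the signed document as cleartext JSON (no base64 envelope)."""
    doc = parse_preserving(text)
    if not isinstance(doc, dict):
        raise ValueError("only JSON objects can carry a Signature member")
    doc[SIGNATURE] = {"Algorithm": "HS256"}        # hypothetical algorithm label
    mac = hmac.new(key, _to_be_signed(doc), hashlib.sha256).digest()
    doc[SIGNATURE][SIGNATURE_VALUE] = _b64url(mac)
    return normalize(doc)


def verify(text: str, key: bytes) -> bool:
    """True only if the signature covers exactly this document's content."""
    doc = parse_preserving(text)
    sig = doc.get(SIGNATURE) if isinstance(doc, dict) else None
    if not isinstance(sig, dict) or sig.get("Algorithm") != "HS256":
        return False
    claimed = sig.get(SIGNATURE_VALUE)
    if not isinstance(claimed, str):
        return False
    expected = _b64url(hmac.new(key, _to_be_signed(doc), hashlib.sha256).digest())
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("ascii"))


def add_whitespace(text: str) -> str:
    """Re-indent compact JSON without touching any value (string-aware scanner)."""
    out, in_str, esc = [], False, False
    for ch in text:
        out.append(ch)
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in ",{[":
            out.append("\n  ")
        elif ch == ":":
            out.append(" ")
    return "".join(out)


def standard_roundtrip(text: str) -> str:
    """What a parser that *does* modify the input produces: 1.50 becomes 1.5."""
    return json.dumps(json.loads(text), indent=2)


# Constructed sample data for this example; not the payment log from the message.
KEY = b"demo-shared-secret"
REQUEST = '{"CommonName": "Demo Merchant", "Amount": 1.50, "Currency": "USD", "ReferenceID": "#1000000"}'

if __name__ == "__main__":
    signed = sign(REQUEST, KEY)
    print(signed)
    print("compact verifies:        ", verify(signed, KEY))
    print("re-indented verifies:    ", verify(add_whitespace(signed), KEY))
    print("number-rewritten verifies:", verify(standard_roundtrip(signed), KEY))
    print("tampered Amount verifies: ", verify(signed.replace('"Amount":1.50', '"Amount":1500'), KEY))
```

The signed output stays readable JSON, which is the point of not falling back to a base64 octet-string envelope; the cost is that every party must parse with the same order- and lexeme-preserving rules, which is exactly the "tweak the parser, not the spec" requirement from the message.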