Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures
Mike Jones <Michael.Jones@microsoft.com> Thu, 29 October 2015 06:46 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Date: Thu, 29 Oct 2015 06:46:13 +0000
Message-ID: <BY2PR03MB4423FFEDE264D6089C4BA0CF5200@BY2PR03MB442.namprd03.prod.outlook.com>
References: <5631BF2A.70109@gmail.com> <BY2PR03MB442AAE04D574F870B1C3D77F5200@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442AAE04D574F870B1C3D77F5200@BY2PR03MB442.namprd03.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/c0JMF312u3u0TCJoIcJjgtpfajg>
Typo correction: s/100/1000/

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, October 28, 2015 11:44 PM
To: Anders Rundgren; jose@ietf.org
Subject: Re: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures

This may be just my personal opinion, but preserving member creation order is only one small part of producing canonical JSON, which would be what would be required for such a scheme to be guaranteed to work.

For instance, if the value 1e3 is part of the JSON input, will JSON.stringify() be guaranteed to emit it as 1e3, or might it be 1E3 or 100? Unless it's deterministic, different serializers will produce different results, and therefore different signatures.

Without a canonical JSON being both defined and widely deployed, I can't recommend doing any work that requires a canonical JSON representation to deterministically succeed.

-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren
Sent: Wednesday, October 28, 2015 11:40 PM
To: jose@ietf.org
Subject: [jose] At a glance: JWS vs "in-object" ES6/JSON signatures

ES6-compliant in-object JS/JSON signature:

    var inObjectSignedData = {
        // Object data expressed as JS properties
        "device": "Pump2",
        "value": 1e-18,
        // Object signature
        "signature": {
            ...Protected headers + Signature value expressed as JS properties...
        }
    };

JavaScript's JSON.parse() and JSON.stringify() suffice for "canonicalization" purposes.

Converting the above to JWS JSON Serialization you would get:

    var signedData = {
        // Object data in a coded format
        "payload": "<payload contents>",
        // Protected headers wrapped in Base64URL
        "protected": "<integrity-protected header contents>",
        // Signature in a unique format
        "signature": "<signature contents>"
    };

ES6 was released in June 2015 so this opportunity is actually quite new.

Cheers,
Anders
http://webpki.org/ietf/draft-rundgren-predictable-serialization-for-json-tools-00.html#rfc.section.3.3

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose