Re: [jose] JWK-specific key fingerprints?

Daniel Holth <dholth@gmail.com> Mon, 18 February 2013 18:55 UTC

Date: Mon, 18 Feb 2013 13:55:43 -0500
From: Daniel Holth <dholth@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Martin Thomson <martin.thomson@gmail.com>, jose <jose@ietf.org>

On Mon, Feb 18, 2013 at 12:51 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Citation for Canonical JSON:
> <http://wiki.laptop.org/go/Canonical_JSON>
>
> I have implemented this in python.  It is surprisingly easy [1].
>  Canonicalization has been anathema to this group, but I suspect largely
> because people have been bitten by XML canonicalization, rather than
> because JSON canonicalization has been tried and found difficult.
>
> If we're going to go down this path, I would prefer Canonical JSON to
> bencode, if only because bencode is an entirely different format to
> implement.
>
> Personally, given how easy canonicalization is to implement (it actually
> requires fewer lines in my experience than base64!), it seems like a
> sensible choice in general.  In particular, for the JSON serialization, it
> would save some unnecessary base64 encoding that is currently required.  I
> would be glad to contr
>
> --Richard
>
> [1] My own canonicalization, not sure if it matches the one linked above
> <http://pastebin.com/ptUfn0c3>
>
>
>
> On Tue, Feb 12, 2013 at 3:01 PM, Daniel Holth <dholth@gmail.com> wrote:
>
>> On Tue, Feb 12, 2013 at 2:53 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>>
>>> On 12 February 2013 10:56, Daniel Holth <dholth@gmail.com> wrote:
>>> > ... canonical json ....
>>>
>>> Isn't mention of canonical JSON a swear-jar offense?  Something needs
>>> canonicalization, but JSON seems a poor candidate.
>>>
>>
>> There is something called Canonical JSON. They take out all the
>> whitespace, sort keys lexicographically, and only quote the " inside
>> strings. It is used in the wild by the OLPC project I think.
>>
>> bencode is an easier to implement protocol that is used in bittorrent and
>> yields a tiny write-only implementation if all you want to do is get unique
>> hashes for the subset of JSON used by JWK.
>>
>
Especially if you are not worried about the CJSON corner cases (which go
away when your data is all printable ASCII) it is stupidly simple. The rest
of the spec would be to exclude the members of the JWK that are not used by
the crypto math (need a better way to say this) and to give it a name like
"hash kid" -> "hkid".
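
The fingerprint scheme sketched in this message, as an added example that is not code from the thread or from any JOSE draft: drop the JWK members that are not key material, serialize what is left with sorted keys and no whitespace, and hash it. The per-type member lists, the choice of SHA-256, the base64url output and the sample key values are assumptions made for illustration; only the name "hkid" comes from the message.

```python
import base64
import hashlib
import json

# Assumption: the members that feed the crypto math, per key type.
# Everything else (kid, use, alg, ...) is metadata and is excluded.
KEY_MATERIAL = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

def canonical_jwk(jwk):
    """Return canonical bytes covering only the key-material members."""
    kty = jwk.get("kty")
    if kty not in KEY_MATERIAL:
        raise ValueError("unsupported kty: %r" % (kty,))
    subset = {}
    for name in KEY_MATERIAL[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError("missing or non-string member: " + name)
        # Refuse anything outside printable ASCII, so the canonical-JSON
        # corner cases (escapes, Unicode forms) cannot arise.
        if not all(0x20 <= ord(c) <= 0x7E for c in value):
            raise ValueError("non-printable or non-ASCII data in: " + name)
        subset[name] = value
    # Sorted keys, no whitespace: one byte string per distinct key.
    text = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return text.encode("ascii")

def hkid(jwk):
    """Hash kid: base64url(SHA-256(canonical form)), padding stripped."""
    digest = hashlib.sha256(canonical_jwk(jwk)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# Constructed sample keys (not real key material).
KEY_A = {"kty": "EC", "crv": "P-256", "x": "AAEC", "y": "AwQF"}
# Same key, different member order and extra metadata.
KEY_A_WITH_METADATA = {"use": "sig", "y": "AwQF", "kid": "k1",
                       "x": "AAEC", "alg": "ES256", "crv": "P-256",
                       "kty": "EC"}
# Different key: one coordinate changed.
KEY_B = dict(KEY_A, x="AAED")

if __name__ == "__main__":
    print(canonical_jwk(KEY_A_WITH_METADATA).decode("ascii"))
    print(hkid(KEY_A), hkid(KEY_A_WITH_METADATA), hkid(KEY_B))
```

Because metadata is stripped before hashing, relabelling a key (a new `kid` or `use`) does not change its hkid, while any change to the key material does.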