IETF Logo Mail Archive

Re: [jose] JWS Unencoded Payload Option and the % character

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 23 September 2015 05:35 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D0CF1A00CA for <jose@ietfa.amsl.com>; Tue, 22 Sep 2015 22:35:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4
X-Spam-Level:
X-Spam-Status: No, score=-4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OwlR4t5bCQsd for <jose@ietfa.amsl.com>; Tue, 22 Sep 2015 22:35:14 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A3F51A00E4 for <jose@ietf.org>; Tue, 22 Sep 2015 22:35:14 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so190590698wic.0 for <jose@ietf.org>; Tue, 22 Sep 2015 22:35:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=eby7Tm5qm2Co1DFaaPTbMEKiKJWBgrFbZuNyCgmGCag=; b=lI4X8oofsgikWBWg8cvlNdRDUpG8HFKSDDhdI674GhHMySO+SxuUtoply2/KQdyru0 0iO4yTvqmIJZvgilND2jy6sVAtQnnZNygZQvjo0qQEda2mAqy4fB01hoZOihnVmCQ3mr 3A+GSjRnXy6bFlARHDOa1Qgad+Oks6SBvOrTQ2ZDW5Az8AWlxmg4JzUCoz1ka6DTrM/T IQuU6r2qFX0Wo9oykNi8NM/cajPNdVF1S2W3fXDJ95UScfjmEes5efXq0b8TfJE3kZsr Z+rMOQFHQ7Y95rz4ptpqK+sWTFtBdTM+MgCMxQjtLMxrmVcTHAfrT9wTtc1ZICoKQngK K8nw==
X-Received: by 10.194.80.71 with SMTP id p7mr1351317wjx.83.1442986512840; Tue, 22 Sep 2015 22:35:12 -0700 (PDT)
Received: from [192.168.1.79] (148.198.130.77.rev.sfr.net. [77.130.198.148]) by smtp.googlemail.com with ESMTPSA id wx10sm5272130wjb.46.2015.09.22.22.35.11 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 Sep 2015 22:35:11 -0700 (PDT)
To: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
References: <BY2PR03MB4426BED954F4CAC80447B4EF5450@BY2PR03MB442.namprd03.prod.outlook.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <56023A0A.5070907@gmail.com>
Date: Wed, 23 Sep 2015 07:35:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <BY2PR03MB4426BED954F4CAC80447B4EF5450@BY2PR03MB442.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/ko6akwYAuNDiYX5Do5xOUkE3NGw>
Subject: Re: [jose] JWS Unencoded Payload Option and the % character
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 05:35:16 -0000

On 2015-09-23 00:23, Mike Jones wrote:
> There’s one outstanding issue with the JWS Unencoded Payload Option
 > specification that I’d like to see working group discussion on:
 > What should the processing rules be for a ‘%’ character in the
 > JWS Payload for a non-detached payload using “b64”:false with the
 > JWS Compact Serialization?  I see the possibilities as being:


Mike,

This is a question of purely theoretic value since nobody (in their right mind)
would consider using the non-detached payload option when it only takes 10-
150 lines of additional code making a JSON serializer "crypto-capable" allowing
you to to use "Signed JSON" as well as do other pretty cool crypto-stuff like
the "requestHash" construct in

    http://webpki.org/papers/payments/webpay-4-corner-flow.html#p8

which simply put is undoable using current JOSE standards.

For detached signatures the document is fine "as is".

Anders

>
> 1.  Use of ‘%’ is prohibited, because it is not URL-safe.  This is the behavior current specified in https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-02#section-5.2.  This is the simplest option.  It means that inline unencoded payloads are limited to using letters, numbers, dash, underscore, and tilde.
>
> 2.  Use of ‘%’ is allowed and has no defined semantics at the JWS level; it’s just another allowed character.  This maintains the invariant that the JWS Signing input consists of the characters before the second ‘.’ in the JWS representation. Note that because ‘%’ is not URL-safe, any URLs containing JWS containing ‘%’ characters would have to form-url-encode them – resulting in them being represented in the URL as “%25”.  Applications **could** use ‘%’ at the application level to escape octets using the ‘%’ <hex> <hex> convention but this escaping would not be understood by JWS.  For example, the JWS Payload could be “%24%2E02”, be represented in the JWS as “%24%2E02”, be represented in URLs as “%2524%252E02”, and the JWS Signing Input would contain “%24%2E02”.  I believe that this is the position that was being advocated by Sergey Beryozkin in http://www.ietf.org/mail-archive/web/jose/current/msg05257.html.
>
> 3.  Use of ‘%’ is allowed and is used for ‘%’ <hex> <hex> encoding of payload octets, with the JWS Signing Input keeping the ‘%’ <hex> <hex> characters as-is.  This maintains the invariant that the JWS Signing input consists of the characters before the second ‘.’ in the JWS representation.  It requires form-url-decoding of any payload value containing ‘%’ when returning the JWS Payload.    For example, the JWS Payload could be “$.02”, be represented in the JWS as “%24%2E02”, be represented in URLs as “%2524%252E02”, and the JWS Signing Input would contain “%24%2E02”.
>
> 4.  Use of ‘%’ is allowed and is used for ‘%’ <hex> <hex> encoding of payload octets, with the JWS Signing Input containing the encoded octets.  This loses the invariant that the JWS Signing input consists of the characters before the second ‘.’ in the JWS representation.  It requires form-url-decoding of any payload value containing ‘%’ both when doing signing and when returning the JWS Payload.    For example, the JWS Payload could be “$.02”, be represented in the JWS as “%24%2E02”, be represented in URLs as “%2524%252E02”, and the JWS Signing Input would contain “$.02”.  This is the most consistent with the JWS JSON Serialization processing rules in https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-02#section-5.3, in which the JWS Payload and JWS Signing Input values are determined after performing any escape processing.  I believe that this is the position that was being advocated by Jim Schaad in
> http://www.ietf.org/mail-archive/web/jose/current/msg05259.html.
>
> How would working group members like to see us use (or not use) ‘%’?
>
>                                                                  -- Mike
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email