Re: [jose] Enveloped JSON signatures

Phillip Hallam-Baker <hallam@gmail.com> Thu, 18 July 2013 15:21 UTC

I agree that enveloped signatures are useful. But trying to do that in XML
or JSON is quite painful without resort to Base64 encoding or the like.

The problem is where to define the start and end of the signed text. Add
some whitespace, do a trivial reformat and the position is lost.

This is where ASN.1 has an advantage over JSON. Which would be fine if it
didn't also come with so many disadvantages. ASN.1 is the CPL of binary
encodings and XML is the CPL of text encodings.

Fortunately we now have JSON which is the C of text encodings. It may not
be pretty, it may not support every need but it does the job for 95% of all
needs. Unfortunately there remains a 5% in which there is no substitute for
a binary encoding.

Which is the reason Carsten and Paul have been looking at CBOR, while I
have been working on JSON-B, C and D.

http://tools.ietf.org/html/draft-hallambaker-jsonbcd-00


What I am trying to do here is not compete with JSON for the purposes that
JSON is good at. In fact a compliant JSON-B reader will read JSON without
modification, a JSON-B reader will read JSON or JSON-B and a JSON-C reader
will read any of them.

The idea of JSON-BCD is not to compete with JSON, it is to minimally extend
the JSON syntax so as to address the missing 5% in which binary is
essential so that we can use JSON to drive a steak through the heart of
ASN.1 (preferably fillet).


I would like to use JSON-B as a wrapper for Jose data.



On Thu, Jul 18, 2013 at 4:45 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:

> Hi,
> I'm hooked on enveloped signatures in XML.  I'm considering dropping XML
> for JSON.
> I guess enveloped signatures won't be a part of JWS?
>
> Why enveloped signatures you may wonder?
> Well, in most schemes the root/top element is the message/type indicator
> and it is of course nice if a signature can cover the entire message.
>
> thanx
> Anders
>
> <ProvisioningInitializationResponse
>       Attestation="NxcMqBJGQi...hcKoS2wPQm7rvRc="
>       ClientTime="2013-07-09T18:13:52+02:00"
>       ID="C-13fc435e15fe1f9c7534beb0a08"
>       ServerSessionID="S-13fc435e0099bb7345b0bf57a85"
>       ServerTime="2013-07-09T18:13:52+02:00"
>       xmlns="http://xmlns.webpki.org/keygen2/beta/20121228#"
>       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>       xmlns:ds11="http://www.w3.org/2009/xmldsig11#">
>     <ClientEphemeralKey>
>         <ds11:ECKeyValue>
>             <ds11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>
>             <ds11:PublicKey>BEdD3W6GslfY/AVEkRTD8MqT2R24iYnb+qvs2zP8PWXfecMNioEYR5P1VWPnKLPbRm1JMWPNrgBcTrBPebJ0eKc=</ds11:PublicKey>
>         </ds11:ECKeyValue>
>     </ClientEphemeralKey>
>     <DeviceCertificatePath>
>         <ds:X509Data>
>             <ds:X509Certificate>MIIC2DCCAcCgAwIBAg...xtVD5cD1Gcn7KNdcJfLt</ds:X509Certificate>
>         </ds:X509Data>
>     </DeviceCertificatePath>
>     <ds:Signature>
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
>             <ds:Reference URI="#C-13fc435e15fe1f9c7534beb0a08">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <ds:DigestValue>bQymGISGazFazPrSFcl45YrUBYPzF1sZ1O+29zpfx+w=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>ZN1QM20uWIfHd4rloiqtQqRRf6jAgifcFlzNxqlnk84=</ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:KeyName>derived-session-key</ds:KeyName>
>         </ds:KeyInfo>
>     </ds:Signature>
> </ProvisioningInitializationResponse>



-- 
Website: http://hallambaker.com/
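
The whitespace problem described in the message above, as an added Python example that is not part of the original post: an HMAC-SHA256 computed over serialized JSON text stops verifying once the text is reformatted, while a Base64-wrapped payload survives the same treatment. The key, the message values and the two envelope layouts are constructed for illustration; the wrapped layout is a simplification, not the JWS wire format.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stand-in for a shared HMAC key

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_raw(message: dict) -> dict:
    # Sign the compact JSON text, but ship the object itself in the clear.
    text = json.dumps(message, separators=(",", ":"))
    return {"message": message, "sig": b64u(mac(text.encode()))}

def verify_raw(envelope: dict, serializer) -> bool:
    # The verifier has to rebuild the signed bytes; formatting must match exactly.
    text = serializer(envelope["message"])
    return hmac.compare_digest(b64u_decode(envelope["sig"]), mac(text.encode()))

def sign_wrapped(message: dict) -> dict:
    # Sign the Base64 string; the JSON inside it is opaque to intermediaries.
    payload = b64u(json.dumps(message).encode())
    return {"payload": payload, "sig": b64u(mac(payload.encode()))}

def verify_wrapped(envelope: dict):
    # Check the MAC over the payload string first, decode only if it matches.
    ok = hmac.compare_digest(b64u_decode(envelope["sig"]), mac(envelope["payload"].encode()))
    return json.loads(b64u_decode(envelope["payload"])) if ok else None

def demo():
    msg = {"ID": "C-constructed-1", "ClientTime": "2013-07-09T18:13:52+02:00"}
    # Simulate an intermediary that parses and pretty-prints the envelope.
    raw_rt = json.loads(json.dumps(sign_raw(msg), indent=2))
    same = verify_raw(raw_rt, lambda m: json.dumps(m, separators=(",", ":")))
    reformatted = verify_raw(raw_rt, lambda m: json.dumps(m, indent=2))
    wrapped_rt = json.loads(json.dumps(sign_wrapped(msg), indent=2))
    return same, reformatted, verify_wrapped(wrapped_rt) == msg
```

The raw form verifies only when the verifier reproduces the signer's exact serialization, which is the role canonicalization plays in the quoted XML signature.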