Re: [jose] canonical JSON

"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 19 February 2013 20:35 UTC

From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [jose] canonical JSON
Thread-Index: AQHODm57KLMcmYZ0i0Gyb/ks/6ZBmJiBmX0AgAARsYCAAF3OAA==
Date: Tue, 19 Feb 2013 20:35:21 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED9411513E85D@xmb-aln-x11.cisco.com>
References: <CAG8k2+4xaAUBPs=Kw-=eBHZNyOMs6VYByPEb1jnAv1aGjLupng@mail.gmail.com> <CABkgnnWzdoo6b0ZymF0cv_v9zOjJKTWuUhkWuxiA-cM9qgu0jg@mail.gmail.com> <CAG8k2+47GQXHhWBdqd82UEAPZUfAigYE-vwxpaMJm4F5i8098A@mail.gmail.com> <CAL02cgQ3Oh1D9qHW7XWAZqzmfnE5T6-FjNydjpMEMhaHf2d7Xw@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150757902D@WSMSG3153V.srv.dir.telstra.com> <CAG8k2+5mVYJ6TgQHJ9juXEaWkfMteG6gV8w_dCoShP4-9fPqMA@mail.gmail.com> <CAL02cgRZkf8rR=gAuR6ZT61WCah3aWQNAq8d+GLWweehH7jN6A@mail.gmail.com>
In-Reply-To: <CAL02cgRZkf8rR=gAuR6ZT61WCah3aWQNAq8d+GLWweehH7jN6A@mail.gmail.com>
Cc: Daniel Holth <dholth@gmail.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, jose <jose@ietf.org>
Subject: Re: [jose] canonical JSON

I know I'm still reeling from canonicalization (c14n) issues in XML, but I can put that aside.  It would be nice to have JWK fingerprinting.

I can see value in each JWK type defining what is canonical; I'm less thrilled limiting metadata to a specific place, but could live with that.  I can see where excluding metadata can get us in trouble later, but I think that would mean having a much more robust c14n approach.

By the way, there is going to be a JSON BoF in Orlando, and c14n seems like a good thing to bring up there.


- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.

PS: 42 vs 4.2e0 vs 4.2e1

On Feb 19, 2013, at 7:59 AM, Richard Barnes <rlb@ipv.sx> wrote:

> So your fingerprint algorithm would be something like the following?
> 
> INPUT: JWK
> 1. Remove "metadata" fields.  So, for RSA, you would be left with {"kty",
> "n", "e"}
> 2. Convert stripped JWK to canonical form
> 3. Compute digest over canonical form
> 
> That seems generally agreeable to me.
> 
> For (1) to be possible, you would need to define which fields are covered
> in the fingerprint for each key type ("kty" value).  Or, alternatively, you
> could restructure JWK so that metadata fields are grouped into a "meta"
> sub-dict.  Which might be nice anyway.
> 
> For (2), I agree that there is probably a better canonicalization than
> CJSON.  The code I pasted earlier implements the following changes from RFC
> 4627:
> -- Object fields must be in lexicographic order, sorted by field name
> -- No white space allowed
> -- Numbers: Exponent part must use 'e'
> -- Numbers: Exponent part must not use '+'
> -- Numbers: Fraction part must not have trailing zeros
> -- Strings: All characters must be escaped
> ISTM that those changes are fairly minimal, and avoid some of the CJSON
> problems that have been discussed above. Reasonable people can disagree
> over the string aspect; if you want less expansion, you could do things
> like exempt printable ASCII.
> 
> 
> 
> 
> On Tue, Feb 19, 2013 at 8:56 AM, Daniel Holth <dholth@gmail.com> wrote:
> 
>> On Tue, Feb 19, 2013 at 1:57 AM, Manger, James H <
>> James.H.Manger@team.telstra.com> wrote:
>> 
>>> A canonical form of JSON might be fairly easy, but the one you quote (
>>> http://wiki.laptop.org/go/Canonical_JSON) can’t handle floating point
>>> numbers (or very large integers), and produces invalid JSON if a string
>>> includes a tab! Fix those (escaping control chars [\u0000-\u001f]; use
>>> normalized scientific notation for numbers) and it might be worth
>>> considering.
>>> 
>>> Defining JOSE calculations in terms of 1 or more byte arrays, the first
>>> of which is a UTF-8-encoded JSON header, would be useful. It can then be
>>> packaged as dot-separated base64url-encoded segments to be
>>> HTTP-header-friendly, or packaged as a single JSON object to be
>>> programmer-friendly, or packaged as raw bytes to be efficient.
>>> 
>> 
>> I am only proposing a key fingerprinting specification that does not
>> employ DER encoding. JWKs do not contain tabs or floating point numbers.
>> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
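The following is an added worked example, not code from this thread (Richard's pasted implementation is not reproduced here) and not part of any JOSE draft. It implements the three-step fingerprint Richard outlines (strip metadata, canonicalize, digest) together with the canonicalization rules he lists (sorted member names, no whitespace, 'e' exponents without '+', no trailing fraction zeros, every string character escaped). Where the thread leaves a choice open, the example makes one and labels it: numbers always use the normalized scientific notation James suggests, which is what makes `42` and `4.2e1` serialize identically while `4.2e0` stays distinct (Matt's PS); `\u` escapes use lowercase hex; the digest is SHA-256; the member set for `"EC"` keys and the sample JWK values are this example's own assumptions, with the modulus a constructed placeholder rather than a real key.

```python
"""Canonical JSON and JWK fingerprinting, following the rules quoted in the thread."""
import hashlib
import json
import math
from decimal import Decimal

# Members each key type contributes to its fingerprint.  "RSA" is taken from
# the thread; "EC" is this example's own assumption, not something the thread states.
FINGERPRINT_FIELDS = {
    "RSA": ("kty", "n", "e"),
    "EC": ("kty", "crv", "x", "y"),  # assumption
}


def canonical_number(value):
    """Normalized scientific notation: one leading digit, no trailing zeros,
    exponent introduced by 'e' and never written with '+'.  Ints, floats and
    Decimals that denote the same value therefore serialize identically."""
    if isinstance(value, bool):
        raise TypeError("booleans are not numbers")
    if isinstance(value, float):
        if not math.isfinite(value):
            raise ValueError("NaN and infinities are not JSON numbers")
        value = Decimal(repr(value))  # shortest round-tripping decimal text
    elif isinstance(value, int):
        value = Decimal(value)        # exact, however large the integer
    elif not isinstance(value, Decimal) or not value.is_finite():
        raise TypeError(f"not a finite number: {value!r}")
    sign, digits, exponent = value.as_tuple()
    # Strip trailing zero digits by hand: Decimal.normalize() would first round
    # to the context precision and silently damage very large integers.
    digits = list(digits)
    while len(digits) > 1 and digits[-1] == 0:
        digits.pop()
        exponent += 1
    if digits == [0]:
        return "0"  # zero carries neither sign nor exponent
    mantissa = str(digits[0])
    if len(digits) > 1:
        mantissa += "." + "".join(str(d) for d in digits[1:])
    sci_exponent = exponent + len(digits) - 1
    return f"{'-' if sign else ''}{mantissa}e{sci_exponent}"


def canonical_string(text):
    """Escape every character as \\uXXXX over UTF-16 code units (astral
    characters become surrogate pairs).  Output is pure ASCII, so a tab or any
    other control character can no longer produce invalid JSON.  Lowercase hex
    is this example's choice."""
    units = text.encode("utf-16-be")
    escaped = "".join(
        f"\\u{int.from_bytes(units[i:i + 2], 'big'):04x}" for i in range(0, len(units), 2)
    )
    return '"' + escaped + '"'


def canonical_json(value):
    """Serialize with no whitespace; object members sorted by name (code point order)."""
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, (int, float, Decimal)):
        return canonical_number(value)
    if isinstance(value, str):
        return canonical_string(value)
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(canonical_json(item) for item in value) + "]"
    if isinstance(value, dict):
        if not all(isinstance(key, str) for key in value):
            raise TypeError("object member names must be strings")
        members = (canonical_string(k) + ":" + canonical_json(value[k]) for k in sorted(value))
        return "{" + ",".join(members) + "}"
    raise TypeError(f"cannot canonicalize {type(value).__name__}")


def canonicalize_text(json_text):
    """Parse JSON text and re-emit it canonically.  Floats are parsed as
    Decimal so '4.2e0' and '42' are judged by value, not by spelling."""
    return canonical_json(json.loads(json_text, parse_float=Decimal))


def jwk_fingerprint(jwk, hash_name="sha256"):
    """Steps 1-3 from the thread: drop metadata, canonicalize, digest.
    Raises KeyError for an unknown key type or a missing required member,
    so an incomplete key never yields a fingerprint."""
    fields = FINGERPRINT_FIELDS[jwk["kty"]]
    stripped = {name: jwk[name] for name in fields}
    digest = hashlib.new(hash_name)
    digest.update(canonical_json(stripped).encode("ascii"))  # output is ASCII by construction
    return digest.hexdigest()


# Constructed sample: the modulus is a placeholder string, not a real key.
SAMPLE_RSA_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-placeholder",
    "e": "AQAB",
    "kid": "2013-02-19",  # metadata, excluded from the fingerprint
    "use": "sig",         # metadata, excluded from the fingerprint
}

if __name__ == "__main__":
    print(canonical_json(SAMPLE_RSA_JWK))
    print(jwk_fingerprint(SAMPLE_RSA_JWK))
    for text in ("42", "4.2e0", "4.2e1", "4.20E+1", "100", "0.001"):
        print(text, "->", canonicalize_text(text))
```

Because the digest is taken over the stripped object only, adding or changing `kid`, `use` or any other metadata member leaves the fingerprint unchanged, which is the property the thread is after; the flip side, as Matt notes, is that nothing in the metadata is bound to the fingerprint, so any later decision to cover it needs an agreed canonical form for those members too.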