IETF Logo Mail Archive

[jose] Propsoed Signing Procedure

"Jim Schaad" <ietf@augustcellars.com> Sat, 29 June 2013 04:10 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B53F521F9CAC for <jose@ietfa.amsl.com>; Fri, 28 Jun 2013 21:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.979
X-Spam-Level:
X-Spam-Status: No, score=-2.979 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtK7wZ3fbBJY for <jose@ietfa.amsl.com>; Fri, 28 Jun 2013 21:10:24 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id DA4E321F9CAF for <jose@ietf.org>; Fri, 28 Jun 2013 21:10:24 -0700 (PDT)
Received: from Philemon (unknown [207.239.114.206]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id CAB5738EEA; Fri, 28 Jun 2013 21:08:46 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org, Mike Jones <Michael.Jones@microsoft.com>
Date: Fri, 28 Jun 2013 21:07:19 -0700
Message-ID: <063101ce747e$425dd4f0$c7197ed0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0632_01CE7443.9600AAA0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac50fElxmCSb5LZPRZybsBfpsl+Msg==
Content-Language: en-us
Subject: [jose] Propsoed Signing Procedure
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2013 04:10:30 -0000

I would suggest something along the following lines.  It is still missing
some of the descriptive text that is required, but not a great deal of it.

 

Jim

 

 

 

5.1 Message signing or MACing

 

To create a JWS, on performs the following steps.  The order of the steps is
information, however the result of performing the steps is prescriptive.

 

1.        Verify the content to be used as the JWS Payload is an octet
stream.  If it is not then the fail.

2.        If a common signature header field exists, then serialize the
object describing the header using UTF-8 and then base64 URL that result.
This is now the Encoded JWS Header.

3.       For each signature to be created perform the following steps:

a.       Obtain the algorithm to be used for the signature operation.  This
may be in the common signature protected header, the common signature
unprotected header or the signature header objects.  If this is not a legal
and supported signature algorithm then fail.

b.      Verify that the key to be used for the signature operation is
compatible with the signature algorithm.

c.       Concatenate the following values for the octet stream to be signed:

                                                               i.      The
Encoded JWS header if it exists,

                                                             ii.      One
period character ('.')

                                                            iii.      The
JWS payload

d.      Compute the signature value using the key, the signature algorithm
and the octet stream to be signed.

e.      Base64url encode the signature value, this is the Encoded JWS
signature.

 

Section 8.1  Compact serialization

 

In order for a compact serialization to be created, the following conditions
must be met:

1.       There must be exactly one signer

2.       There must not be a common unprotected header field or a signer
header field.  These can be combined before the signature is created to form
the common protected header field.

3.       The JWS payload MUST conform to the character set which is used for
base64url encoding.  This is A-Za-z0-9 (and whatever the rest of them are)

 

The compact serialization is formed by concatenating the following items:

1.       The Encoded JWS Header,

2.       One period character ('.')

3.       The JWS Payload

4.       One period character ('.')

5.       The Encoded JWS signature

 

Section 8.2  JSON Serialization

 

The JSON serialization is an object with the following members:

Protected            - a string containing the Encoded JWS Header (OPTIONAL)

Unprotected      - an object containing any common unprotected header values
(OPTINAL)

Payload                - a string containing the JWS Payload (REQUIRED)

Signatures           - an array containing one element for each signature
created.  Each array element consists of an object with the following
members:

                Header - an object containing any signer specific
unprotected header values (OPTINAL)

                Signature - a string containing the Encoded JWS Signature
for that signer.

v2.23.0 | Report a Bug | By Email