[jose] Propsoed Signing Procedure
"Jim Schaad" <ietf@augustcellars.com> Sat, 29 June 2013 04:10 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B53F521F9CAC for <jose@ietfa.amsl.com>; Fri, 28 Jun 2013 21:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.979
X-Spam-Level:
X-Spam-Status: No, score=-2.979 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtK7wZ3fbBJY for <jose@ietfa.amsl.com>; Fri, 28 Jun 2013 21:10:24 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id DA4E321F9CAF for <jose@ietf.org>; Fri, 28 Jun 2013 21:10:24 -0700 (PDT)
Received: from Philemon (unknown [207.239.114.206]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id CAB5738EEA; Fri, 28 Jun 2013 21:08:46 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org, Mike Jones <Michael.Jones@microsoft.com>
Date: Fri, 28 Jun 2013 21:07:19 -0700
Message-ID: <063101ce747e$425dd4f0$c7197ed0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0632_01CE7443.9600AAA0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac50fElxmCSb5LZPRZybsBfpsl+Msg==
Content-Language: en-us
Subject: [jose] Propsoed Signing Procedure
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2013 04:10:30 -0000
I would suggest something along the following lines. It is still missing some of the descriptive text that is required, but not a great deal of it. Jim 5.1 Message signing or MACing To create a JWS, on performs the following steps. The order of the steps is information, however the result of performing the steps is prescriptive. 1. Verify the content to be used as the JWS Payload is an octet stream. If it is not then the fail. 2. If a common signature header field exists, then serialize the object describing the header using UTF-8 and then base64 URL that result. This is now the Encoded JWS Header. 3. For each signature to be created perform the following steps: a. Obtain the algorithm to be used for the signature operation. This may be in the common signature protected header, the common signature unprotected header or the signature header objects. If this is not a legal and supported signature algorithm then fail. b. Verify that the key to be used for the signature operation is compatible with the signature algorithm. c. Concatenate the following values for the octet stream to be signed: i. The Encoded JWS header if it exists, ii. One period character ('.') iii. The JWS payload d. Compute the signature value using the key, the signature algorithm and the octet stream to be signed. e. Base64url encode the signature value, this is the Encoded JWS signature. Section 8.1 Compact serialization In order for a compact serialization to be created, the following conditions must be met: 1. There must be exactly one signer 2. There must not be a common unprotected header field or a signer header field. These can be combined before the signature is created to form the common protected header field. 3. The JWS payload MUST conform to the character set which is used for base64url encoding. This is A-Za-z0-9 (and whatever the rest of them are) The compact serialization is formed by concatenating the following items: 1. The Encoded JWS Header, 2. One period character ('.') 3. The JWS Payload 4. One period character ('.') 5. The Encoded JWS signature Section 8.2 JSON Serialization The JSON serialization is an object with the following members: Protected - a string containing the Encoded JWS Header (OPTIONAL) Unprotected - an object containing any common unprotected header values (OPTINAL) Payload - a string containing the JWS Payload (REQUIRED) Signatures - an array containing one element for each signature created. Each array element consists of an object with the following members: Header - an object containing any signer specific unprotected header values (OPTINAL) Signature - a string containing the Encoded JWS Signature for that signer.
- Re: [jose] Propsoed Signing Procedure Richard Barnes
- [jose] Propsoed Signing Procedure Jim Schaad
- Re: [jose] Propsoed Signing Procedure Mike Jones
- Re: [jose] Propsoed Signing Procedure Jim Schaad