[jose] Enveloped JSON signatures

Anders Rundgren <anders.rundgren@telia.com> Thu, 18 July 2013 08:45 UTC

Return-Path: <anders.rundgren@telia.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B480A11E80EF for <jose@ietfa.amsl.com>; Thu, 18 Jul 2013 01:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C-zNKIBr+dFt for <jose@ietfa.amsl.com>; Thu, 18 Jul 2013 01:45:38 -0700 (PDT)
Received: from smtp-out21.han.skanova.net (smtp-out21.han.skanova.net [195.67.226.208]) by ietfa.amsl.com (Postfix) with ESMTP id 544B411E80E2 for <jose@ietf.org>; Thu, 18 Jul 2013 01:45:38 -0700 (PDT)
Received: from [192.168.0.202] (213.64.1.89) by smtp-out21.han.skanova.net (8.5.133) (authenticated as u36408181) id 51AC783600EBEF95 for jose@ietf.org; Thu, 18 Jul 2013 10:45:35 +0200
Message-ID: <51E7AB29.7060600@telia.com>
Date: Thu, 18 Jul 2013 10:45:29 +0200
From: Anders Rundgren <anders.rundgren@telia.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: jose@ietf.org
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [jose] Enveloped JSON signatures
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2013 08:45:43 -0000

Hi,
I'm hooked on enveloped signatures i XML.  I'm considering dropping XML for JSON.
I guess enveloped signatures won't be a part of JWS?

Why enveloped signatures you may wonder?
Well, in most schemes the root/top element is the message/type indicator
and it is of course nice if a signature can cover the entire message.

thanx
Anders

<ProvisioningInitializationResponse
      Attestation="NxcMqBJGQi...hcKoS2wPQm7rvRc="
      ClientTime="2013-07-09T18:13:52+02:00"
      ID="C-13fc435e15fe1f9c7534beb0a08"
      ServerSessionID="S-13fc435e0099bb7345b0bf57a85"
      ServerTime="2013-07-09T18:13:52+02:00"
      xmlns="http://xmlns.webpki.org/keygen2/beta/20121228#"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:ds11="http://www.w3.org/2009/xmldsig11#">
    <ClientEphemeralKey>
        <ds11:ECKeyValue>
            <ds11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>
            <ds11:PublicKey>BEdD3W6GslfY/AVEkRTD8MqT2R24iYnb+qvs2zP8PWXfecMNioEYR5P1VWPnKLPbRm1JMWPNrgBcTrBPebJ0eKc=</ds11:PublicKey>
        </ds11:ECKeyValue>
    </ClientEphemeralKey>
    <DeviceCertificatePath>
        <ds:X509Data>
            <ds:X509Certificate>MIIC2DCCAcCgAwIBAg...xtVD5cD1Gcn7KNdcJfLt</ds:X509Certificate>
        </ds:X509Data>
    </DeviceCertificatePath>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
            <ds:Reference URI="#C-13fc435e15fe1f9c7534beb0a08">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>bQymGISGazFazPrSFcl45YrUBYPzF1sZ1O+29zpfx+w=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ZN1QM20uWIfHd4rloiqtQqRRf6jAgifcFlzNxqlnk84=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>derived-session-key</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
</ProvisioningInitializationResponse>