Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
Mike Jones <Michael.Jones@microsoft.com> Tue, 26 June 2012 22:04 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>, Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 26 Jun 2012 22:03:25 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366569B1D@TK5EX14MBXC283.redmond.corp.microsoft.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt
http://tools.ietf.org/html/draft-jones-json-web-signature-json-serialization-01 is an existence proof that it's not hard to sign the parameters and have multiple signatures.

-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard L. Barnes
Sent: Tuesday, June 26, 2012 10:46 AM
To: Brian Campbell
Cc: John Bradley; jose@ietf.org
Subject: Re: [jose] New Version Notification for draft-barnes-jose-jsms-00.txt

I agree with that goal!  I disagree that JWS is a good solution.  It is true that JWS provides a relatively simple mechanism for a single signature, but:
1. It could be simpler (see below)
2. JWS header protection is useless for the single-signature case, and makes the multiple-signature/recipient case harder

--Richard

On Jun 26, 2012, at 12:16 PM, Brian Campbell wrote:

> I wasn't suggesting that integrity-protecting the header itself makes
> things simpler. Rather that a desirable goal is for support of a
> relatively simple model utilizing a single signature over the whole
> message. And that we already have that in JWS.
>
> On Mon, Jun 25, 2012 at 3:55 PM, Richard L. Barnes <rbarnes@bbn.com> wrote:
>>
>> On Jun 25, 2012, at 5:53 PM, Richard L. Barnes wrote:
>>
>>>>> I think part of this is that as one of the openID Connect authors I look at this as a necessary security token format, for OAuth and Connect.
>>>>> For that simple processing with one signature is a high priority for adoption.
>>>>
>>>> +1.
>>>>
>>>> A simple JSON friendly model supporting a single signature over the
>>>> entire message (including headers) is an important case for
>>>> adoption (and security). JWS provides that now and there are
>>>> already numerous interoperable JWS implementations available or in the works.
>>>
>>> I'm not sure how people think that integrity-protecting the header makes things *simpler*, especially since it adds a whole new decoding step and makes the parsing more complicated.
>>>
>>> Pseudocode without integrity protection (assuming JSMS format, but JWS could be made to look similar):
>>> function verify(json) {
>>>   jose = JSON.parse(json);
>>>   // Check algorithm values
>>>   return Crypto.SignatureAlgorithm.verify(jose.content,
>>>     jose.keys[0].signature, jose.keys[0].key);
>>> }
>>>
>>> Pseudocode with integrity protection (assuming JWS format):
>>> function verify(jws) {
>>>   (txtHeader, content, signature) = jws.split("\.");
>>>   protectedBody = header + "." + content
>>>   jsonHeader = base64url.decode(txtHeader);
>>>   header = JSON.parse(jsonHeader);
>>>   return Crypto.SignatureAlgorithm.verify(content, signature,
>>>     header.jwk);
>>> }
>>>
>>
>> Err, sorry, that should read:
>> protectedBody = txtHeader + "." + content; and
>> return Crypto.SignatureAlgorithm.verify(protectedBody, signature,
>>   header.jwk);
>>
>> See how hard it is to get right? :)
>>
>> --Richard
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose