Re: [jose] Canonical JSON form

Bret Jordan <jordan.ietf@gmail.com> Thu, 11 October 2018 14:40 UTC

Return-Path: <jordan.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D41F4130E9E for <jose@ietfa.amsl.com>; Thu, 11 Oct 2018 07:40:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-aApinPBw8S for <jose@ietfa.amsl.com>; Thu, 11 Oct 2018 07:40:54 -0700 (PDT)
Received: from mail-yw1-xc2c.google.com (mail-yw1-xc2c.google.com [IPv6:2607:f8b0:4864:20::c2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD5D6126CC7 for <jose@ietf.org>; Thu, 11 Oct 2018 07:40:48 -0700 (PDT)
Received: by mail-yw1-xc2c.google.com with SMTP id v1-v6so3671606ywv.6 for <jose@ietf.org>; Thu, 11 Oct 2018 07:40:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=mHuktTF5YUdXQY/UqIIXx2vM8upFAWnK8FeJsv+xzS8=; b=JUsKRYB0A91/UeBjIXzQDMjW9x2xbKscNUIq+cqZ1nh+mjWHYlZKPApTWQ3835FsPD DPfvkCKWkLG8dqtt5rw4t/PtUMhTxdDGvO4KWLdInyRNf4A7p6RnMjHWNW+7Eo2bEEG+ u8yrH1MXu395ngXkag3d+OHUQ4jzeDyd7PHVQNERRwiKsn8FboS5vEDeAFNkCK4NSF3r yboD6Gae4lg/DW5P84DpZcucFahlJbXADCrycpHYsrSoRJBe9fTZQ+UHXwLLR6rwoG9I J6rnHmq0E3+Yg5MzjR1sidpr7UYBn+aR2tfnFNhj9WtQP2ksdA9nAXFgUZzAqhjICfMl fEYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=mHuktTF5YUdXQY/UqIIXx2vM8upFAWnK8FeJsv+xzS8=; b=PUFQh3VAdczPLyGu+Ruphd6jrUsQu89MiHmaBAxpgzI9V/K5FmsYsofZbEuOA8e28b SBH9WUq4VCun3QCuqwMbN9tSH7voqJLT76aSojfwNipDS5OtdQvcOneeYVYBlCS1rbRg y+pmEyuvPv0SsHJHXXZQ4ZXDtJsp99Sx4F60mwrQAWQKbUDMohOQr8Dt6lGMXmV8yp9E vQs89nYTvfNCwGej0IwFDF6TI0iOLkmS7CWH/ooMY2ixty8Nea9KYZAkcJeXTj+75WB6 KkvJdyN4PUY4Be8XV1CpNFZKURkLvwVVyl6NGL51JRG39ZsJiiDEePhb+3PQANb9vQdd 7K2g==
X-Gm-Message-State: ABuFfoh1uIjJMStstn8q0YvOvKDBNSEmymxv53NYl+RoObZsyASBSOrk 3EHuQxrLCr1jwZ+Nk6TUYO4=
X-Google-Smtp-Source: ACcGV62YFNT+8j1dUGub+Pahi4dMYVOC3vKCfH6vCNGqx2xqtdtxKUt1fs9WZsoXS+RQPdylsHjYZA==
X-Received: by 2002:a81:5489:: with SMTP id i131-v6mr985428ywb.87.1539268847655; Thu, 11 Oct 2018 07:40:47 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:7534:8ac9:bb4c:ce9d? ([2605:a601:3260:266:7534:8ac9:bb4c:ce9d]) by smtp.gmail.com with ESMTPSA id s3-v6sm11098071ywc.72.2018.10.11.07.40.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Oct 2018 07:40:46 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <B3FE522D-ACD0-4AF9-89FD-E29E7BF84FDE@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_27BC8545-66B3-423F-B814-ED4D8E69AB19"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 11 Oct 2018 08:40:41 -0600
In-Reply-To: <CAF2hCbZU51q4RMrbNW+9HnsmH8XDVHkYR3at6LXLz1z6Lu1gOA@mail.gmail.com>
Cc: neil.madden@forgerock.com, Jim Schaad <ietf@augustcellars.com>, npmccallum@redhat.com, jose@ietf.org
To: Samuel Erdtman <samuel@erdtman.se>
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com> <00ad01d460f4$69ae8a00$3d0b9e00$@augustcellars.com> <8436AEE7-B25A-4538-B8F6-16D558D9A504@gmail.com> <69EB3C20-0863-4D00-948B-989EB69D67CD@forgerock.com> <CAF2hCbZU51q4RMrbNW+9HnsmH8XDVHkYR3at6LXLz1z6Lu1gOA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/z5bQDv492GmLOy4RFZ8nlkxL6Ec>
Subject: Re: [jose] Canonical JSON form
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Oct 2018 14:40:57 -0000

There is a lot of value that the market could gain from something like this.  I think it would be great if we could do this work here in the IETF.  I for one would be willing to spend some time on it if we can somehow get the work kickstarted.  

I know of several large projects (most outside the IETF, but one is an upcoming IETF project) that need this for their solutions. For the IETF one, we will be hosting a WebEx to talk through it on the 24th, see the CACAO mailing list if you are interested. 

Things that I see we need to figure out are:

1) Canonicalization of JSON to enable round-tripping 

2) Ability to sign JSON string data

3) Ability to have JSON signatures located in the content themselves with nested signatures and partial tree signatures



Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 11, 2018, at 12:44 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
> 
> I for one think this is interesting.
> 
> I have published two implementations of the draft James mentions, draft-rundgren-json-canonicalization-scheme <https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme>, (Java <https://search.maven.org/artifact/io.github.erdtman/java-json-canonicalization/1.1/jar> and JavaScript <https://www.npmjs.com/package/canonicalize>) and I know Anders (the author of the draft) has implementations in .NET and Python too (all working well together).
> 
> The I have my self been part in writing a draft that uses this canonicalization mechanism to create signed cleartext JSON (draft-erdtman-jose-cleartext-jws <https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-01>). I have ported a JavaScript JOSE implementation to this new schema without any issues and Anders has at least a Java implementation.
> 
> Finally there was a resent conversation about this subject on the OAuth mailing-list <https://mailarchive.ietf.org/arch/msg/oauth/YL29UE_gNj73mChXTr9FgkCF5Kg> recently.
> 
> Best regards
> //Samuel
> 
> 
> On Thu, Oct 11, 2018 at 7:33 AM Neil Madden <neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote:
> 
> > On 11 Oct 2018, at 01:02, Bret Jordan <jordan.ietf@gmail.com <mailto:jordan.ietf@gmail.com>> wrote:
> > 
> >> 
> >> Other implementations say that you should preserver the order of the fields you read when serialized which is part of JSON for the browser implementations but not necessarily elsewhere.
> > 
> > Preserving order is hard.  Depending on your programming language you might be deserializing the content in to a struct or you may be using a map. 
> > 
> > What I need is a way for individuals and organizations to be able to pass around and share JSON data and collaboratively work on that JSON data and sign the parts that they have done. 
> 
> Have you considered Git with PGP-signed commits? It solves this use-case extremely well.
> 
> — Neil
> _______________________________________________
> jose mailing list
> jose@ietf.org <mailto:jose@ietf.org>
> https://www.ietf.org/mailman/listinfo/jose <https://www.ietf.org/mailman/listinfo/jose>