IETF Logo Mail Archive

Re: [jose] Reducing the size of JWS payloads

Anthony Nadalin <tonynad@microsoft.com> Thu, 20 December 2012 18:08 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7546B21F8473 for <jose@ietfa.amsl.com>; Thu, 20 Dec 2012 10:08:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.784
X-Spam-Level: *
X-Spam-Status: No, score=1.784 tagged_above=-999 required=5 tests=[AWL=1.250, BAYES_00=-2.599, BODY_ENHANCEMENT2=0.001, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nr93V75AZnSc for <jose@ietfa.amsl.com>; Thu, 20 Dec 2012 10:08:39 -0800 (PST)
Received: from NA01-BY2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.28]) by ietfa.amsl.com (Postfix) with ESMTP id 62F3D21F8419 for <jose@ietf.org>; Thu, 20 Dec 2012 10:08:39 -0800 (PST)
Received: from BL2FFO11FD006.protection.gbl (10.173.161.202) by BL2FFO11HUB017.protection.gbl (10.173.160.109) with Microsoft SMTP Server (TLS) id 15.0.586.12; Thu, 20 Dec 2012 18:08:36 +0000
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD006.mail.protection.outlook.com (10.173.161.2) with Microsoft SMTP Server (TLS) id 15.0.586.12 via Frontend Transport; Thu, 20 Dec 2012 18:08:35 +0000
Received: from va3outboundpool.messaging.microsoft.com (157.54.51.81) by mail.microsoft.com (157.54.80.67) with Microsoft SMTP Server (TLS) id 14.2.318.3; Thu, 20 Dec 2012 18:08:14 +0000
Received: from mail187-va3-R.bigfish.com (10.7.14.253) by VA3EHSOBE008.bigfish.com (10.7.40.28) with Microsoft SMTP Server id 14.1.225.23; Thu, 20 Dec 2012 18:07:08 +0000
Received: from mail187-va3 (localhost [127.0.0.1]) by mail187-va3-R.bigfish.com (Postfix) with ESMTP id 0B8AA32015B for <jose@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 20 Dec 2012 18:07:08 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -20
X-BigFish: PS-20(zz98dI9371Id6eah148cI542I1432Izz1de0h1202h1e76h1d1ah1d2ah1082kzz1033IL17326ah8275bh8275dhz31h2a8h668h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h9a9j1155h)
Received-SPF: softfail (mail187-va3: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT003.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB041; LANG:en;
Received: from mail187-va3 (localhost.localdomain [127.0.0.1]) by mail187-va3 (MessageSwitch) id 1356026825675612_17501; Thu, 20 Dec 2012 18:07:05 +0000 (UTC)
Received: from VA3EHSMHS024.bigfish.com (unknown [10.7.14.254]) by mail187-va3.bigfish.com (Postfix) with ESMTP id 8C47640091; Thu, 20 Dec 2012 18:07:05 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com (157.56.240.21) by VA3EHSMHS024.bigfish.com (10.7.99.34) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 20 Dec 2012 18:07:05 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BL2PRD0310HT003.namprd03.prod.outlook.com (10.255.97.38) with Microsoft SMTP Server (TLS) id 14.16.245.2; Thu, 20 Dec 2012 18:07:05 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) with Microsoft SMTP Server (TLS) id 15.0.586.12; Thu, 20 Dec 2012 18:06:53 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.7.160]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.7.160]) with mapi id 15.00.0586.000; Thu, 20 Dec 2012 18:06:53 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [jose] Reducing the size of JWS payloads
Thread-Index: Ac3dkDn1ScBaTFOCSwGyAjfBe1wGHgAAqR2AAAQEvdAAGR1xAAA1UCtQ
Date: Thu, 20 Dec 2012 18:06:52 +0000
Message-ID: <ed0af5bc3f9846c9b014eb1dabf53a5c@BY2PR03MB041.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B16804296739436696B341@TK5EX14MBXC283.redmond.corp.microsoft.com> <A96543D2-9380-4191-89AD-6A896B461938@gmail.com> <79f178fcdba34e6ea83635761d795178@BY2PR03MB041.namprd03.prod.outlook.com> <9F135913-1D88-4842-B51E-C584D4510BF9@gmail.com>
In-Reply-To: <9F135913-1D88-4842-B51E-C584D4510BF9@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [50.46.126.7]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PRD0310HT003.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC107.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC107.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464002)(52604002)(377454001)(51704002)(24454001)(23726001)(51856001)(54356001)(59766001)(550184003)(54316002)(46406002)(6806001)(15202345001)(56776001)(31966008)(44976002)(33646001)(77982001)(74662001)(74502001)(47446002)(56816002)(49866001)(5343655001)(47736001)(16676001)(50466001)(4396001)(76482001)(50986001)(46102001)(47776002)(5343635001)(53806001)(47976001)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB017; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 07013D7479
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Reducing the size of JWS payloads
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 18:08:40 -0000

Your defining a new algorithm and not allowing ability to use others that may prefer the integrity check

-----Original Message-----
From: Dick Hardt [mailto:dick.hardt@gmail.com] 
Sent: Wednesday, December 19, 2012 8:39 AM
To: Anthony Nadalin
Cc: Dick Hardt; Mike Jones; jose@ietf.org
Subject: Re: [jose] Reducing the size of JWS payloads

What "flexability" does it not allow?

Seems more flexible to me. 

On Dec 18, 2012, at 8:42 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> This forces a specific way and does not allow the flexability
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt
> Sent: Tuesday, December 18, 2012 6:45 PM
> To: Mike Jones
> Cc: jose@ietf.org; Dick Hardt
> Subject: Re: [jose] Reducing the size of JWS payloads
> 
> Hi Mike
> 
> Thanks for bringing this up again. 
> 
> An alternative approach I proposed was to have both the encryption and signing information in one header, and to use the signing signature to ensure integrity instead of having a separate encryption integrity check. This would reduce the size of the token by the size of the integrity value +1 bytes, as well as reduce the processing.
> 
> Given that header properties are overloaded now (they have different meanings depending on being a JWE or JWS, we could put the encryption header values into a sub object in the header. Perhaps call that 'enc'.
> 
> -- Dick
> 
> The process below has 
> On Dec 18, 2012, at 6:26 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
>> I've noticed that more than one person has expressed a desire to reduce the size of JWS payloads before signing.  This especially comes up when nested encryption and signing is being performed.  This note contains a quantitative evaluation of some possible methods of reducing JWS payload size and asks for working group input based upon the data.
>> 
>> Dick proposed one method below - have a header parameter to say that the payload is already URL-safe and that base64url encoding is not to be performed.  Another way that people have proposed is to allow the use of the "zip" parameter to compress the JWS payload before base64url encoding.  To get some initial data on how the solutions compare, I tried both methods using the sample JWE value in http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-07#appendix-A.2 as the JWS payload.
>> 
>> CURRENT SITUATION:  The JWE is 526 characters in length.  Currently, when used as a JWS payload, base64url encoding it would increase its size to 702 characters - an increase of 33% or 176 characters.
>> 
>> AVOIDING DOUBLE BASE64URL ENCODING:  If we used a header parameter "b64":false to indicate that no additional base64url encoding is to be performed, the payload would be 176 characters smaller than the current situation.  The encoded header size would increase by 16 characters - the number of characters needed to base64url encode this header parameter value and a comma, for a net decrease in size of 160 characters.  (Yes, parsing the three pieces would be slightly more difficult.)
>> 
>> APPLYING DEFLATE TO THE PAYLOAD:  Believe it or not, using DEFLATE on this input results in a LARGER output - 536 bytes or a net increase of 10 bytes.  If you think about it, this isn't too surprising, as the encrypted data should contain no usable predictability/redundancy.  Base64url encoding these 536 bytes results in a 715 character payload - an increase of 189 characters or 36%.  Plus, adding "zip":"DEF" to the header adds 16 characters, for a total increase of 29 characters over the current situation.  Clearly a suboptimal choice!
>> 
>> CONCLUSION:  Clearly, if we're going to enable reduction of the size of JWS payloads, avoiding the double base64url encoding is preferable to zip, which actually makes things worse.
>> 
>> QUESTION TO WORKING GROUP:  I'm curious whether people would like to see us enable avoiding double base64encoding of JWS payloads when they are already URL-safe.  The space savings are significant; they come at the cost of the JWS parsing becoming [part before first period . part between first and last period . part after last period] rather than the current [part before first period . part between first and second period . part after second period (with no other periods allowed)].  Opinions?
>> 
>> 				-- Mike
>> 
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt
>> Sent: Monday, October 29, 2012 8:57 AM
>> To: jose@ietf.org
>> Subject: [jose] signing an existing JWT
>> 
>> 
>> Let's say we have created a JWE as such:
>> 	
>> 	headerOne.encryptedKeyOne.initializationVectorOne.ciphertextOne.integritityVectorOne
>> 
>> This is now the payload to a JWS. Rather than increasing the token size by 4/3 by URL safe base 64 encoding the payload (since it is already URL safe), it would be useful to have a JWS header parameter that indicates the payload was not re-encoded and does not need to be URL safe base 64 decoded.
>> 
>> As there are more periods than expected in a JWS, decoding would ignore all periods except the first and last one for separating out the header, payload and signature.
>> 
>> The indicating parameter would seem to be either "tip" or "cty". I'm still confused about the difference between the two parameters, so not sure which one is appropriate.
>> 
>> -- Dick
>> 
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
> 
> 
>

v2.23.0 | Report a Bug | By Email