IETF Logo Mail Archive

Re: [Json-canon] [EXT] Re: Support for a WG

Carsten Bormann <cabo@tzi.org> Wed, 23 January 2019 12:23 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: json-canon@ietfa.amsl.com
Delivered-To: json-canon@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1214512DF71 for <json-canon@ietfa.amsl.com>; Wed, 23 Jan 2019 04:23:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KLVXXdjvupO4 for <json-canon@ietfa.amsl.com>; Wed, 23 Jan 2019 04:23:00 -0800 (PST)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDF8D128CE4 for <json-canon@ietf.org>; Wed, 23 Jan 2019 04:22:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost2.informatik.uni-bremen.de [IPv6:2001:638:708:30c8:406a:91ff:fe74:f2b7]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id x0NCMnOi004135; Wed, 23 Jan 2019 13:22:54 +0100 (CET)
Received: from [192.168.217.106] (p54A6CC50.dip0.t-ipconnect.de [84.166.204.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 43l4Dn297jz1Br6; Wed, 23 Jan 2019 13:22:49 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <FA88BB03-ADA7-49EB-AE71-7750BFE71013@gmail.com>
Date: Wed, 23 Jan 2019 13:22:48 +0100
Cc: Richard Struse <rjs@mitre.org>, "json-canon@ietf.org" <json-canon@ietf.org>
X-Mao-Original-Outgoing-Id: 569938966.496702-23d1621dde10c882ad5f4363d5773098
Content-Transfer-Encoding: quoted-printable
Message-Id: <100898B7-CCA6-4B00-895F-AD39AAAEF052@tzi.org>
References: <38C84459-3D2E-4E78-BF48-FE277388E33A@contoso.com> <21415_1547794000_5C417650_21415_473_1_34A23FAA-C8F5-40E3-8358-FD42C5F78126@tzi.org> <60B977A0-0958-4DDF-A666-A44F074E5946@mitre.org> <CBC45241-0BBB-410C-AF8C-9D49C642566B@tzi.org> <00243004-7200-4887-BB46-ED30D03C4545@gmail.com> <40731AB0-9640-4D74-99B3-EC6E7A51850B@tzi.org> <FA88BB03-ADA7-49EB-AE71-7750BFE71013@gmail.com>
To: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/json-canon/Px9noQZRvEvTJ7pNNbfP6hHxdTo>
Subject: Re: [Json-canon] [EXT] Re: Support for a WG
X-BeenThere: json-canon@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Canonicalization <json-canon.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json-canon>, <mailto:json-canon-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json-canon/>
List-Post: <mailto:json-canon@ietf.org>
List-Help: <mailto:json-canon-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json-canon>, <mailto:json-canon-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 12:23:02 -0000

Hi Bret,

> 1) Creating deterministic IDs for STIX Cyber Observables.  

Now that is very concrete!  Thank you.
What would be the best reference I could use to learn how STIX uses JSON?

> 2) Creating digital signatures for JSON objects using the JSON data “as-is”.  

Right, that is one very general use case, but as Allan and I hinted, it may be worth looking at the JSON data in a bit more detail.  Using Richard’s problem statement:

“two objects, each with the same contents, having the same hash value based on their representation in JSON.”

This has this gaping hole what “same contents” actually mean.
So far, I-JSON (RFC 7493) is the closest we have to a specification of the generic data model with which we are using JSON as an interchange format.
Maybe that is all we need, but that remains to be verified — best in the context of the applications that actually have a concept of what “same contents” would be.

So I still think analyzing a few applications would be a good thing before we can claim the generic use case (2) is covered.

Grüße, Carsten


> 
> 
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
> 
>> On Jan 23, 2019, at 11:32 AM, Carsten Bormann <cabo@tzi.org> wrote:
>> 
>> Hi Bret,
>> 
>> I’ve been in your shoes.
>> “It’s not that complicated.”  Yeah.
>> 
>> Allan already hinted at one possible complication.
>> You can of course declare that (very real!) issue out of scope.
>> But that is easier done if we know why we are doing this.
>> 
>> What’s so difficult about actually saying what the use cases are?
>> I’m not trying to suggest there needs to be an RFC that documents every single use case before there can be any work on the solution (I’m saying this because unfortunately we have had process hangups like this before and there simply is no need for this).
>> Instead, this mailing list is a great place to have some discussion on the use cases so the requirements are better understood.
>> “We want this because some people are telling us it’s easy” is not the level of discussion that can help with this.
>> 
>> On the solution side, having a solution but not having a well-understood description of what it does and what it does not is dangerous.  Even more so when some of the use cases have security considerations.
>> 
>> After all, the IETF would not be doing this solution as an ultimate goal — the point is that other protocols can build on top of this solution, and as we want to achieve interoperability (and maintain security), we need to know what the solution does and what requirements it places on its usage to actually achieve its desired properties.
>> 
>> Grüße, Carsten
>> 
>> 
>>> On Jan 23, 2019, at 10:27, Bret Jordan <jordan.ietf@gmail.com> wrote:
>>> 
>>> Carsten,
>>> 
>>> I do not see what the hang up is for doing this. There is a document that proposes a very nice solution.  There are libraries for various programming languages that can do this.  What we need is a standard that people can reference when they want to use it.  At the end of the day people, organizations, vendors, and groups need a way of dealing with white space, ordering, and the JSON Number type in a consistent way.  They do not want to use CBOR, ASN.1, XML, or anything else.  The market wants to use plain and simple JSON. Right now we have various groups and organizations going off and doing their own form of this. It will save a lot of pain if we could just, finally, standardize this. 
>>> 
>>> Lets not make this overly complicated.  Organizations, vendors, other standards, and other working groups want the ability to use JSON “as-is” and perform security operations on that string of data.  To do this, we need a canonical string of data that can be consistently generated.   
>>> 
>>> Thanks,
>>> Bret
>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>> 
>>>> On Jan 22, 2019, at 7:05 PM, Carsten Bormann <cabo@tzi.org> wrote:
>>>> 
>>>> Hi Richard,
>>>> 
>>>>> On Jan 22, 2019, at 13:31, Struse, Richard J. <rjs@mitre.org> wrote:
>>>>> 
>>>>> The use case is to enable other standards that use a JSON serialization to be able to count on two objects, each with the same contents, having the same hash value based on their representation in JSON.
>>>> 
>>>> Well, that is the technical requirement, but what do you use this property for?
>>>> 
>>>> JSON was discovered/presented around 2002 and so far has worked quite well without this property.  What use cases have sprung up that now need it?
>>>> 
>>>> I’m asking because for many use cases I have heard, there actually are better technical approaches than canonicalization.  Having said that, CBOR, a data format defined in 2013, does have recommendations for deterministic encoding (“canonicalization”), which turned out to be useful for instance for test scripts.  One thing we found out quickly is that deterministic encoding is dependent on the application concept of equality, so it is hard to define a single variant of it for a serialization used in multiple applications.  One more reason to find out about use cases.
>>>> 
>>>> Grüße, Carsten
>>>> 
>>>> -- 
>>>> json-canon mailing list
>>>> json-canon@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/json-canon
>>> 
>>> -- 
>>> json-canon mailing list
>>> json-canon@ietf.org
>>> https://www.ietf.org/mailman/listinfo/json-canon
>> 
> 
> -- 
> json-canon mailing list
> json-canon@ietf.org
> https://www.ietf.org/mailman/listinfo/json-canon

v2.23.0 | Report a Bug | By Email