IETF Logo Mail Archive

Re: [Json-canon] [EXT] Re: Support for a WG

Samuel Erdtman <samuel@erdtman.se> Thu, 24 January 2019 07:13 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: json-canon@ietfa.amsl.com
Delivered-To: json-canon@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48F1B1310D5 for <json-canon@ietfa.amsl.com>; Wed, 23 Jan 2019 23:13:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.04
X-Spam-Level:
X-Spam-Status: No, score=-2.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I1hX8rHHJava for <json-canon@ietfa.amsl.com>; Wed, 23 Jan 2019 23:13:41 -0800 (PST)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 923C4130EA9 for <json-canon@ietf.org>; Wed, 23 Jan 2019 23:13:41 -0800 (PST)
Received: by mail-pg1-x535.google.com with SMTP id n2so2284214pgm.3 for <json-canon@ietf.org>; Wed, 23 Jan 2019 23:13:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZX3SCeTmdnwi9QfXQ7RH4oAOdaKxWlrOIr22AYGEwZY=; b=AMUh/n/qd5YL9wp8DBTyklqaOLq3VqjFSOp+IUzAmcrM/qJBU7M5M7FejjQEVOeeTz ChYHZS/i0LqXznKcn5RGGR8sDMNJy/Qu6Gp/iOJ3m8xkOxmCPfALeeGm/M/wEmzZ+TBi S1JKfTCkIK84JKK9k9RyD9OGpxwLgsdt/0CM7skGEoWJ4p2SPOD0B8an3ISNiifCbgMl J/HqNE5kloon+W55DiegSdtnnaJJ9o0X6lAjRHOhlARhw19zcaIZ3tvwPaPNV+w2d/Da elJtJspcqxHp+Exf9MNFm34IZYJrm6d4SsrzRXgBI8BqbZh0a3ixP3JdMs1szLY9OsCx /6pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZX3SCeTmdnwi9QfXQ7RH4oAOdaKxWlrOIr22AYGEwZY=; b=rDvM5yjxr5M6XrBB/O1N6LzfPGQstQY0OJHpJ3Z+niAC2BMb2Amts+r/hQcedoyioH Sdmnup6WOwKV43/9W3MdZT5Yk05U1Ywgyp16MIxNsea79cCvefy9dikc1OZ4U3aXuY0D AAc5zaWhlw63pi8ROV11LY77EqttvCgTF6IXHf7SKqYzzWhVAas54WyfxdNjh+d9wght /O//S/3gBpPoDvc4oTZ0LvRqbfd2Py5rzX4Qp8dDIeCK54A2NblKj+ZcthBsPtVEFZ3D lUVAWqtFu3RFGZk4TkI9VeC+odUjL+mXJBBz63B/htTeP0L9aejJcwFo5/bCmz1F29wh uycQ==
X-Gm-Message-State: AJcUukd9g81KrBCxGEeX3Vc7GYTmW1cTngguIA16Wohu37Jz8SYmXdzx P2qlC+Ofk6cTe9UupaztWK5jSt93VuxJ4ggmiJWuYydbKrr0/1AG
X-Google-Smtp-Source: ALg8bN5vwxkdBpjc2glbFkH/FzqjSnF7frVSusFiEudlTdyerzAJB8+4GrmGPlfz/FLTOX/286tKurSMI2oXv2nrj64=
X-Received: by 2002:a62:2292:: with SMTP id p18mr5481617pfj.9.1548314020929; Wed, 23 Jan 2019 23:13:40 -0800 (PST)
MIME-Version: 1.0
References: <38C84459-3D2E-4E78-BF48-FE277388E33A@contoso.com> <21415_1547794000_5C417650_21415_473_1_34A23FAA-C8F5-40E3-8358-FD42C5F78126@tzi.org> <60B977A0-0958-4DDF-A666-A44F074E5946@mitre.org> <E7B44CE8-CE81-4AB3-9665-12D1A52FD9C5@lookingglasscyber.com> <CAF2hCbYSDsPf6p56i1uhSBZZQv7jgLdCQGqHmsVi+nzbW3_46A@mail.gmail.com> <866D8EB8-49F6-4353-B502-F3337ACDBF61@lookingglasscyber.com> <CAF2hCbZCxCL7CxtFWYwp-hwEio_PQev=jFgX9K_7NQneNLMzXQ@mail.gmail.com>
In-Reply-To: <CAF2hCbZCxCL7CxtFWYwp-hwEio_PQev=jFgX9K_7NQneNLMzXQ@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 24 Jan 2019 08:13:29 +0100
Message-ID: <CAF2hCbZ1DHGd=NQLHekGn7q-8nYpdUn3LRdATTT3wBr=rf4H7A@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: "Struse, Richard J." <rjs@mitre.org>, "json-canon@ietf.org" <json-canon@ietf.org>, Allan Thomson <athomson@lookingglasscyber.com>
Content-Type: multipart/alternative; boundary="00000000000038166305802ef3a5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/json-canon/ugh5WohE3dXyHu1kOIDxf-bLXcI>
Subject: Re: [Json-canon] [EXT] Re: Support for a WG
X-BeenThere: json-canon@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Canonicalization <json-canon.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json-canon>, <mailto:json-canon-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json-canon/>
List-Post: <mailto:json-canon@ietf.org>
List-Help: <mailto:json-canon-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json-canon>, <mailto:json-canon-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 07:13:44 -0000

Carsten, Here comes a few another concrete example where canonical JSON
would be beneficial (not an absolute need).

Open Banking (
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/5785171/Account+and+Transaction+API+Specification+-+v1.1.0#AccountandTransactionAPISpecification-v1.1.0-Processforsigningapayload
)
In this case RFC 7797 is used to keep the payload separated form the
signature and headers.
If you look at the processing steps the HTTP body (josn) is Base64 encoded
and used as payload for the JWS calculation, it is however not the base64
encoded payload that is sent in the HTTP body but the cleartext json (as
can be seen in the verification steps). This is a workable but brittle
solution. With a canonical JOSN format this solution could be made stable.
(I have no personal contact with this group so I do not know if they
formally would be interested, but it is a case here cleartext JSON is
signed)

Then there are the TEEP usecase (
https://tools.ietf.org/id/draft-ietf-teep-opentrustprotocol)
In this case JOSE is used and there is several layers of signing (and
encryption) being done, since the payload is always base64 encode and then
wrapped the messages becomes very opaque. So to me they have a workable
solution but would benefit from canonical JOSN in combination with RFC
7797. (Once again I have no personal contact with this group so I do not
know if they formally would be interested)

Then there is the Signing HTTP Messages case (
https://tools.ietf.org/html/draft-cavage-http-signatures)
This one is a bit more far fetched, but instead of defining how to
canonicalize the HTTP headers they could do a simple mapping form https
headers to JOSN and have it canonicalized and then signed using RFC 7797.
(Once again I have no personal contact with this group so I do not know if
they formally would be interested)

Best regards
//Samuel




On Thu, Jan 24, 2019 at 7:17 AM Samuel Erdtman <samuel@erdtman.se> wrote:

> Thanks for the followup Allan.
>
> In my opinion the application layer schemas for defining what the JSON can
> look like (optional values different values meaning the same thing etc),
> should be verified by application layer. I would like to keep the
> canonicalization (and potential signatures) at the level where they say the
> JSON has not changed.
>
> When it comes to empty empty values I think those are values too, they
> might convey some meaning to the application layer.and with empty I mean
> {"empty": ""}. And since I do not want the canonicalization to be involved
> with application level details optional attributes are not a concept.
>
> Does that make sense?
>
> Cheers
> //Samuel
>
>
>
>
>
> On Tue, Jan 22, 2019 at 5:47 PM Allan Thomson <
> athomson@lookingglasscyber.com> wrote:
>
>> I’m not sure how you can create a consistent hash value without
>> considering how empty/optional fields in a JSON structure are treated
>> consistently across implementations.
>>
>>
>>
>> So if the same optional/empty fields exist from 2 different
>> vendors/instances then do they end up with the same hash?
>>
>>
>>
>> Allan
>>
>>
>>
>> *From: *Samuel Erdtman <samuel@erdtman.se>
>> *Date: *Tuesday, January 22, 2019 at 8:37 AM
>> *To: *Allan Thomson <athomson@lookingglasscyber.com>
>> *Cc: *"Struse, Richard J." <rjs@mitre.org>, Carsten Bormann <cabo@tzi.org>,
>> "json-canon@ietf.org" <json-canon@ietf.org>
>> *Subject: *Re: [Json-canon] [EXT] Re: Support for a WG
>>
>>
>>
>> I do not think we should go into schemas, that is one of the things that
>> makes XMLDigSig inconvenient. But instead keep to simple JSON stringifying
>> with predictable result.
>>
>> On Tue, 22 Jan 2019 at 16:19, Allan Thomson <
>> athomson@lookingglasscyber.com> wrote:
>>
>> Particularly important in what Rich says is also is to ensure the same
>> hash is created where those JSON objects have optional or empty/missing
>> properties that are defined in the schema of the object.
>>
>> Regards
>>
>> Allan
>>
>> On 1/22/19, 4:31 AM, "json-canon on behalf of Struse, Richard J." <
>> json-canon-bounces@ietf.org on behalf of rjs@mitre.org> wrote:
>>
>>     The use case is to enable other standards that use a JSON
>> serialization to be able to count on two objects, each with the same
>> contents, having the same hash value based on their representation in JSON.
>>
>>     Does that help?
>>
>>     On 1/18/19, 1:47 AM, "Carsten Bormann" <cabo@tzi.org> wrote:
>>
>>         On Jan 18, 2019, at 03:50, Struse, Richard J. <rjs@mitre.org>
>> wrote:
>>         >
>>         > A standardized deterministic canonicalization of JSON data
>> streams is essential
>>
>>         For what?
>>
>>         I think we would all benefit if you could explain your use case.
>>
>>         Grüße, Carsten
>>
>>
>>
>>     --
>>     json-canon mailing list
>>     json-canon@ietf.org
>>     https://www.ietf.org/mailman/listinfo/json-canon
>>
>>
>> --
>> json-canon mailing list
>> json-canon@ietf.org
>> https://www.ietf.org/mailman/listinfo/json-canon
>>
>>

v2.23.0 | Report a Bug | By Email