Re: [KEYPROV] Giving up on XML DSig => JSON

Anders Rundgren, Thu, 29 August 2013 12:27 UTC

On 2013-08-29 13:55, Simon Josefsson wrote:

> You wrote:
Hi Simon,

>>> If the latter, why not JWS?
>> Because JWS is based on in-line signatures of base64-encoded payloads.
>> This would ruin the readability of the already complex KeyGen2
>> protocol and make the switch from XML look bad.
> Why can't you hash the data you want to sign, and then use JWS to sign
> the hash?

Such a thing would still require most of what I have done anyway,
wouldn't it?  I mean, "Reference", canonicalization etc.

Existing JSON parsers probably don't support canonicalization since
this hasn't been an issue until now.  By building-in all that from
the beginning you get a cool and rather smallish system as well.

> Then you get readability and don't have to invent something new.

I actually enjoy inventing new things.  Don't you like my brand new octagonic wheel? :-)

To be a bit more serious: I'm not overly convinced that clinging on
to standards always is the best solution.  I have done my clinging
with XML DSig now and it turned out to be a mistake :-(

It is like PKCS #11 and on-line provisioning; it will never work although
the OASIS PKCS11 TC claims that. Why? Because PKCS #11 wasn't designed for
a remote SO and that is a bit hard to add as an afterthought, not to
mention getting all drivers up-to-date.  IMO - Simply undoable.

> However, your example blob in the PDF is hardly readable, so I
> don't fully follow the argument about readability to begin with.

There are blobs but they at least have labels.

Here is the XML version of KeyGen2:

It is rather pretty (IMO...).  The JSON version will be _almost_
as nice but only use 1/3 as much code (including third-party
libraries and all).


> /Simon
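
Added example, not part of the original message and not KeyGen2 code: the "hash the data, then use JWS to sign the hash" idea from the thread, showing why it still needs a canonicalization step. The field names, the key, and the canonical form (sorted keys, compact separators, UTF-8) are assumptions made for illustration; HS256 is used only because it needs nothing beyond the standard library.

```python
import base64, hashlib, hmac, json

HEADER = b'{"alg":"HS256"}'      # pinned; the verifier accepts nothing else
KEY = b"constructed-demo-key"    # constructed sample key, not a real secret

# Constructed sample messages: same JSON object, different serialization.
ORIGINAL = '{"request":"provision","keyId":"k-001","counter":7}'
REORDERED = '{ "counter": 7,\n  "keyId": "k-001",\n  "request": "provision" }'
TAMPERED = '{"request":"provision","keyId":"k-001","counter":8}'

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonicalize(text: str) -> bytes:
    # Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8.
    # Number formatting is left to Python's defaults (a real scheme must fix it).
    obj = json.loads(text)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def raw_digest(text: str) -> bytes:
    # Hash of the bytes as received: changes with whitespace and key order.
    return hashlib.sha256(text.encode("utf-8")).digest()

def canonical_digest(text: str) -> bytes:
    return hashlib.sha256(canonicalize(text)).digest()

def _mac(signing_input: str, key: bytes) -> str:
    return b64url(hmac.new(key, signing_input.encode("ascii"),
                           hashlib.sha256).digest())

def sign_detached(text: str, key: bytes) -> str:
    # JWS compact serialization whose payload is only the message digest,
    # so the JSON message itself stays readable next to the signature.
    signing_input = b64url(HEADER) + "." + b64url(canonical_digest(text))
    return signing_input + "." + _mac(signing_input, key)

def verify_detached(text: str, jws: str, key: bytes) -> bool:
    parts = jws.split(".")
    if len(parts) != 3 or parts[0] != b64url(HEADER):
        return False
    header, payload, sig = parts
    expected_sig = _mac(header + "." + payload, key)
    if not hmac.compare_digest(expected_sig.encode(), sig.encode()):
        return False
    # The signature is valid; now bind it to the message actually received.
    expected_payload = b64url(canonical_digest(text))
    return hmac.compare_digest(expected_payload.encode(), payload.encode())
```
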