[OAUTH-WG] FW: [Teep] Fwd: Side-meeting: Canonical JSON, Signed REST

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 27 March 2019 11:11 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: oauth <oauth@ietf.org>
Thread-Topic: [Teep] Fwd: Side-meeting: Canonical JSON, Signed REST
Date: Wed, 27 Mar 2019 11:11:19 +0000
Message-ID: <VI1PR0801MB21126D2644CD126EEFA90126FA580@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <4944d01f-4565-9688-8833-1c8b287c6ae0@gmail.com> <5e1c4ee8-0e8f-d1b7-2fca-759d2aaadb45@gmail.com>
In-Reply-To: <5e1c4ee8-0e8f-d1b7-2fca-759d2aaadb45@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yLJpLv0I27laeQ3ESthYjo9ZCbw>
Subject: [OAUTH-WG] FW: [Teep] Fwd: Side-meeting: Canonical JSON, Signed REST

This may also be of interest to the folks in OAuth.

-------- Forwarded Message --------
Subject: Side-meeting: Canonical JSON, Signed REST
Date: Wed, 27 Mar 2019 06:52:39 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: 104Attendees <104attendees@ietf.org>

Wednesday 14-15 in Paris.

My presentations at IETF-104 couldn't go into details, so here are some additional facts and motivations.

The lack of canonicalized JSON has had quite practical implications in IETF security protocols, like in this one:

https://tools.ietf.org/html/draft-ietf-teep-opentrustprotocol-02

    "The top element "<name>[Signed][Request|Response]" cannot be fully
     trusted to match the content because it doesn't participate in the
     signature generation.  However, a recipient can always match it with
     the value associated with the property "payload".  It purely serves
     to provide a quick reference for reading and method invocation"

That is, the TEEP folks were forced to add a redundant (and IMO pretty ugly) JSON layer in order to tag objects, since the JWS signature scheme dresses the payload in Base64Url.  This scheme also introduces an additional validation step.

This is sort of the opposite of my own work in this space, where canonicalization is also applied to the JWS container itself (aka clear text signatures).  Here is an example from "Saturn":

    {
        "requestHash": {
            "alg": "S256",
            "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"
        },
        "domainName": "demomerchant.com",
        "paymentMethod": "https://bankdirect.net",
        "accountId": "8645-7800239403",
        "timeStamp": "2019-03-23T10:33:02+01:00",
        "signature": {
            "alg": "ES256",
            "jwk": {
                "kty": "EC",
                "crv": "P-256",
                "x": "rQ4WXMB6_wQKHSiY_mbJ4QkGpfWLssF7hvIiiFpDEx8",
                "y": "Fh2rl0LGTtvaomOuhuRNo9Drz9o0--WXV2ITvdVQFRY"
            },
            "val": "j2LL9pr2RyrPxvFlj8IzMhno5vvgGIgf2xi23dA5u_XwjYlIvT9qwIVKaCKYwjb26J5mMUL5zV02lqQGjZRClw"
        }
    }
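As an added illustration (not Anders' or Saturn's code), the clear text signature mechanics in Python: the signature's "val" property is removed, everything else in the object, including the signature container with its "alg", is canonicalized (sorted keys, no whitespace, in the style of JCS) and signed, so no Base64Url wrapping or outer tagging layer is needed. The assumption that the signature covers all properties except "val" follows JSF conventions rather than anything stated in the mail; HS256 with a constructed key stands in for the ES256/JWK of the example so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): HS256 stands in for the ES256/JWK of the
# Saturn example so that the block runs with the standard library only.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonicalize(obj) -> bytes:
    # JCS-style form: sorted keys, no insignificant whitespace, UTF-8 unescaped.
    # Number-formatting edge cases of RFC 8785 are out of scope here.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sign(obj: dict, key: bytes) -> dict:
    signed = json.loads(json.dumps(obj))           # deep copy; input untouched
    signed["signature"] = {"alg": "HS256"}          # container minus "val" is covered
    mac = hmac.new(key, canonicalize(signed), hashlib.sha256).digest()
    signed["signature"]["val"] = b64url(mac)
    return signed

def verify(obj: dict, key: bytes) -> bool:
    candidate = json.loads(json.dumps(obj))
    sig = candidate.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HS256" or "val" not in sig:
        return False
    presented = sig.pop("val")                      # every other property is signed
    expected = b64url(hmac.new(key, canonicalize(candidate), hashlib.sha256).digest())
    return hmac.compare_digest(presented, expected)

# Constructed request in the shape of the Saturn example above.
REQUEST = {"requestHash": {"alg": "S256", "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"},
           "domainName": "demomerchant.com", "paymentMethod": "https://bankdirect.net",
           "accountId": "8645-7800239403", "timeStamp": "2019-03-23T10:33:02+01:00"}

def reserialized(signed: dict) -> dict:
    # Pretty-printed with reversed key order, as a proxy or logger might re-emit it.
    return json.loads(json.dumps(dict(reversed(list(signed.items()))), indent=2))

def tampered(signed: dict) -> dict:
    altered = json.loads(json.dumps(signed))
    altered["accountId"] = "0000-0000000000"
    return altered
```

Reserializing the signed object (whitespace, key order) still verifies, while changing any property, including the signature container's own "alg", does not.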

A recent proposal addressing Signed/JSON/REST, since this apparently is still missing:
https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00
https://datatracker.ietf.org/meeting/104/materials/slides-104-hotrfc-3-signed-http-requests-shreq-00

Bring your rotten tomatoes if you want :-)

Cheers,
Anders
