[OAUTH-WG] Signature calculation in JWS JSON Serialization

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 18 March 2014 14:00 UTC

Message-ID: <53285183.6010406@gmail.com>
Date: Tue, 18 Mar 2014 14:00:35 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Y237hDnmw650F_fp2vTwPb7xZi4
Subject: [OAUTH-WG] Signature calculation in JWS JSON Serialization
List-Id: OAUTH WG <oauth.ietf.org>

Hi

It's not clear to me how a signature is calculated in [1].
Specifically, given Protected and Unprotected headers, the text 
recommends that the union of the values referred to as JWS Header is 
signed:

"The Header Parameter values used when creating or validating individual 
signature or MAC values are the union of the two sets of Header 
Parameter values that may be present".

But if so, why differentiate between Protected and Unprotected headers in 
a given signature element?

How do the unprotected header values affect the signature/MAC calculation?

Thanks, Sergey

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-23#section-7.2
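The distinction the message asks about is easiest to see by running it. The following Python is an added example written for this archive page; it is not code from the message or from the JOSE working group. It builds one signature of a JWS JSON Serialization object with HS256 using only the standard library: the JWS Signing Input is ASCII(BASE64URL(UTF8(Protected Header)) || '.' || BASE64URL(Payload)), so only the "protected" member feeds the MAC, while the verifier still merges "protected" and "header" into the union the draft calls the JWS Header when it looks up parameters such as "alg" and "kid". The key, payload and "kid" value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; any HS256 key would do.
KEY = b"demo-shared-secret-for-hs256-only"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(protected_b64: str, payload_b64: str) -> bytes:
    # JWS Signing Input = ASCII(BASE64URL(UTF8(Protected Header)) || '.' || BASE64URL(Payload)).
    # The unprotected header never appears here; if there is no protected
    # header the left-hand part is simply the empty string.
    return f"{protected_b64}.{payload_b64}".encode("ascii")


def sign_json(payload: bytes, protected: dict, unprotected: dict, key: bytes) -> dict:
    """Produce a JWS JSON Serialization object carrying one HS256 signature."""
    if set(protected) & set(unprotected):
        raise ValueError("protected and unprotected header names must be disjoint")
    merged = {**protected, **unprotected}  # the union, i.e. the "JWS Header"
    if merged.get("alg") != "HS256":
        raise ValueError("this demo only implements HS256")
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode()) if protected else ""
    payload_b64 = b64url(payload)
    mac = hmac.new(key, signing_input(protected_b64, payload_b64), hashlib.sha256).digest()
    sig = {"signature": b64url(mac)}
    if protected:
        sig["protected"] = protected_b64
    if unprotected:
        sig["header"] = unprotected
    return {"payload": payload_b64, "signatures": [sig]}


def verify_json(jws: dict, key: bytes) -> list:
    """Verify every signature; returns one (valid, merged_header) pair per signature."""
    results = []
    for sig in jws["signatures"]:
        protected_b64 = sig.get("protected", "")
        protected = json.loads(b64url_decode(protected_b64)) if protected_b64 else {}
        unprotected = sig.get("header", {})
        if set(protected) & set(unprotected):
            results.append((False, {}))
            continue
        merged = {**protected, **unprotected}  # parameters are resolved from the union
        if merged.get("alg") != "HS256":
            results.append((False, merged))
            continue
        expected = hmac.new(key, signing_input(protected_b64, jws["payload"]), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, b64url_decode(sig["signature"]))
        results.append((ok, merged))
    return results


def demo() -> dict:
    payload = b'{"iss":"joe","exp":1300819380}'  # constructed sample payload
    jws = sign_json(payload, {"alg": "HS256"}, {"kid": "2014-03-18"}, KEY)
    original_ok = verify_json(jws, KEY)[0][0]

    # Editing the unprotected header changes the union the verifier sees,
    # but not the signing input, so the MAC still verifies.
    tampered_unprotected = json.loads(json.dumps(jws))
    tampered_unprotected["signatures"][0]["header"]["kid"] = "attacker-chosen"
    unprotected_ok, merged = verify_json(tampered_unprotected, KEY)[0]

    # Editing the protected header changes the signing input, so the MAC fails.
    tampered_protected = json.loads(json.dumps(jws))
    tampered_protected["signatures"][0]["protected"] = b64url(b'{"alg":"HS256","typ":"JWT"}')
    protected_ok = verify_json(tampered_protected, KEY)[0][0]

    return {
        "original_valid": original_ok,
        "unprotected_tamper_still_valid": unprotected_ok,
        "merged_header_seen_by_verifier": merged,
        "protected_tamper_valid": protected_ok,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

So the answer to "how do the unprotected values affect the calculation" is: they do not, which is exactly why they are kept in a separate member. They are read when resolving parameters (here the verifier finds "kid" only through the union), but anyone holding the object can rewrite them without invalidating the signature, so a verifier must treat them as untrusted hints, never as security-relevant decisions; this is also why the final RFC 7515 requires "crit" to appear only in the protected header.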