[Teep] Fwd: Side-meeting: Canonical JSON, Signed REST

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 27 March 2019 08:25 UTC

References: <4944d01f-4565-9688-8833-1c8b287c6ae0@gmail.com>
To: "teep@ietf.org" <teep@ietf.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
X-Forwarded-Message-Id: <4944d01f-4565-9688-8833-1c8b287c6ae0@gmail.com>
Message-ID: <5e1c4ee8-0e8f-d1b7-2fca-759d2aaadb45@gmail.com>
Date: Wed, 27 Mar 2019 09:25:15 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/lrAfYuWoNo1Utr4f8uUjo5lZcwo>

I hope you didn't mind me mentioning TEEP/OTrP as a [partially] awkward solution...

-------- Forwarded Message --------
Subject: Side-meeting: Canonical JSON, Signed REST
Date: Wed, 27 Mar 2019 06:52:39 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: 104Attendees <104attendees@ietf.org>

Wednesday 14-15 in Paris.

My presentations at IETF-104 couldn't go into details, so here are some additional facts and motivations.

The lack of canonicalized JSON has had quite practical implications in IETF security protocols, like in this one:

https://tools.ietf.org/html/draft-ietf-teep-opentrustprotocol-02

    "The top element "<name>[Signed][Request|Response]" cannot be fully
     trusted to match the content because it doesn't participate in the
     signature generation.  However, a recipient can always match it with
     the value associated with the property "payload".  It purely serves
     to provide a quick reference for reading and method invocation"

That is, the TEEP folks were forced to add a redundant (and IMO pretty ugly) JSON layer in order to tag objects, since the JWS signature scheme dresses the payload in Base64Url.  This scheme also introduces an additional validation step.

This is sort of the opposite of my own work in this space, where canonicalization is also applied to the JWS container itself (aka clear text signatures).  Here is an example from "Saturn":

   {
       "requestHash": {
           "alg": "S256",
           "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"
       },
       "domainName": "demomerchant.com",
       "paymentMethod": "https://bankdirect.net",
       "accountId": "8645-7800239403",
       "timeStamp": "2019-03-23T10:33:02+01:00",
       "signature": {
           "alg": "ES256",
           "jwk": {
               "kty": "EC",
               "crv": "P-256",
               "x": "rQ4WXMB6_wQKHSiY_mbJ4QkGpfWLssF7hvIiiFpDEx8",
               "y": "Fh2rl0LGTtvaomOuhuRNo9Drz9o0--WXV2ITvdVQFRY"
           },
           "val": "j2LL9pr2RyrPxvFlj8IzMhno5vvgGIgf2xi23dA5u_XwjYlIvT9qwIVKaCKYwjb26J5mMUL5zV02lqQGjZRClw"
       }
   }

Recent proposal addressing Signed/JSON/REST since this apparently still is missing:
https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00
https://datatracker.ietf.org/meeting/104/materials/slides-104-hotrfc-3-signed-http-requests-shreq-00

Bring your rotten tomatoes if you want :-)

Cheers,
Anders
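The following is an added example, not code from the message above, from Saturn, or from any IETF draft. It illustrates the clear-text signature pattern the message describes: the signature container is embedded in the object, and the signature is computed over the canonical serialization of the whole object with only the "val" member left out, so the payload never needs Base64Url wrapping and a relay may reorder keys or pretty-print without breaking verification. Two simplifications are assumptions of this example: a shared HMAC secret stands in for the ES256 key pair (the Python standard library has no ECDSA), and `json.dumps` with sorted keys and no whitespace stands in for the JSON canonicalization draft (it does not reproduce that draft's ES6 number formatting or UTF-16 key ordering, so values here are strings only). The sample request and the "HS256-demo" algorithm label are constructed.

```python
import base64
import copy
import hashlib
import hmac
import json

# Constructed demo secret; in the message's scheme this role is played by an
# ES256 key pair whose public half travels in signature.jwk.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"

# Constructed request, modelled on the Saturn object in the message (string
# values only, so the simplified canonicalizer below is exact for it).
SAMPLE_REQUEST = {
    "domainName": "demomerchant.com",
    "paymentMethod": "https://bankdirect.net",
    "accountId": "8645-7800239403",
    "timeStamp": "2019-03-23T10:33:02+01:00",
}


def base64url(data: bytes) -> str:
    """Base64Url without padding, as used for JWS and JWK values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonicalize(obj) -> bytes:
    """Canonical serialization: keys sorted, no whitespace, UTF-8 output.
    Assumption: this approximates the JSON canonicalization draft and is only
    exact for objects whose leaf values are strings."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_cleartext(obj: dict, key: bytes) -> dict:
    """Return a copy of obj carrying an embedded "signature" container.
    The MAC covers the canonical form of the entire object, including the
    container's "alg" member, with "val" absent at signing time."""
    signed = copy.deepcopy(obj)
    signed["signature"] = {"alg": "HS256-demo"}  # hypothetical label
    mac = hmac.new(key, canonicalize(signed), hashlib.sha256).digest()
    signed["signature"]["val"] = base64url(mac)
    return signed


def verify_cleartext(signed: dict, key: bytes) -> bool:
    """Recompute the MAC over the object with signature.val removed and compare
    in constant time. Missing or malformed signature containers fail closed."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or not isinstance(sig.get("val"), str):
        return False
    to_verify = copy.deepcopy(signed)
    claimed = to_verify["signature"].pop("val")
    expected = base64url(
        hmac.new(key, canonicalize(to_verify), hashlib.sha256).digest())
    return hmac.compare_digest(claimed, expected)


def demo() -> dict:
    """Sign the sample request, then check three receiver-side situations:
    the object as sent, the object after a relay reordered keys and
    pretty-printed it, and the object with one field altered in transit."""
    signed = sign_cleartext(SAMPLE_REQUEST, SHARED_SECRET)

    # Reverse the member order and round-trip through an indented encoding:
    # canonicalization makes this byte-for-byte irrelevant to the signature.
    reordered = json.loads(json.dumps(
        {k: signed[k] for k in reversed(list(signed))}, indent=2))

    tampered = copy.deepcopy(signed)
    tampered["accountId"] = "0000-0000000000"  # constructed alteration

    return {
        "original": verify_cleartext(signed, SHARED_SECRET),
        "reordered": verify_cleartext(reordered, SHARED_SECRET),
        "tampered": verify_cleartext(tampered, SHARED_SECRET),
        "unsigned": verify_cleartext(SAMPLE_REQUEST, SHARED_SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>9}: {'verified' if ok else 'REJECTED'}")
```

The contrast with the OTrP quote is that the top-level tag problem disappears here: every member of the object, the signature container's own "alg" included, is under the signature, so there is no field a recipient must separately cross-check against a Base64Url-wrapped payload.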