Re: [woes] Proposed charter, post-Quebec edition

Matt Miller <mamille2@cisco.com> Thu, 04 August 2011 14:03 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: woes@ietfa.amsl.com
Delivered-To: woes@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FE5221F8A69 for <woes@ietfa.amsl.com>; Thu, 4 Aug 2011 07:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.043
X-Spam-Level:
X-Spam-Status: No, score=-3.043 tagged_above=-999 required=5 tests=[AWL=-0.444, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Bfh5a9HIqzC for <woes@ietfa.amsl.com>; Thu, 4 Aug 2011 07:03:15 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 20B3B21F89BA for <woes@ietf.org>; Thu, 4 Aug 2011 07:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mamille2@cisco.com; l=7669; q=dns/txt; s=iport; t=1312466610; x=1313676210; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=8NGNnHs1skiKwRmzBFUAhXmP1WZEX7/kQyJ+jQ2a6mk=; b=aN3/WzAmhJJnfUlggC10koWO8fMxKoUrIJEWwDSqrDdY/e7L5JAHgDsi AkIpPnqUH3Wgh8s665Vg3NlSdem3T42baXe4bZ3xhrlkIOfYkt7LyDMpX 1bYmxRixgbzZY+sY0eHCDpx1d8zAbg0e1txUzZ1zJ27xMdr51egkzSt7o g=;
X-Files: smime.p7s : 2214
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAEalOk6rRDoJ/2dsb2JhbABCp2Z3gUABAQEBAgEBAQEPAVsLBQsLGC4CJTAGCgkbB4dKBKJYAZ5/hWNfBIdaiyGRAw
X-IronPort-AV: E=Sophos; i="4.67,316,1309737600"; d="p7s'?scan'208"; a="9646291"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-8.cisco.com with ESMTP; 04 Aug 2011 14:03:29 +0000
Received: from dhcp-64-101-72-212.cisco.com (dhcp-64-101-72-212.cisco.com [64.101.72.212]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p74E3SFE019101; Thu, 4 Aug 2011 14:03:28 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-16--848035747; protocol="application/pkcs7-signature"; micalg=sha1
From: Matt Miller <mamille2@cisco.com>
In-Reply-To: <CAMm+LwhPpqO13VxYOUYEeZ=nGPEt+pDpsbzBgRy6NtLQ3YfJmQ@mail.gmail.com>
Date: Thu, 4 Aug 2011 08:03:33 -0600
Message-Id: <4E13B17E-EBDF-4A92-BA8F-EE17D86D67A2@cisco.com>
References: <4F25253E-A870-4956-AAB1-20890B655984@vpnc.org> <DADD7EAD88AB484D8CCC328D40214CCD0E743D3330@EXPO10.exchange.mit.edu> <4E39B44C.1070706@stpeter.im> <4E39B483.7080101@stpeter.im> <DDAE45CD-111B-4C5F-83B0-0F267B8EC8E7@ve7jtb.com> <CAMm+LwhO98tr8PnC0ebObHAmPptP3kvV5Jq=u6LSs3ARjA5PYQ@mail.gmail.com> <BD80D366-B164-4466-B57C-ADC6E01DFEE7@ve7jtb.com> <CAMm+LwhPpqO13VxYOUYEeZ=nGPEt+pDpsbzBgRy6NtLQ3YfJmQ@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: "woes@ietf.org" <woes@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [woes] Proposed charter, post-Quebec edition
X-BeenThere: woes@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Web Object Encryption and Signing \(woes\) BOF discussion list" <woes.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/woes>, <mailto:woes-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/woes>
List-Post: <mailto:woes@ietf.org>
List-Help: <mailto:woes-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/woes>, <mailto:woes-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2011 14:03:16 -0000

On Aug 4, 2011, at 07:38, Phillip Hallam-Baker wrote:

> Since we are doing encryption as well, there are two problems needing a common solution. 
> 
> 
> Let us say we are encrypting a blob of data - 200K or so. Do we really want to have a JSON structure with the data blob JSON encoded?
> 
> For that and for the signing case I think we are going to want a structure that is something like:
> 
> Package
>     [Type=JSON Length=203 bytes]
>         <Encryption stuff>
>     [ID=2as9uas9u9 Length=293939933 bytes]
>         <Binary blob> 
>    
> Ascii encoding for control data is good, it helps debugging etc. But Ascii encoding JPEG bytes does not really help me much.
> 
> The package could even be as simple as a JSON control block that gives the length of a data blob that is to follow immediately.
> 
> 

We need to be *VERY* careful if the data ends up outside of the envelope.  There are lots and lots of use cases where the data to be transferred is somewhat small (<1k), and there isn't a good mechanism for holding onto that outside data.

We can't make the assumption that the only transport is HTTP!


- m&m

Matt Miller - <mamille2@cisco.com>
Collaboration Software Group - Cisco Systems, Inc.


> On Thu, Aug 4, 2011 at 9:25 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> XPath is NOT the way to go.  No argument from me.
> 
> The JWS spec has admittedly been focused on allowing JSON to be used as tokens for OAuth and openID.
> 
> Those need to be passed around in a URL safe way,  so we need a serialization that supports that.
> 
> In Quebec we did touch on alternate serializations that may be more suitable for other use cases.
> 
> I suspect that signing a manifest/reference is something we should be able to support in the JOSE spec.  
> 
> Finding the best way to accommodate they without complicating the simpler cases is something that should be explored.
> 
> John B.
> 
> On 2011-08-04, at 9:03 AM, Phillip Hallam-Baker wrote:
> 
>> 
>> 
>> On Thu, Aug 4, 2011 at 8:52 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> In the JWS/JWE drafts the goal was to provide JSON envelopes for base64url encoded blobs.
>> 
>> In most cased we intend for those to be JSON, but nothing prevents this from being used with XML similar to the failed SAML simple sign.
>> 
>> With JSON payloads we really wanted to avoid touching the payload.  Inserting elements, canonicalization  and other things that touch the payload are highly problematic.
>> 
>> I really want to avoid C18N as well. The problem is how to do it.
>> 
>> If the data object is small it is no big deal base64 encoding it and storing it as an attribute.
>> 
>> But if the data object is larger (XML document, image, etc.) then some form of indirection is going to be necessary. For example take the digest of the data and sign that or if multiple objects are involved some sort of manifest scheme.
>> 
>> 
>> I really don't want to have to BASE64 a multimedia stream. So I think I am going to need some MIME like packaging scheme that allows us to send a JSON structure with attachments. I think that is going to be a very common requirement for others as well and I would like that to be a part of the standards toolkit rather than have to re-invent it for each protocol. 
>> 
>> 
>> Another very common corner case that is related is how to take a standard data object such as a JPEG, sign it and then attach the signature inside the data object. 
>> 
>> The blunder committed in XML Signature was to use XPath for that which introduced a mechanism for arbitrary transformations - yuk!
>> 
>> I really don't want to specify the precise means of embedding signatures in various media types but I certainly need an approach that makes it possible to use the spec as a basis for doing that. 
>> 
>> 
>> -- 
>> Website: http://hallambaker.com/
>> 
> 
> 
> 
> 
> -- 
> Website: http://hallambaker.com/
> 
> _______________________________________________
> woes mailing list
> woes@ietf.org
> https://www.ietf.org/mailman/listinfo/woes