This looks good to me.

As for using JOSE implementations that lack support for the JSON
serialization formats (and only support the compact one), is there an RFC,
Internet-Draft, or similar document with an explanation of the conversion
process already prepared (that can simply be thrown into the ACME draft's
references section)? Or would it be necessary to include an appendix in the
ACME draft with an outline of the conversion process? The conversion
process looks fairly straightforward. However, it would be nice if there
was a document or part of a document that could be easily referenced.

Logan

On Wed, Jan 3, 2018 at 5:47 PM, Fraser Tweedale <fr...@frase.id.au> wrote:

> On Thu, Jan 04, 2018 at 12:07:34AM +0100, Jörn Heissler wrote:
> > Hello and happy new Year!
> >
> > I've found an inaccuracy in the ACME specs.
> >
> > https://tools.ietf.org/html/rfc7515#section-7 states:
> >
> >     Applications using this specification need to specify what
> >     serialization and serialization features are used for that
> >     application.
> >
> > Although this is neither a "SHOULD" nor a "MUST", I think ACME should
> > specify which serialization formats need to be supported by server
> > implementations.
> >
> > RFC7515 defines four serialization formats:
> >
> > * JWS Compact Serialization
> > * General JWS JSON Serialization Syntax
> >   * One signature only
> >   * Multiple signatures
> > * Flattened JWS JSON Serialization Syntax
> >
> > https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.2
> > states:
> >
> >     In the examples below, JWS objects are shown in the JSON or
> >     flattened JSON serialization
> >
> > All examples in the ACME specification use only the flattened
> > serialization.
> > Depending on the clarification above, this might need to be amended too.
> >
> > Best regards
> > Jörn Heissler
>
> I am the author of a JOSE library, and have had to deal with
> interoperability issues arising from the multiple serialisations and
> underspecified applications/protocols.  Please heed my advice.
>
> Where there is a choice of JSON serialisation (i.e. exactly one
> signature), JOSE does not require or recommend a particular
> serialisation be used.  Nor does the specification require or
> recommend that there be a mechanism for telling a library what JSON
> serialisation to use.  The outcome of this is that there are:
>
> - implementations that unconditionally produce the General JSON
>   serialisation
>
> - implementations that unconditionally produce the Flattened JSON
>   serialisation (and do not support multiple signatures at all)
>
> - implementations that produce the Flattened serialisation when
>   there is a single signature, and the General JSON serialisation
>   otherwise
>
> Therefore for interoperability and to avoid situations where a
> conforming JOSE library cannot be used for ACME, I suggest that ACME
> adopt the following regime:
>
> - Conforming ACME implementations MUST process JWS objects using the
>   Flattened JWS JSON Serialization and SHOULD process JWS objects
>   using the General JWS JSON Serialization.
>
> - Conforming ACME implementations MAY refuse to process JWS objects
>   with multiple signatures.  If an implementation accepts
>   multiple-signature JWS objects, it MUST validate at least one
>   signature using the account's public key.
>
> Cheers,
> Fraser
>
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
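The two points raised in the thread, the RFC 7515 section 7 conversion between the Compact, Flattened JSON and General JSON serializations that Logan asks about, and the acceptance rule Fraser proposes (accept either JSON serialization, optionally refuse multiple signatures, require at least one signature to verify under the account key), in one added Python example. This is not text from the ACME draft or code from any JOSE library or ACME implementation. It assumes HS256 (HMAC) purely so that it runs with the standard library; ACME account keys are asymmetric (RS256/ES256), which changes the signing primitive but not the serialization handling shown. The key, nonce, URLs and the newOrder-like body are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a shared-secret stand-in for the ACME account key (real ACME uses asymmetric keys).
ACCOUNT_KEY = b"constructed-demo-key-not-an-acme-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(key: bytes, protected_b64: str, payload_b64: str) -> bytes:
    # JWS Signing Input is ASCII(BASE64URL(protected) || '.' || BASE64URL(payload)).
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def sign_compact(key: bytes, protected: dict, payload: dict) -> str:
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return ".".join((protected_b64, payload_b64, b64url(hs256(key, protected_b64, payload_b64))))


# --- RFC 7515 section 7 conversions (lossless for single-signature objects) ---

def compact_to_flattened(compact: str) -> dict:
    protected_b64, payload_b64, signature_b64 = compact.split(".")
    return {"protected": protected_b64, "payload": payload_b64, "signature": signature_b64}


def flattened_to_compact(flat: dict) -> str:
    # The compact form has no slot for an unprotected header, so it cannot be converted.
    if "header" in flat:
        raise ValueError("unprotected header cannot be expressed in compact serialization")
    return ".".join((flat["protected"], flat["payload"], flat["signature"]))


def flattened_to_general(flat: dict) -> dict:
    per_sig = {k: flat[k] for k in ("protected", "header", "signature") if k in flat}
    return {"payload": flat["payload"], "signatures": [per_sig]}


def general_to_flattened(general: dict) -> dict:
    if len(general["signatures"]) != 1:
        raise ValueError("only a single-signature JWS can be flattened")
    return {"payload": general["payload"], **general["signatures"][0]}


def to_general(jws) -> dict:
    """Normalise any of the three serializations to the General JSON form."""
    if isinstance(jws, str):
        jws = compact_to_flattened(jws)
    if "signatures" in jws:
        return jws
    return flattened_to_general(jws)


# --- ACME-style acceptance rule --------------------------------------------

def acme_verify(jws, account_key: bytes, allow_multiple: bool = False) -> dict:
    """Return the decoded payload if at least one signature verifies under account_key.
    With allow_multiple=False (the MAY-refuse option) a multi-signature object is rejected
    outright rather than verified."""
    general = to_general(jws)
    signatures = general["signatures"]
    if len(signatures) != 1 and not allow_multiple:
        raise ValueError(f"refusing JWS with {len(signatures)} signatures")
    for sig in signatures:
        protected = json.loads(b64url_decode(sig["protected"]))
        if protected.get("alg") != "HS256":
            continue  # the header must not pick an algorithm the server did not expect
        expected = hs256(account_key, sig["protected"], general["payload"])
        if hmac.compare_digest(expected, b64url_decode(sig["signature"])):
            return json.loads(b64url_decode(general["payload"]))
    raise ValueError("no signature verified under the account key")


def demo() -> dict:
    # Constructed sample: an ACME-shaped protected header and a newOrder-like body.
    protected = {"alg": "HS256", "kid": "https://example.invalid/acme/acct/1",
                 "nonce": "constructed-nonce", "url": "https://example.invalid/acme/new-order"}
    payload = {"identifiers": [{"type": "dns", "value": "example.invalid"}]}
    compact = sign_compact(ACCOUNT_KEY, protected, payload)
    flat = compact_to_flattened(compact)
    general = flattened_to_general(flat)
    return {
        "compact": compact,
        "flattened": flat,
        "general": general,
        "roundtrip_ok": flattened_to_compact(general_to_flattened(general)) == compact,
        "payload": acme_verify(general, ACCOUNT_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A client whose library only emits the compact form can run `compact_to_flattened` on its output before POSTing; a server built on a library that only consumes the general form can run `to_general` on whatever arrives. The one case that does not convert is a flattened object carrying an unprotected `header` member, which the compact serialization cannot represent.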
