On 2015-08-10 08:54, Jim Schaad wrote:
Anders,If you truly have a "Predictable Serialization" that is general purpose rather than only for a subset, please submit an ID with that information. It would be highly valuable. The JSON group is re-opening and it could provide some good input for that.
My take on "Predictable Serialization" is extremely simple both from a definition- and implementation-point of view ; it only means that the order and contents of properties is respected during parsing and serialization. This doesn't violate RFC 7159 but isn't supported by it either. An I-D would mainly be a rationale.
I do not find that humans do predictable serializations when creating JSON in any way. They tend to either copy some example or put in fields as they tend to remember them. They don't, for example, sort them in an alphabetic order by key name.
Right. What I meant is that when humans are authoring JSON data they tend to put properties in a for the context logical order. Anders http://docs.oracle.com/javase/7/docs/api/java/util/LinkedHashMap.html
Jim-----Original Message----- From: jose [mailto:[email protected]] On Behalf Of Anders Rundgren Sent: Sunday, August 09, 2015 10:11 PM To: Mike Jones; [email protected] Subject: Re: [jose] Payment Perspective ondraft-jones-jose-jws-signing-input-options 00 On 2015-08-10 06:33, Mike Jones wrote:You can represent unencoded header and payload values by using "b64":false> and "header" rather than "protected" with the JWS JSON Serialization. Got that but "header" is not signed, right? Anyway, the bigger picture is that "Predictable Serialization" is thede-factostandard for HUMAN-authored JSON data including the JOSE RFCs and I-Ds. By adding a mere 10-100 lines (required by _some_ JSON tools), you canfinallyclose the readability gap between HUMAN- and MACHINE-written JSON data. If you do that you also get an entirely different set of possibilities forhuman-readable, byte-efficient, and simple "in-object" JSON signatures like JCS. For detached signatures (which IMO is another story) I think your I-D isquiteuseful! Anders-- Mike -----Original Message----- From: jose [mailto:[email protected]] On Behalf Of Anders Rundgren Sent: Saturday, August 08, 2015 9:48 AM To: [email protected] Subject: [jose] Payment Perspective on draft-jones-jose-jws-signing-input-options 00 Hi JOSE WG, The JOSE standards grew out of OpenID and similar. They obviously do agreatjob in that space!So the question I have tried to answer is: How do the JOSE standards fitin amore traditional XML or EDI context?SIZE: If we start with size (which probably is the least important factorhere), JOSEsignature schemes seem to have one thing in common: they need to Base64URL-encode protected header arguments which for X.509 certificates means two layers of Base64. It doesn't take an Einstein to figure outthatsignatures schemes that use header protection for explicit X.509 datawon't beparticularly space-efficient.READABILITY: This is a more complicated issue than one might think because JSON unlike its "predecessors" does not depend on (or support) position-based data which for example makes the modified sample in JWS A.7 { "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q""protected":"eyJhbGciOiJFUzI1NiJ9", "payload":"eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtc GxlLmNvbS9pc19yb290Ijp0cnVlfQ","header": {"kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"}, } fully valid but slightly less pleasing to read. Applied to JSON objectswithdozens of properties this (IMO) becomes a debug and document hurdle alsoforsystems that do not use signatures.Now going back to readability which was one of the motives behind draft-jones-jose-jws-signing-input-options 00...As far as I can tell, draft-jones-jose-jws-signing-input-options 00doesn't reallydeal with signed JSON, it is rather a scheme for signing arbitrary UTF-8data. Ifyou use this scheme for in-line signing of JSON data, readability wouldsuffer dueto 1) typical JSON serializers' inability maintaining "insertion order" 2)the codegetting garbled by escape characters.That protected headers are Base64URL-encoded is also a readability (anddebug) impediment.If you would like to use a JSON schema for input validation thingsbecomerather "hacky" since the signature and the data isn't in the same format.In some applications (like the ones I work with...), there's also adisadvantagewith embedding signatures since they change the structure of an object completely. That signed PDFs is not about putting PDF data inside of aCMSblob is not a coincidence!All those issues put together plus the fact that "predictableserialization" isabsolutely trivial to implement and has legitimate uses outside ofsignaturesmakes me less convinced that the JOSE WG at this stage has a viablesolution forpayments and such.However, that DOES NOT disqualifydraft-jones-jose-jws-signing-input-options00 as a possible extension to existing JOSE standards. The detachedversion ofthe concept seems like a particularly useful thing!So, I'm still counting on a new scheme for payments. Although thefollowingJCS sample may look verbose, it is actually quite a bit morebyte-efficient thancurrent JOSE signature schemes. Readability? Not even "pretty-printing"breakssignatures. Well, strings must of course not be folded...{ "@context":"https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fxmlns.web pki.org%2fwebpay%2fv1&data=01%7c01%7cmichael.jones%40microsoft.com% 7ce83bbb0608b14320772308d2a0111b64%7c72f988bf86f141af91ab2d7cd011d b47%7c1&sdata=zRirh4Ml%2bLrdObxfyIKPEiT%2fWTV8EkvxaWPwafW0ong%3d ","@qualifier": "ProviderGenericAuthRes", "paymentRequest": { "payee": "Demo Merchant", "amount": "94617.00", "currency": "USD", "referenceId": "#1000002", "dateTime": "2015-08-08T14:17:22Z", "softwareId":"https://na01.safelinks.protection.outlook.com/?url=WebPKI.org&data=01%7c 01%7cmichael.jones%40microsoft.com%7ce83bbb0608b14320772308d2a0111b 64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5nGtCZFiJGh02Zn7OXe U8QTmBGIvMxL%2fjTb1GKdtHSo%3d - Merchant","softwareVersion": "1.00", "signature": { "algorithm": "RS256", "signerCertificate": { "issuer": "CN=Merchant Network Sub CA5,C=DE", "serialNumber": "1437034463499", "subject": "CN=DemoMerchant,2.5.4.5=#1306383936333235,C=DE"}, "certificatePath": ["MIIDQzCCAiugAwIBAgIGAU6V7cELMA0GCSqGSIb3DQEBCwUAMDAxCzAJBgNV BAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrIFN1YiBDQTUwHhcNMTQwMTAxM DAwMDAwWhcNMjAwNzEwMDk1OTU5WjA2MQswCQYDVQQGEwJERTEPMA0GA1UEBRMGOD k2MzI1MRYwFAYDVQQDEw1EZW1vIE1lcmNoYW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg KCAQEAgwjGibfiCx8SOPyM-xWnxPg7T2Aqyww3SpD0n8nPEs0DPWHZEVNsATd3dYLCTk7iEyGlKnR_ZCeC018fC6cg9Yqc-vcvg7SG21JNm05q1XG0h6mVnyNNlRBVEq36CPoRiiyHdFIa9UfA141ZJAvONgejEVWSe4ZSNxxo81hvebQQc2lHs7n9LvSB4tc7qfgNRvjffgXTpwtcumeXg N_42kIJSANVwwKj6HhXZVnaHHQ4M-cL9_BWjWQIr8VmQvi4Ijq9fIa6GMjYoOlznBbnUjsmALA0CRXYc-3mxQbeKUDal1Z8fsstXsSBOSm1T0Im4oGbuPFKAuF5LqlxSmcnHQIDAQABo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUehiUWQGM9QOs31qpSTKCIasVC8gwHwYDVR0jBBgwFoAU8hS_eJVH7LntNHSRqkO_Y3rJxCIwDQYJKoZIhvc NAQELBQADggEBAAYB5NqFPxHwIyQWkQY3Ip4nIFfCHzOEJ4CyBZG0nrZPi4696Nf66iR1W 0xJxPo0PTFHD1Q1sRlhbonEh1rrQpNctzZtS8jEo6VeskH7MiGq3wUV9pfnQys0_2j0-GTnVlXwCkMKnBRIWue4MdbZJplahOS3QbD4w1HcXGlaluWoCGCS_8eIVPHmTTSCmGOU3J X-PIZoV7V_q-wevUwAJfoeWF21EKgic3yQWvIgoDQEeSRjg7f3LDTrr2J9uVqXMTTkTvsTKCYNZoUTeM66Rxa1nTSryu 866Nuj9XmKorNmDAmrxN4tX64tzNIMnaoTXv6qifQal0hEVRlE7ONUNfY","MIIEPzCCAiegAwIBAgIBBTANBgkqhkiG9w0BAQ0FADAxMQswCQYDVQQGEwJV UzEiMCAGA1UEAxMZTWVyY2hhbnQgTmV0d29yayBSb290IENBMTAeFw0xMjA3MTAxMDAw MDBaFw0yNTA3MTAwOTU5NTlaMDAxCzAJBgNVBAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudC BOZXR3b3JrIFN1YiBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbOtyy4Q Z5re1twR79TDAQ0we0cGLlfUW920F3lVnov7aEec7zRtUBVKsSs-MVfiuDFmhTSfULT52o_mv5Re76n0AdbKsV61sQDInXFDPLPUWxayuWJaHu3TzisjQOKupor25V8zHzqAVU5fuGsvYD0 uPUwjncRVQU9GmUU49iKu0D5Twf4GSkDRiUoouwJ2CQnGLVie4ImMHAK-vlHc5cvg1zd_G3HEECgg-EYYXbwUppb-7KiH6Z3ftWJZsiE22nGtrYbXNH4ESp_NNYbMyLP1Nu1XFvUc9Y2jCzXcGoe4FDcrTC6QhdRARVY3oNMDRTLpQcc0nUWfvTnZNk8IONAgMBAAGjYzBhMA8 GA1UdEwEB_wQFMAMBAf8wDgYDVR0PAQH_BAQDAgEGMB0GA1UdDgQWBBTyFL94lUfsue0 0dJGqQ79jesnEIjAfBgNVHSMEGDAWgBQbQarjDLZwVQi-a9eysaPNhSKG7jANBgkqhkiG9w0BAQ0FAAOCAgEAeyGWd5HUJEtJfwOgHF7OTby7sx6OuYw4EApUCfsDBLHZwFY5vPZvhOZYTYxB FmHyVxZBRvikWuCeDn6TP8uDDWbwnLESVAAgGAxK1y4mMzP32SHESnnrehcrJrhwxA3xbp KsTeolNceOVB8XzKz9Ti3TmmDt9VA20aruGw-Zv8XIF036oNpOY4SBz0Hvfu_CrLEZXrhKqKvmS9N9m44Us8L6FZbRNaPfkVIfKRBGgtMziDUyyXrb0PisuRkdFenmkoqfO2d6QVho6SuNUlXd_pGNklKaQfEP- A6vN4XK7JpYhwgmhvrxKUUC9nfx601olcIcUm3TpewUz5t- s2Kpv4EVCAet6vKqHDH4A4oI2hOPEWSzhjqumtJmPguNGVdeBbdgZrVEl3XbwsRO qgYGGHLXURSRnySaIaUY-4Se8HgA-AHbn3MiK_pBz1Igj- mokjZILt51t6I77Qf_fTi9OJYBrAPkZozxUGN2RaQ6zPqPlIgrKQQwS_jTQg- z_QkctYP8V7w9__Z6Na8dCR9rBhoruBdKO1OPipT_qeqRVq3xzu- 80MFDRNouegE4UoS8_KTMwfisCKssrKydA7IIACMKa6V3BtGKD6ML3LhnhgfGQS oCxVU4v5QZ6866TImLRSl-E8M8SdeIZ4MKRV-oKPouq6B0d-0mrHkCstTilfI"], "value": "AYUvS4Nq7cuHz8zCoXh_-vOWYKchnAAUfROaDbU1nGv9cM3H0uZz- W6d8v51jlBGq0bt9yWDpyjmd9FFqHSqLEf1FNTGTObAEpQ2ar6Lgvwmer- HXhi3Y5Hng7MqMokOZeF_tsbfZTffXg96BvFVRzUr3qBeCYPNMH7q2pTV_4L57sj4 QssJkRfG-KxT1nSkhSGCD1big2Vfr_93CC0cKuURSJup2AwK- A3BJ3ax5QlW4YA2KBRiaSf6X1jlJhCFQZf- oaj7bUIna7kWd_f0ab869Co4H4HoDvECoDKa-JHqNw- NOeUAxT0brMHyKJ_Nvq8LUuiAzic3CPqIJaJSHA"} }, "cardType": "SuperCard", "cardReference": "************2109", "referenceId": "#164010", "dateTime": "2015-08-08T14:17:37Z", "softwareId":"https://na01.safelinks.protection.outlook.com/?url=WebPKI.org&data=01%7c 01%7cmichael.jones%40microsoft.com%7ce83bbb0608b14320772308d2a0111b 64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5nGtCZFiJGh02Zn7OXe U8QTmBGIvMxL%2fjTb1GKdtHSo%3d - Bank","softwareVersion": "1.00", "signature": { "algorithm": "ES256", "signerCertificate": { "issuer": "CN=Payment Network Sub CA3,C=EU", "serialNumber": "1437034453652", "subject": "CN=mybank.com,2.5.4.5=#130434353031,C=FR" }, "certificatePath": ["MIIBtjCCAVmgAwIBAgIGAU6V7ZqUMAwGCCqGSM49BAMCBQAwLzELMAkGA1 UEBhMCRVUxIDAeBgNVBAMTF1BheW1lbnQgTmV0d29yayBTdWIgQ0EzMB4XDTE0MDEwMTA wMDAwMFoXDTIwMDcxMDA5NTk1OVowMTELMAkGA1UEBhMCRlIxDTALBgNVBAUTBDQ1MDEx EzARBgNVBAMTCm15YmFuay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQsqMMQgB9jB PfnNXhQo9QSGp1P0OF8-2VZp-BEeRmk3kNRH1y2E0f0A-y1DVC34oOF71EyPeAv74mxhjc3gElgo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQU3butViPf_sGq0YGegUKNflI4I7YwHwYDVR0jBBgwFoAUiJnScUmlW9Sj8LhXJ5MCsWtU6EQwDAYIKoZIzj0E AwIFAANJADBGAiEApr5pe3Oeqr2Ep7xfs6s011Z5w9SaoumonMnD6_UQrFYCIQCAE2vi1 QoIzr8gH800AnBrdOtG9Xw9jI-Vb1ixyow0tA","MIIDcjCCAVqgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAwMQswCQYDVQQGEwJV UzEhMB8GA1UEAxMYUGF5bWVudCBOZXR3b3JrIFJvb3QgQ0ExMB4XDTEyMDcxMDEwMDAw MFoXDTI1MDcxMDA5NTk1OVowLzELMAkGA1UEBhMCRVUxIDAeBgNVBAMTF1BheW1lbnQgT mV0d29yayBTdWIgQ0EzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwR1b9NmpqCEX7wJb391 eOhqzmBraQyHpvZ2Y0WmkEHXQcKx3pWg_0jalhZpNmmmcfM_TzmqrID4ZDGoKimC4iaNj MGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIiZ0nFJ pVvUo_C4VyeTArFrVOhEMB8GA1UdIwQYMBaAFJm5JC6Uimm49w3xJhmpWpxn3DozMA0GCS qGSIb3DQEBDQUAA4ICAQAO5pRZZMkLt3EelSdX2V5bOz4iC-XfSed9PJYuR2slXij3w2DFmxYHmbSVH4dZshotkFHCHAhoLpZdtq6IeYdkEGuf94corvBh8hPxqetn-F-qLVUpdFwEww1POd8T0n02YouRDSi4HWUY003C9hB6ouTdfHaswR6-cBOpKzwOqfRUGdBG_pDdP_XURIIgxPt6wp3PGd32gS6FLMO-GOfFIQJgQ2lZNPQ-UPaa0UGmNI-GcDkco_kI1eOlPlWfZPZwe9bLWyE_g380l_ozm2waLM8p9tVNUqp37ktLUeIJbBS_u4vR8j3h9QVBrSVitddQbkGFyxLDB_dkuQ jNDigESmCBgbjeoa5DSxNGc_FkHDVkJyTkTjL5vvG9cee9kqlRjWM4KEXPVJcBcNyGPqis myMWNgIm1TJC7Z7tm_epvzoJnfN35RUW7cUjPyRZtIsymnqs_uILyY_cmTWUmH1c75Utg Tx1-Jfp6B3Qyji8pDR_Ba3eUlz1BJhyFuC8cHL275S8zQ2jCyjnaMXZvm_EnZGpOcm4DZrPD3cujBc1E09LyujylglLi N_up0I_ImliqF0GIA1o-s3nk7F1QlTe-7HWsbTrPOocm3SHDmyJEOgz8ChftelxeQ5- 2hhz5QURdmmUIPUrDBcK1I5Fopv2-SPmNipPkZ1o7Gz1Mbqzrg"], "value":"bUZ2bjXVKQisr_RyYG1Ru0P263ft1LkmhLnBTg94AjYQ4YLXLdwImmcZUd6yzApC SARFZ6xOoYw_IuvvkBG_ug"} } thanx, Anders R https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmobilepki.org%2fjcs&data=01%7c01%7cmichael.jones%40microsoft.com%7ce83bbb 0608b14320772308d2a0111b64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sd ata=4BxnKZzwfjHI9agf8KmyH9r8uq99%2bcJuynTGLfe7F5U%3d _______________________________________________ jose mailing list [email protected] https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2fjose&data=01%7c01%7cmichael.jones%40microsoft.com%7ce83bbb0608b14320772308d2a0111b64%7c72f988bf86f141af91 ab2d7cd011db47%7c1&sdata=SZEW0IWLt8eUw0nPilbQE45376rM41ChicZcQmLOeAE %3d_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
