Hi Anders,
You're right that "header" header is not signed. If you want to
integrity-protect the headers, you'd use "protected", which base64url encodes
the headers so that a canonical JSON representation doesn't have to be defined
or used. I suspect that it's really the payload that you're interested in
being human-readable - whereas the headers are likely to contain relatively
uninteresting content - usually an "alg" and a "kid", and so making them
human-readable is not as big a deal as whether the payload is. But that's a
judgement call that each deployer gets to make.
As you know, the JOSE working group intentionally stayed away from defining or
using a canonical JSON encoding and instead opted for base64url encoding when
it was necessary to represent arbitrary byte sequences, including arbitrary
JSON representations. You're free to define different specs that make
different choices, but that's up to you and whatever working group you might
charter and its members.
Thanks again for your review and for expressing the opinion that the I-D is
quite useful for detached signatures.
Best wishes,
-- Mike
-----Original Message-----
From: Anders Rundgren [mailto:[email protected]]
Sent: Sunday, August 09, 2015 10:11 PM
To: Mike Jones; [email protected]
Subject: Re: [jose] Payment Perspective on
draft-jones-jose-jws-signing-input-options 00
On 2015-08-10 06:33, Mike Jones wrote:
> You can represent unencoded header and payload values by using
> "b64":false
> and "header" rather than "protected" with the JWS JSON Serialization.
Got that but "header" is not signed, right?
Anyway, the bigger picture is that "Predictable Serialization" is the de-facto
standard for HUMAN-authored JSON data including the JOSE RFCs and I-Ds.
By adding a mere 10-100 lines (required by _some_ JSON tools), you can finally
close the readability gap between HUMAN- and MACHINE-written JSON data.
If you do that you also get an entirely different set of possibilities for
human-readable, byte-efficient, and simple "in-object" JSON signatures like JCS.
For detached signatures (which IMO is another story) I think your I-D is quite
useful!
Anders
>
> -- Mike
>
> -----Original Message-----
> From: jose [mailto:[email protected]] On Behalf Of Anders Rundgren
> Sent: Saturday, August 08, 2015 9:48 AM
> To: [email protected]
> Subject: [jose] Payment Perspective on
> draft-jones-jose-jws-signing-input-options 00
>
> Hi JOSE WG,
>
> The JOSE standards grew out of OpenID and similar. They obviously do a great
> job in that space!
>
> So the question I have tried to answer is: How do the JOSE standards fit in a
> more traditional XML or EDI context?
>
> SIZE:
> If we start with size (which probably is the least important factor here),
> JOSE signature schemes seem to have one thing in common: they need to
> Base64URL-encode protected header arguments which for X.509 certificates
> means two layers of Base64. It doesn't take an Einstein to figure out that
> signatures schemes that use header protection for explicit X.509 data won't
> be particularly space-efficient.
>
> READABILITY:
> This is a more complicated issue than one might think because JSON
> unlike its "predecessors" does not depend on (or support)
> position-based data which for example makes the modified sample in JWS
> A.7
>
> {
> "signature":
> "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
> "protected":"eyJhbGciOiJFUzI1NiJ9",
> "payload":
> "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
> "header": {"kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"},
> }
>
> fully valid but slightly less pleasing to read. Applied to JSON objects with
> dozens of properties this (IMO) becomes a debug and document hurdle also for
> systems that do not use signatures.
>
> Now going back to readability which was one of the motives behind
> draft-jones-jose-jws-signing-input-options 00...
>
> As far as I can tell, draft-jones-jose-jws-signing-input-options 00 doesn't
> really deal with signed JSON, it is rather a scheme for signing arbitrary
> UTF-8 data. If you use this scheme for in-line signing of JSON data,
> readability would suffer due to 1) typical JSON serializers' inability
> maintaining "insertion order" 2) the code getting garbled by escape
> characters.
>
> That protected headers are Base64URL-encoded is also a readability (and
> debug) impediment.
>
> If you would like to use a JSON schema for input validation things become
> rather "hacky" since the signature and the data isn't in the same format.
>
> In some applications (like the ones I work with...), there's also a
> disadvantage with embedding signatures since they change the structure of an
> object completely. That signed PDFs is not about putting PDF data inside of
> a CMS blob is not a coincidence!
>
> All those issues put together plus the fact that "predictable serialization"
> is absolutely trivial to implement and has legitimate uses outside of
> signatures makes me less convinced that the JOSE WG at this stage has a
> viable solution for payments and such.
>
> However, that DOES NOT disqualify draft-jones-jose-jws-signing-input-options
> 00 as a possible extension to existing JOSE standards. The detached version
> of the concept seems like a particularly useful thing!
>
> So, I'm still counting on a new scheme for payments. Although the following
> JCS sample may look verbose, it is actually quite a bit more byte-efficient
> than current JOSE signature schemes. Readability? Not even "pretty-printing"
> breaks signatures. Well, strings must of course not be folded...
>
> {
> "@context":
> "https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fxmlns.webpki.org%2fwebpay%2fv1&data=01%7c01%7cmichael.jones%40microsoft.com%7ce83bbb0608b14320772308d2a0111b64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=zRirh4Ml%2bLrdObxfyIKPEiT%2fWTV8EkvxaWPwafW0ong%3d";,
> "@qualifier": "ProviderGenericAuthRes",
> "paymentRequest":
> {
> "payee": "Demo Merchant",
> "amount": "94617.00",
> "currency": "USD",
> "referenceId": "#1000002",
> "dateTime": "2015-08-08T14:17:22Z",
> "softwareId":
> "https://na01.safelinks.protection.outlook.com/?url=WebPKI.org&data=01%7c01%7cmichael.jones%40microsoft.com%7ce83bbb0608b14320772308d2a0111b64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5nGtCZFiJGh02Zn7OXeU8QTmBGIvMxL%2fjTb1GKdtHSo%3d
> - Merchant",
> "softwareVersion": "1.00",
> "signature":
> {
> "algorithm": "RS256",
> "signerCertificate":
> {
> "issuer": "CN=Merchant Network Sub CA5,C=DE",
> "serialNumber": "1437034463499",
> "subject": "CN=Demo Merchant,2.5.4.5=#1306383936333235,C=DE"
> },
> "certificatePath":
> [
> "MIIDQzCCAiugAwIBAgIGAU6V7cELMA0GCSqGSIb3DQEBCwUAMDAxCzAJBgNVBAYTAkRFM
> SEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrIFN1YiBDQTUwHhcNMTQwMTAxMDAwMDAwWhc
> NMjAwNzEwMDk1OTU5WjA2MQswCQYDVQQGEwJERTEPMA0GA1UEBRMGODk2MzI1MRYwFAYDV
> QQDEw1EZW1vIE1lcmNoYW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgwj
> GibfiCx8SOPyM-xWnxPg7T2Aqyww3SpD0n8nPEs0DPWHZEVNsATd3dYLCTk7iEyGlKnR_Z
> CeC018fC6cg9Yqc-vcvg7SG21JNm05q1XG0h6mVnyNNlRBVEq36CPoRiiyHdFIa9UfA141
> ZJAvONgejEVWSe4ZSNxxo81hvebQQc2lHs7n9LvSB4tc7qfgNRvjffgXTpwtcumeXgN_42
> kIJSANVwwKj6HhXZVnaHHQ4M-cL9_BWjWQIr8VmQvi4Ijq9fIa6GMjYoOlznBbnUjsmALA
> 0CRXYc-3mxQbeKUDal1Z8fsstXsSBOSm1T0Im4oGbuPFKAuF5LqlxSmcnHQIDAQABo10wW
> zAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQUehiUWQGM9QOs31qpSTK
> CIasVC8gwHwYDVR0jBBgwFoAU8hS_eJVH7LntNHSRqkO_Y3rJxCIwDQYJKoZIhvcNAQELB
> QADggEBAAYB5NqFPxHwIyQWkQY3Ip4nIFfCHzOEJ4CyBZG0nrZPi4696Nf66iR1W0xJxPo
> 0PTFHD1Q1sRlhbonEh1rrQpNctzZtS8jEo6VeskH7MiGq3wUV9pfnQys0_2j0-GTnVlXwC
> kMKnBRIWue4MdbZJplahOS3QbD4w1HcXGlaluWoCGCS_8eIVPHmTTSCmGOU3JX-PIZoV7V
> _q-wevUwAJfoeWF
21E
>
> Kgic3yQWvIgoDQEeSRjg7f3LDTrr2J9uVqXMTTkTvsTKCYNZoUTeM66Rxa1nTSryu866Nu
> j9XmKorNmDAmrxN4tX64tzNIMnaoTXv6qifQal0hEVRlE7ONUNfY",
> "MIIEPzCCAiegAwIBAgIBBTANBgkqhkiG9w0BAQ0FADAxMQswCQYDVQQGEwJVUzEiMCAGA
> 1UEAxMZTWVyY2hhbnQgTmV0d29yayBSb290IENBMTAeFw0xMjA3MTAxMDAwMDBaFw0yNTA
> 3MTAwOTU5NTlaMDAxCzAJBgNVBAYTAkRFMSEwHwYDVQQDExhNZXJjaGFudCBOZXR3b3JrI
> FN1YiBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbOtyy4QZ5re1twR7
> 9TDAQ0we0cGLlfUW920F3lVnov7aEec7zRtUBVKsSs-MVfiuDFmhTSfULT52o_mv5Re76n
> 0AdbKsV61sQDInXFDPLPUWxayuWJaHu3TzisjQOKupor25V8zHzqAVU5fuGsvYD0uPUwjn
> cRVQU9GmUU49iKu0D5Twf4GSkDRiUoouwJ2CQnGLVie4ImMHAK-vlHc5cvg1zd_G3HEECg
> g-EYYXbwUppb-7KiH6Z3ftWJZsiE22nGtrYbXNH4ESp_NNYbMyLP1Nu1XFvUc9Y2jCzXcG
> oe4FDcrTC6QhdRARVY3oNMDRTLpQcc0nUWfvTnZNk8IONAgMBAAGjYzBhMA8GA1UdEwEB_
> wQFMAMBAf8wDgYDVR0PAQH_BAQDAgEGMB0GA1UdDgQWBBTyFL94lUfsue00dJGqQ79jesn
> EIjAfBgNVHSMEGDAWgBQbQarjDLZwVQi-a9eysaPNhSKG7jANBgkqhkiG9w0BAQ0FAAOCA
> gEAeyGWd5HUJEtJfwOgHF7OTby7sx6OuYw4EApUCfsDBLHZwFY5vPZvhOZYTYxBFmHyVxZ
> BRvikWuCeDn6TP8uDDWbwnLESVAAgGAxK1y4mMzP32SHESnnrehcrJrhwxA3xbpKsTeolN
> ceOVB8XzKz9Ti3TmmDt9VA20aruGw-Zv8XIF036oNpOY4SBz0Hvfu_CrLEZXrhKqKvmS9N
> 9m44Us8L6FZbRNa
Pfk
>
> VIfKRBGgtMziDUyyXrb0PisuRkdFenmkoqfO2d6QVho6SuNUlXd_pGNklKaQfEP-A6vN4XK7JpYhwgmhvrxKUUC9nfx601olcIcUm3TpewUz5t-s2Kpv4EVCAet6vKqHDH4A4oI2hOPEWSzhjqumtJmPguNGVdeBbdgZrVEl3XbwsROqgYGGHLXURSRnySaIaUY-4Se8HgA-AHbn3MiK_pBz1Igj-mokjZILt51t6I77Qf_fTi9OJYBrAPkZozxUGN2RaQ6zPqPlIgrKQQwS_jTQg-z_QkctYP8V7w9__Z6Na8dCR9rBhoruBdKO1OPipT_qeqRVq3xzu-80MFDRNouegE4UoS8_KTMwfisCKssrKydA7IIACMKa6V3BtGKD6ML3LhnhgfGQSoCxVU4v5QZ6866TImLRSl-E8M8SdeIZ4MKRV-oKPouq6B0d-0mrHkCstTilfI"
> ],
> "value":
> "AYUvS4Nq7cuHz8zCoXh_-vOWYKchnAAUfROaDbU1nGv9cM3H0uZz-W6d8v51jlBGq0bt9yWDpyjmd9FFqHSqLEf1FNTGTObAEpQ2ar6Lgvwmer-HXhi3Y5Hng7MqMokOZeF_tsbfZTffXg96BvFVRzUr3qBeCYPNMH7q2pTV_4L57sj4QssJkRfG-KxT1nSkhSGCD1big2Vfr_93CC0cKuURSJup2AwK-A3BJ3ax5QlW4YA2KBRiaSf6X1jlJhCFQZf-oaj7bUIna7kWd_f0ab869Co4H4HoDvECoDKa-JHqNw-NOeUAxT0brMHyKJ_Nvq8LUuiAzic3CPqIJaJSHA"
> }
> },
> "cardType": "SuperCard",
> "cardReference": "************2109",
> "referenceId": "#164010",
> "dateTime": "2015-08-08T14:17:37Z",
> "softwareId":
> "https://na01.safelinks.protection.outlook.com/?url=WebPKI.org&data=01%7c01%7cmichael.jones%40microsoft.com%7ce83bbb0608b14320772308d2a0111b64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5nGtCZFiJGh02Zn7OXeU8QTmBGIvMxL%2fjTb1GKdtHSo%3d
> - Bank",
> "softwareVersion": "1.00",
> "signature":
> {
> "algorithm": "ES256",
> "signerCertificate":
> {
> "issuer": "CN=Payment Network Sub CA3,C=EU",
> "serialNumber": "1437034453652",
> "subject": "CN=mybank.com,2.5.4.5=#130434353031,C=FR"
> },
> "certificatePath":
> [
> "MIIBtjCCAVmgAwIBAgIGAU6V7ZqUMAwGCCqGSM49BAMCBQAwLzELMAkGA1UEBhMCRVUxI
> DAeBgNVBAMTF1BheW1lbnQgTmV0d29yayBTdWIgQ0EzMB4XDTE0MDEwMTAwMDAwMFoXDTI
> wMDcxMDA5NTk1OVowMTELMAkGA1UEBhMCRlIxDTALBgNVBAUTBDQ1MDExEzARBgNVBAMTC
> m15YmFuay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQsqMMQgB9jBPfnNXhQo9Q
> SGp1P0OF8-2VZp-BEeRmk3kNRH1y2E0f0A-y1DVC34oOF71EyPeAv74mxhjc3gElgo10wW
> zAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwID-DAdBgNVHQ4EFgQU3butViPf_sGq0YGegUK
> NflI4I7YwHwYDVR0jBBgwFoAUiJnScUmlW9Sj8LhXJ5MCsWtU6EQwDAYIKoZIzj0EAwIFA
> ANJADBGAiEApr5pe3Oeqr2Ep7xfs6s011Z5w9SaoumonMnD6_UQrFYCIQCAE2vi1QoIzr8
> gH800AnBrdOtG9Xw9jI-Vb1ixyow0tA",
> "MIIDcjCCAVqgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAwMQswCQYDVQQGEwJVUzEhMB8GA
> 1UEAxMYUGF5bWVudCBOZXR3b3JrIFJvb3QgQ0ExMB4XDTEyMDcxMDEwMDAwMFoXDTI1MDc
> xMDA5NTk1OVowLzELMAkGA1UEBhMCRVUxIDAeBgNVBAMTF1BheW1lbnQgTmV0d29yayBTd
> WIgQ0EzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwR1b9NmpqCEX7wJb391eOhqzmBr
> aQyHpvZ2Y0WmkEHXQcKx3pWg_0jalhZpNmmmcfM_TzmqrID4ZDGoKimC4iaNjMGEwDwYDV
> R0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIiZ0nFJpVvUo_C4Vye
> TArFrVOhEMB8GA1UdIwQYMBaAFJm5JC6Uimm49w3xJhmpWpxn3DozMA0GCSqGSIb3DQEBD
> QUAA4ICAQAO5pRZZMkLt3EelSdX2V5bOz4iC-XfSed9PJYuR2slXij3w2DFmxYHmbSVH4d
> ZshotkFHCHAhoLpZdtq6IeYdkEGuf94corvBh8hPxqetn-F-qLVUpdFwEww1POd8T0n02Y
> ouRDSi4HWUY003C9hB6ouTdfHaswR6-cBOpKzwOqfRUGdBG_pDdP_XURIIgxPt6wp3PGd3
> 2gS6FLMO-GOfFIQJgQ2lZNPQ-UPaa0UGmNI-GcDkco_kI1eOlPlWfZPZwe9bLWyE_g380l
> _ozm2waLM8p9tVNUqp37ktLUeIJbBS_u4vR8j3h9QVBrSVitddQbkGFyxLDB_dkuQjNDig
> ESmCBgbjeoa5DSxNGc_FkHDVkJyTkTjL5vvG9cee9kqlRjWM4KEXPVJcBcNyGPqismyMWN
> gIm1TJC7Z7tm_epvzoJnfN35RUW7cUjPyRZtIsymnqs_uILyY_cmTWUmH1c75UtgTx1-Jf
> p6B3Qyji8pDR_Ba
3eU
>
> lz1BJhyFuC8cHL275S8zQ2jCyjnaMXZvm_EnZGpOcm4DZrPD3cujBc1E09LyujylglLiN_up0I_ImliqF0GIA1o-s3nk7F1QlTe-7HWsbTrPOocm3SHDmyJEOgz8ChftelxeQ5-2hhz5QURdmmUIPUrDBcK1I5Fopv2-SPmNipPkZ1o7Gz1Mbqzrg"
> ],
> "value":
> "bUZ2bjXVKQisr_RyYG1Ru0P263ft1LkmhLnBTg94AjYQ4YLXLdwImmcZUd6yzApCSARFZ6xOoYw_IuvvkBG_ug"
> }
> }
>
> thanx,
> Anders R
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmobil
> epki.org%2fjcs&data=01%7c01%7cmichael.jones%40microsoft.com%7ce83bbb06
> 08b14320772308d2a0111b64%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=
> 4BxnKZzwfjHI9agf8KmyH9r8uq99%2bcJuynTGLfe7F5U%3d
>
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.i
> etf.org%2fmailman%2flistinfo%2fjose&data=01%7c01%7cmichael.jones%40mic
> rosoft.com%7ce83bbb0608b14320772308d2a0111b64%7c72f988bf86f141af91ab2d
> 7cd011db47%7c1&sdata=SZEW0IWLt8eUw0nPilbQE45376rM41ChicZcQmLOeAE%3d
>
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
