On Nov 18, 2018, at 08:53, Anders Rundgren <[email protected]> wrote:
>
> On 2018-10-11 21:03, Carsten Bormann wrote:
>> On Oct 11, 2018, at 20:23, Phil Hunt <[email protected]> wrote:
>>>
>>> I am not sure of the value of canonicalization. I prefer bytestream
>>> encoding style where the original content goes with the signature.
>> I’m afraid a lot of people are sitting in front of their screens silently
>> agreeing, but not typing anything because their hands are tied up in an
>> interminable facepalm.
>
> Those who are not stuck in an ever-lasting facepalm may not be entirely
> comfortable with signature schemes that completely change the structure of
> signed messages. COSE do this as well?

I don’t understand the question.
The point of COSE is that the signed message is not changed at all.
(With JOSE, it needs to be base64-encoded for transfer, but it also isn’t changed otherwise.)

> Well, you can of course add artificial unsigned layers (like the TEEP folks
> do), but that smells “workaround” rather than solution.

Again, I don’t understand.

But maybe what I wrote earlier is still applicable:

>> To the people asking for a c14n solution for signature: If you want XMLDSig,
>> you know where to find it.
>> The basic approach of having humongous XML documents that get signatures
>> added to themselves as part of the document only makes sense in certain
>> processing models that went out of favor with XML.

This.

>> JOSE does the right thing for more modern applications.

And this.

>> I’m not opposed to doing some “c14n” work on serialization schemes —
>> deterministic serialization has other applications than just XMLDSig.

RFC 7049 has some recommendations for “c14n” that are being cleaned up and updated for 7049bis.
Those are implemented in a few CBOR libraries, albeit not in all.
The RFC 7049 version of “c14n” is in use in some other SDOs’ work.

>> I definitely do not like giving the message that c14n-based signatures are
>> the new thing that will replace doing the right thing (JOSE, that is).

And this.

Grüße, Carsten

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
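
Added example, not part of the original message or of any JOSE/COSE implementation: a minimal JWS compact serialization with HS256 (RFC 7515), showing that the payload bytes travel unchanged with the signature, next to an in-document tag that only verifies when both sides share a deterministic serialization. The key, the sample message and the helper names (toy_c14n, in_document_tag) are constructed for illustration; toy_c14n is an assumption, not a standard canonicalization.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"                # constructed sample key
ORIGINAL = b'{ "b": 1.0, "a": [1, 2] }'      # constructed message, sender's own formatting

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes, key: bytes) -> str:
    """JWS compact form: the payload bytes are only base64url-wrapped, never re-serialized."""
    header = b64url(b'{"alg":"HS256"}')
    signing_input = f"{header}.{b64url(payload)}"
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"

def jws_verify(token: str, key: bytes) -> bytes:
    """Check the MAC over the bytes as received, then return the sender's original payload."""
    header, payload, tag = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag)):
        raise ValueError("bad signature")
    return b64url_decode(payload)

def toy_c14n(obj) -> bytes:
    """Toy deterministic serialization (assumption: sorted keys, no whitespace)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def in_document_tag(obj, key: bytes, serialize) -> str:
    """Tag over a re-serialization of the parsed object, as an in-document signature needs."""
    return b64url(hmac.new(key, serialize(obj), hashlib.sha256).digest())

if __name__ == "__main__":
    token = jws_sign(ORIGINAL, KEY)
    # The receiver recovers exactly the bytes the sender signed.
    print("JWS payload unchanged:", jws_verify(token, KEY) == ORIGINAL)
    obj = json.loads(ORIGINAL)
    loose = lambda o: json.dumps(o).encode("utf-8")  # a serializer with different spacing/order
    # Without an agreed serialization the two sides compute different tags.
    print("tags agree without c14n:",
          in_document_tag(obj, KEY, loose) == in_document_tag(obj, KEY, toy_c14n))
```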
