W3C home > Mailing lists > Public > public-credentials@w3.org > December 2014

Re: JOSE author didn't use JWS. Was: Digital Signatures for Credentials

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 02 Dec 2014 19:29:51 +0100
Message-ID: <547E051F.9080202@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
CC: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org
On 2014-12-02 19:09, Richard Barnes wrote:
> Human-readability is only a very minor part of the objectives here.  Base64 deserialization is not a major issue.

This departs from the thoughts behind JSON's predecessor, XML.

Anyway, I'm sure many other organizations will use JSON clear-text signatures
(home-brewed though since there is no such standard), particularly since it has
been found out to be compliant with at least the browser parsers.  That this
is the case has a trivial explanation:

Only a bad programmer would design a parser so it would output data
in a different order than it was supplied in, even if the "standard"
allowed that.

Anders

>
> On Tue, Dec 2, 2014 at 9:57 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2014-12-02 18:20, Richard Barnes wrote:
>
>         When I wrote that, there was no flattened serialization.  I'm currently revising to use JWS.
>
>
>     So ACME will go from:
>
>     {
>         "type": "certificateRequest",
>         "csr": "5jNudRx6Ye4HzKEqT5...__FS6aKdZeGsysoCo4H9P",
>         "signature": {
>           "alg": "RS256",
>           "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
>           "sig": "KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ",
>           "jwk": {
>             "kty":"RSA",
>             "e":"AQAB",
>             "n":"KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ"
>           }
>         }
>     }
>
>     to:
>
>     {
>       "payload":"<payload contents>",
>       "protected":"<integrity-__protected header contents>",
>       "header":<non-integrity-__protected header contents>,
>       "signature":"<signature contents>"
>     }
>
>     That's not so cool (you don't see what it is anymore...), not to mention how poorly
>     it matches the JSON schema validation ACME seems to use.
>
>     JSON Cleartext Signatures rocks :-)
>
>     Anders
>
>
>
>         On Mon, Dec 1, 2014 at 9:02 PM, Manu Sporny <msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com> <mailto:msporny@digitalbazaar.__com <mailto:msporny@digitalbazaar.com>>> wrote:
>
>              Richard,
>
>              Quick question for you re: ACME - why did you decide to not use the JWS
>              base64-encoding mechanism in the signature for ACME? Particularly,
>              you've specified multiple canonicalization mechanisms (signature-input).
>
>              The reason I'm asking is because we're trying to get some insight into
>              whether or not the base64-encoded approach should be used when digitally
>              signing credentials in the Credentials Community Group, or if you
>              suggest we specify our own canonicalization mechanism and re-use the JWS
>              alg/nonce/sig fields?
>
>              On 11/28/2014 09:04 AM, Anders Rundgren wrote:
>               > https://github.com/__letsencrypt/acme-spec/blob/__master/draft-barnes-acme.md <https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md>
>               >
>               > {
>               >   "type": "certificateRequest",
>               >   "csr": "5jNudRx6Ye4HzKEqT5...__FS6aKdZeGsysoCo4H9P",
>               >   "signature": {
>               >     "alg": "RS256",
>               >     "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
>               >     "sig": "KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ",
>               >     "jwk": {
>               >       "kty":"RSA",
>               >       "e":"AQAB",
>               >       "n":"KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ"
>               >     }
>               >   }
>               > }
>
>              -- manu
>
>              --
>              Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>              Founder/CEO - Digital Bazaar, Inc.
>              blog: The Marathonic Dawn of Web Payments
>         http://manu.sporny.org/2014/__dawn-of-web-payments/ <http://manu.sporny.org/2014/dawn-of-web-payments/>
>
>
>
>
Received on Tuesday, 2 December 2014 18:30:25 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:21 UTC