W3C home > Mailing lists > Public > public-credentials@w3.org > December 2014

Re: JOSE author didn't use JWS. Was: Digital Signatures for Credentials

From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 2 Dec 2014 10:32:44 -0800
Message-ID: <CAL02cgSWO854fRBCcEy-z5zLaWErYUnv7Ntfv7Q2FtR1Ndi20A@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org
On Tue, Dec 2, 2014 at 10:29 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2014-12-02 19:09, Richard Barnes wrote:
>
>> Human-readability is only a very minor part of the objectives here.
>> Base64 deserialization is not a major issue.
>>
>
> This departs from the thoughts behind JSON's predecessor, XML.
>
> Anyway, I'm sure many other organizations will use JSON clear-text
> signatures
> (home-brewed though since there is no such standard), particularly since
> it has
> been found out to be compliant with at least the browser parsers.  That
> this
> is the case has a trivial explanation:
>
> Only a bad programmer would design a parser so it would output data
> in a different order than it was supplied in, even if the "standard"
> allowed that.
>

http://memedad.com/meme/343043




>
> Anders
>
>
>> On Tue, Dec 2, 2014 at 9:57 AM, Anders Rundgren <
>> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
>> wrote:
>>
>>     On 2014-12-02 18:20, Richard Barnes wrote:
>>
>>         When I wrote that, there was no flattened serialization.  I'm
>> currently revising to use JWS.
>>
>>
>>     So ACME will go from:
>>
>>     {
>>         "type": "certificateRequest",
>>         "csr": "5jNudRx6Ye4HzKEqT5...__FS6aKdZeGsysoCo4H9P",
>>         "signature": {
>>           "alg": "RS256",
>>           "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
>>           "sig": "KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ",
>>           "jwk": {
>>             "kty":"RSA",
>>             "e":"AQAB",
>>             "n":"KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ"
>>           }
>>         }
>>     }
>>
>>     to:
>>
>>     {
>>       "payload":"<payload contents>",
>>       "protected":"<integrity-__protected header contents>",
>>       "header":<non-integrity-__protected header contents>,
>>       "signature":"<signature contents>"
>>     }
>>
>>     That's not so cool (you don't see what it is anymore...), not to
>> mention how poorly
>>     it matches the JSON schema validation ACME seems to use.
>>
>>     JSON Cleartext Signatures rocks :-)
>>
>>     Anders
>>
>>
>>
>>         On Mon, Dec 1, 2014 at 9:02 PM, Manu Sporny <
>> msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com> <mailto:
>> msporny@digitalbazaar.__com <mailto:msporny@digitalbazaar.com>>> wrote:
>>
>>              Richard,
>>
>>              Quick question for you re: ACME - why did you decide to not
>> use the JWS
>>              base64-encoding mechanism in the signature for ACME?
>> Particularly,
>>              you've specified multiple canonicalization mechanisms
>> (signature-input).
>>
>>              The reason I'm asking is because we're trying to get some
>> insight into
>>              whether or not the base64-encoded approach should be used
>> when digitally
>>              signing credentials in the Credentials Community Group, or
>> if you
>>              suggest we specify our own canonicalization mechanism and
>> re-use the JWS
>>              alg/nonce/sig fields?
>>
>>              On 11/28/2014 09:04 AM, Anders Rundgren wrote:
>>               > https://github.com/__letsencrypt/acme-spec/blob/__
>> master/draft-barnes-acme.md <https://github.com/
>> letsencrypt/acme-spec/blob/master/draft-barnes-acme.md>
>>               >
>>               > {
>>               >   "type": "certificateRequest",
>>               >   "csr": "5jNudRx6Ye4HzKEqT5...__FS6aKdZeGsysoCo4H9P",
>>               >   "signature": {
>>               >     "alg": "RS256",
>>               >     "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
>>               >     "sig": "KxITJ0rNlfDMAtfDr8eAw...__
>> fSSoehDFNZKQKzTZPtQ",
>>               >     "jwk": {
>>               >       "kty":"RSA",
>>               >       "e":"AQAB",
>>               >       "n":"KxITJ0rNlfDMAtfDr8eAw...__fSSoehDFNZKQKzTZPtQ"
>>               >     }
>>               >   }
>>               > }
>>
>>              -- manu
>>
>>              --
>>              Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu
>> Sporny)
>>              Founder/CEO - Digital Bazaar, Inc.
>>              blog: The Marathonic Dawn of Web Payments
>>         http://manu.sporny.org/2014/__dawn-of-web-payments/ <
>> http://manu.sporny.org/2014/dawn-of-web-payments/>
>>
>>
>>
>>
>>
>
Received on Tuesday, 2 December 2014 18:33:12 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:21 UTC