W3C home > Mailing lists > Public > public-credentials@w3.org > December 2014

Re: JOSE author didn't use JWS. Was: Digital Signatures for Credentials

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 02 Dec 2014 20:00:28 +0100
Message-ID: <547E0C4C.2080107@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
CC: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org
On 2014-12-02 19:32, Richard Barnes wrote:

 > http://memedad.com/meme/343043

Of course I don't object to that :-)

What I do object to is the idea that it would be impossible/bad/whatever
stretching Tim Bray's JSON-I spec. so that it mandated that compliant
JSON-I parsers would not be allowed to "reorganize" input data.

Anders

>
>
> On Tue, Dec 2, 2014 at 10:29 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2014-12-02 19:09, Richard Barnes wrote:
>
>         Human-readability is only a very minor part of the objectives here.  Base64 deserialization is not a major issue.
>
>
>     This departs from the thoughts behind JSON's predecessor, XML.
>
>     Anyway, I'm sure many other organizations will use JSON clear-text signatures
>     (home-brewed though since there is no such standard), particularly since it has
>     been found out to be compliant with at least the browser parsers.  That this
>     is the case has a trivial explanation:
>
>     Only a bad programmer would design a parser so it would output data
>     in a different order than it was supplied in, even if the "standard"
>     allowed that.
>
>
> http://memedad.com/meme/343043
>
>
>
>     Anders
>
>
>         On Tue, Dec 2, 2014 at 9:57 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@__gmail.com <mailto:anders.rundgren.net@gmail.com>>> wrote:
>
>              On 2014-12-02 18:20, Richard Barnes wrote:
>
>                  When I wrote that, there was no flattened serialization.  I'm currently revising to use JWS.
>
>
>              So ACME will go from:
>
>              {
>                  "type": "certificateRequest",
>                  "csr": "5jNudRx6Ye4HzKEqT5...____FS6aKdZeGsysoCo4H9P",
>                  "signature": {
>                    "alg": "RS256",
>                    "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
>                    "sig": "KxITJ0rNlfDMAtfDr8eAw...____fSSoehDFNZKQKzTZPtQ",
>                    "jwk": {
>                      "kty":"RSA",
>                      "e":"AQAB",
>                      "n":"KxITJ0rNlfDMAtfDr8eAw...____fSSoehDFNZKQKzTZPtQ"
>                    }
>                  }
>              }
>
>              to:
>
>              {
>                "payload":"<payload contents>",
>                "protected":"<integrity-____protected header contents>",
>                "header":<non-integrity-____protected header contents>,
>                "signature":"<signature contents>"
>              }
>
>              That's not so cool (you don't see what it is anymore...), not to mention how poorly
>              it matches the JSON schema validation ACME seems to use.
>
>              JSON Cleartext Signatures rocks :-)
>
>              Anders
>
>
>
>                  On Mon, Dec 1, 2014 at 9:02 PM, Manu Sporny <msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com> <mailto:msporny@digitalbazaar.__com <mailto:msporny@digitalbazaar.com>> <mailto:msporny@digitalbazaar. <mailto:msporny@digitalbazaar.>____com <mailto:msporny@digitalbazaar.__com <mailto:msporny@digitalbazaar.com>>>> wrote:
>
>                       Richard,
>
>                       Quick question for you re: ACME - why did you decide to not use the JWS
>                       base64-encoding mechanism in the signature for ACME? Particularly,
>                       you've specified multiple canonicalization mechanisms (signature-input).
>
>                       The reason I'm asking is because we're trying to get some insight into
>                       whether or not the base64-encoded approach should be used when digitally
>                       signing credentials in the Credentials Community Group, or if you
>                       suggest we specify our own canonicalization mechanism and re-use the JWS
>                       alg/nonce/sig fields?
>
>                       On 11/28/2014 09:04 AM, Anders Rundgren wrote:
>                        > https://github.com/____letsencrypt/acme-spec/blob/____master/draft-barnes-acme.md <https://github.com/__letsencrypt/acme-spec/blob/__master/draft-barnes-acme.md> <https://github.com/__letsencrypt/acme-spec/blob/__master/draft-barnes-acme.md <https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md>>
>                        >
>                        > {
>                        >   "type": "certificateRequest",
>                        >   "csr": "5jNudRx6Ye4HzKEqT5...____FS6aKdZeGsysoCo4H9P",
>                        >   "signature": {
>                        >     "alg": "RS256",
>                        >     "nonce": "h5aYpWVkq-xlJh6cpR-3cw",
>                        >     "sig": "KxITJ0rNlfDMAtfDr8eAw...____fSSoehDFNZKQKzTZPtQ",
>                        >     "jwk": {
>                        >       "kty":"RSA",
>                        >       "e":"AQAB",
>                        >       "n":"KxITJ0rNlfDMAtfDr8eAw...____fSSoehDFNZKQKzTZPtQ"
>                        >     }
>                        >   }
>                        > }
>
>                       -- manu
>
>                       --
>                       Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>                       Founder/CEO - Digital Bazaar, Inc.
>                       blog: The Marathonic Dawn of Web Payments
>         http://manu.sporny.org/2014/____dawn-of-web-payments/ <http://manu.sporny.org/2014/__dawn-of-web-payments/> <http://manu.sporny.org/2014/__dawn-of-web-payments/ <http://manu.sporny.org/2014/dawn-of-web-payments/>>
>
>
>
>
>
>
Received on Tuesday, 2 December 2014 19:01:03 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:21 UTC