Re: Web Object Encryption and Signing (WOES) at IETF

On 18 Feb 2011, at 16:48, Peter Williams wrote:

> What string embedding in der does is: work with last 5 years browsers (a goal still?), and brute canonicalization.
> 
> Making encoding rules for asn1 (to json) is no harder than it was making encoding rules for der, ber, per, XML, and lisp. Making readable json is harder though (and in w3c forum, focussing on webiness, this is an adoption dependency issue).
> 
> Without the embedding trick, one has to canonicalize the json "natively" (strictly, including char set issues, Unicode multi encodings etc). 

Yes, my intervention below does not focus on encryption of JSON. That is a lot more problematic and, I can imagine, requires an IETF working group.

For me it's easier to put all documents behind https, have users publish the public key as specified below for WebID authentication and do access control: only allow authorised users to retrieve the document. There you get on the fly encryption of any content you send.


> 
> On Feb 18, 2011, at 2:25 AM, Henry Story <henry.story@bblfish.net> wrote:
> 
>> 
>> On 18 Feb 2011, at 11:01, Peter Williams wrote:
>> 
>>> There seem to be two ways to approach it: just as there exist encoding rules to code asn1 abstract values (in cert type) as XML, there could be code to json, instead. Or, a native structure is defined in json, assuming it can be canonicalized.
>> 
>> The simplest way to add a public key in json is to specify some public key struct and to 
>> specify the modulus and exponent. 
>> 
>> { "a": "foaf:Person",
>> "foaf:name": "Jack",
>> "webids": [ "http://example.com/#me" ]
>> "publicKeys": [ { "a": "rsa:RSAPublicKey",
>>                "modulus": "..."
>>                "exponent": "..." } ]
>> }
>> 
>> Anyway, I am not a JSON expert. There are JSON RDF notations. 
>> If not that, one should tie the above to a JSON GRDDL
>> 
>>   http://buzzword.org.uk/2008/jsonGRDDL/spec
>> 
>> So that we can work with multiple formats without all needing to know the details of every
>> person's syntactic, notational preferences.
>> 
>>> A third approach does exist. A very minimal der-encoded cert exists, with 1 string extension: some json with native coding of xyz control system (eg pkix). H.p and I once suggested this, where JavaScript was used rather than json values. It was laughed at, at the time (when pki was at its zenith).
>> 
>> That is the wrong solution. To add DER into JSON is to think that DER has some special magic about it.
>> The only place where DER is good is in signing. But as it happens, we don't need to sign anything here, and if signing were to be useful it would be for the whole JSON. To go down to DER because of its signing capacity is very masochistic.
>> 
>> If you really want ASN.1 formats, I suggest someone spend time working on an ASN.1 GRDDL. That would allow any new format of ASN.1 to be converted to work with everything else. Though I think we may need the semweb to adopt named graphs more clearly.
>> 
>>> 
>>> 
>>> 
>>> On Feb 17, 2011, at 2:34 PM, Nathan <nathan@webr3.org> wrote:
>>> 
>>>> Peter Saint-Andre wrote:
>>>>> Dear WebID folks,
>>>>> Given the discussions here about simplifying the representation of
>>>>> public keys, you might want to know that some IETF participants have
>>>>> established a dedicated email list for discussion about requirements and
>>>>> potential implementation of JSON to provide security services for
>>>>> Web-based applications. You can subscribe here:
>>>>> https://www.ietf.org/mailman/listinfo/woes
>>>>> In addition, an informal side meeting is planned for this topic at IETF
>>>>> 80 in Prague during the week of March 28.
>>>> 
>>>> wonderful, and good to see all the sec groups getting pinged about it, we (over in this xg) should definitely keep tabs and be as involved as we can - imo of course.
>>>> 
>>>> Cheers Peter,
>>>> 
>>>> Nathan
>>>> 
>>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 

Social Web Architect
http://bblfish.net/
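As an added example, not code from the thread or from any WebID project: a small Python parser for the profile shape Henry sketches above. It turns the modulus and exponent into integers regardless of hex spacing or case, and shows the "native" JSON canonicalisation Peter refers to (key order, whitespace, Unicode normal form). The profile text and key values below are constructed placeholders, and the hex encoding of the numbers is an assumption, not something the thread specifies.

```python
import hashlib
import json
import re
import unicodedata

# Constructed sample in the profile shape proposed in the thread. The modulus is a
# short placeholder, not a real RSA key; hex with optional spaces is an assumption.
SAMPLE_PROFILE = """
{ "a": "foaf:Person",
  "foaf:name": "Jack",
  "webids": [ "http://example.com/#me" ],
  "publicKeys": [ { "a": "rsa:RSAPublicKey",
                    "modulus": "c0 ff ee 12 34 56 78 9a bc de f0 01",
                    "exponent": "010001" } ]
}
"""

def parse_hex(value):
    """Hex string (spaces/newlines allowed, any case) -> int; reject anything else."""
    digits = re.sub(r"\s+", "", value)
    if not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError("modulus/exponent must be hex digits")
    return int(digits, 16)

def parse_profile(text):
    """Return (webids, keys); keys is a list of (modulus, exponent) integer pairs."""
    doc = json.loads(text)
    if doc.get("a") != "foaf:Person":
        raise ValueError("not a foaf:Person profile")
    keys = []
    for k in doc.get("publicKeys", []):
        if k.get("a") != "rsa:RSAPublicKey":
            continue  # skip key types this parser does not understand
        # A real verifier would also enforce a minimum modulus size here.
        keys.append((parse_hex(k["modulus"]), parse_hex(k["exponent"])))
    return list(doc.get("webids", [])), keys

def canonical_json(obj):
    """Native canonicalisation: NFC-normalise strings, sort keys, drop whitespace."""
    def norm(x):
        if isinstance(x, str):
            return unicodedata.normalize("NFC", x)
        if isinstance(x, list):
            return [norm(i) for i in x]
        if isinstance(x, dict):
            return {norm(k): norm(v) for k, v in x.items()}
        return x
    return json.dumps(norm(obj), sort_keys=True, separators=(",", ":"), ensure_ascii=False)

def key_fingerprint(n, e):
    """Stable key identifier, independent of how the hex was spaced or cased."""
    return hashlib.sha256(canonical_json({"n": n, "e": e}).encode("utf-8")).hexdigest()
```

Comparing keys by integer value (or by this fingerprint) rather than by the raw string avoids treating "C0FFEE" and "c0 ff ee" as different keys.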

Received on Friday, 18 February 2011 16:30:13 UTC