Re: M2M DID Auth

On 2020-05-27 22:37, Leonard Rosenthol wrote:
> Thanks for the detailed response, Justin!  I will take this back with me to ETSI and make sure that we align…
> 
> I’ll do my best to participate where and when I can…appreciate the links.
> 
> Leonard

For completeness:

A method for canonicalizing JSON (or, to be more correct, the I-JSON subset) is currently in the RFC editor's queue in the form of an Independent Stream submission:
https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-17

JCS enables "Clear text signed JSON" in the same manner as XMLDsig did but at 5% of the complexity.
The Nodejs version has been downloaded millions of times so apparently there is some interest in this as well.

JCS can easily be combined with JWS which you can test in an on-line service: https://mobilepki.org/jws-jcs/home

Personally, I have taken this one step further since Base64Url encoding of header data is entirely redundant if you have canonicalization: https://cyberphone.github.io/doc/security/jsf.html

How does this relate to "Signed HTTP", you may rightfully wonder.  Well, the pragmatic approach I have taken in Saturn has proved to be quite useful.  That is, don't use HTTP headers for conveying data that needs to be signed, with the URL as the sole exception.

Then you end up with messages like:
{
  "recipientUrl": "https://example.com/transact",
  "timeStamp": "2020-05-20T10:00:00Z",

  ...other JSON data

  "signature": {
    "algorithm": "ES256",
    "publicKey": {
      "kty": "EC",
      "crv": "P-256",
      "x": "censDzcMEkgiePz6DXB7cDuwFemshAFR90UNVQFCg8Q",
      "y": "xq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeY"
    },
    "value": "EaGSWKQK6DFHVe8RJHlhA5c3qKSN1Gjh....Pdi6vaxdA8ofiAW6Py-wxWUNFxybSTAA"
  }
}

Unlike the "detached" solutions that are currently on the table, this method enables serialization, embedding, and counter-signing of HTTP requests.

Sincerely,
Anders Rundgren
https://cyberphone.github.io/openbankingwallet/

Received on Thursday, 28 May 2020 03:10:00 UTC