Re: Note on JSON signing

@Stefan,

You mention you're drafting an email on why you didn't think the W3C Secure
Messaging spec was a good solution, as well as asking Melvin about his
implementation.

I hesitate to jump in on this, as I'm not really qualified to engage on the
technology issues per se. However, without fully understanding the
technical requirements or issues at the messaging level, I wanted to note
some other Secure and Reliable Messaging standards in different but related
domains that may be emerging as global standards. (Indeed, I happen to
think that these will either eventually converge, or one of them will
definitively win).

   - B2B: ebMS 3.0, and specifically its simplified profile, AS4 (spec here
   <http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/AS4-profile/v1.0/os/AS4-profile-v1.0-os.html>,
   news release here
   <https://www.oasis-open.org/news/pr/as4-profile-of-ebms-3-0-becomes-oasis-standard>,
   Holodeck open source implementation here <http://holodeck-b2b.org/>).
   ebMS 3.0 was based on a convergence of the earlier ebMS B2B messaging
   standard and related Web Services standards.
   - Middleware: AMQP (main site <https://www.amqp.org/>,
   spec <https://www.rabbitmq.com/resources/specs/amqp0-9-1.pdf>,
   and RabbitMQ open source implementation
   <https://www.rabbitmq.com/protocol.html>)

If even the W3C Secure Messaging spec is not a good fit, then perhaps these
other specs are an even less good fit. But there may be some offsetting
advantages to consider.

Doubtless there's some additional complexity in these specifications vs
lighter weight alternatives that may be under consideration. But to the
extent that robust open source implementations are available, I wonder what
the residual difference in complexity really is. On a more positive note,
there are presumably some non-trivial advantages in using a Secure and
Reliable Messaging spec that already has material traction and adoption
elsewhere.

If there's any interest in discussing their potential applicability on this
list, I'd be happy to invite someone with more technical expertise than me
to participate.

Regards,
Roger

On Mon, Mar 14, 2016 at 1:27 PM, Melvin Carvalho <melvincarvalho@gmail.com>
wrote:

>
>
> On 14 March 2016 at 21:01, Stefan Thomas <stefan@ripple.com> wrote:
>
>> @Dave: Thanks for the link. Can you explain the relationship between
>> Secure Messaging 1.0 [1] and Linked Data Signatures? That was one of the
>> things I was confused about.
>>
>> @Melvin: I'm working on an email to provide more detail as to why I
>> didn't think Secure Messaging would be a good solution. You say that you've
>> used it, if you could link me to your implementation that would help. (I
>> found an implementation for Linked Data Signatures [2], but not Secure
>> Messaging.)
>>
>
> OK, sorry, didn't realize you had yet to reply.  I saw you reply to some
> others, and thought my response didn't get through.
>
> Normalization is really easy, it's in the json-ld npm library:
>
> // normalize a document using the RDF Dataset Normalization Algorithm
> // (URDNA2015), see: http://json-ld.github.io/normalization/spec/
> var jsonld = require('jsonld');
>
> var doc = { /* the JSON-LD document to normalize goes here */ };
>
> jsonld.normalize(doc, {
>   algorithm: 'URDNA2015',
>   format: 'application/nquads'
> }, function(err, normalized) {
>   if (err) { throw err; }
>   // normalized is a string that is a canonical representation of the document
>   // that can be used for hashing, comparison, etc.
> });
>
> https://www.npmjs.com/package/jsonld
>
>>
>> [1]
>> https://web-payments.org/specs/source/secure-messaging/#message-signature-algorithm
>> [2] https://github.com/digitalbazaar/jsonld-signatures
>>
>> On Mon, Mar 14, 2016 at 12:48 PM, Dave Longley <
>> dlongley@digitalbazaar.com> wrote:
>>
>>> On 03/14/2016 02:47 PM, Shane McCarron wrote:
>>>
>>>> Hmm - Melvin, do you have a pointer to the normalize spec?  Sorry -
>>>> there are a lot of specs flying around.
>>>>
>>>
>>> This is RDF Dataset Normalization (Canonicalization):
>>>
>>> https://json-ld.github.io/normalization/spec/
>>>
>>> This is Linked Data Signatures, which uses it:
>>>
>>> https://web-payments.org/specs/source/ld-signatures/
>>>
>>>
>>> --
>>> Dave Longley
>>> CTO
>>> Digital Bazaar, Inc.
>>> http://digitalbazaar.com
>>>
>>
>>
>

Received on Monday, 14 March 2016 22:23:01 UTC