Re: Updated: Re: Giving up on XML DSig => JSON

Hi Anders,

I think these are personal nits, so take them with a grain of salt.

> Canonicalization:
> - Sort properties
So, does that mean I reject anything that is not sorted? I'm happy to
do so if that's the rules.

If properties must be sorted, then I will process a message as so:
"properties must be sorted; these are not sorted; it's not a well-formed
message; reject".

>     "Now": "2013-08-30T07:56:08+02:00",
>     "ID": "lADU_sO067Wlgoo52-9L",
>     "STRINGS": ["One","Two","Three"],
>     "EscapeMe": "A\\\n\"",
>     "Intra": 78,
These are on the same level, but not sorted. I would reject this message.

If people are going to follow it as if it's a suggestion, then you
might as well leave it out.

>         "SignatureValue": "MEYCIQCCAxLBoPw5h8hW4M...L5t0XscOTPWXE67c1SCT"
I would prefer something that acts more like a detached signature.
MessageSignature could be the tuple {MessageId, SignatureValue}, with
MessageId acting like a [untrusted] hint.

But again, this is just my personal preference.

Jeff

On Sat, Aug 31, 2013 at 2:57 PM, Anders Rundgren
<anders.rundgren.net@gmail.com> wrote:
> Hi,
> Based on the _extremely_ useful feedback received, I have decided to update the proposed clear-text JSON Signature scheme.
>
> Canonicalization:
> - Remove whitespace
> - Unescape "strings"
> - Sort properties
>
> Signature scope: a JSON Signature signs the object (including possible child objects) it is declared in.
>
> That is, the final XML DSig "leftover", the awkward Reference has been shelved.
> I expect the resulting code to be even shorter than today :-)
>
>    {
>     "@context": "http://example.com/test-signature",
>     "Now": "2013-08-30T07:56:08+02:00",
>     "ID": "lADU_sO067Wlgoo52-9L",
>     "STRINGS": ["One","Two","Three"],
>     "EscapeMe": "A\\\n\"",
>     "Intra": 78,
>     "Signature":
>       {
>         "SignatureInfo":
>           {
>             "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
>             "KeyInfo":
>               {
>                 "SignatureCertificate":
>                   {
>                     "Issuer": "CN=Demo Sub CA,DC=webpki,DC=org",
>                     "SerialNumber": 1377713637130,
>                     "Subject": "CN=example.com,O=Example Organization,C=US"
>                   },
>                 "X509CertificatePath":
>                   [
>                     "MIIClzCCAX+gAwIBAgIG...RBYG3uk9W/uNIHdoyQn19w=="
>                   ]
>               }
>           },
>         "SignatureValue": "MEYCIQCCAxLBoPw5h8hW4M...L5t0XscOTPWXE67c1SCT"
>       },
>   }
>
> The sample shows the new KeyGen2 message structure which has been derived from JSON-LD (@context)
>
> https://openkeystore.googlecode.com/svn/resources/trunk/docs/Enveloped-JSON-Signatures.pdf
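The three canonicalization rules and the two signature shapes discussed in this thread (Anders's enveloped "Signature" property, Jeff's detached {MessageId, SignatureValue} tuple), as an added example in Python. This is not code from the OpenKeyStore/KeyGen2 project or the linked PDF. It assumes: "sort properties" means ordering keys by Unicode code point; "unescape strings" means normalising escape sequences so that `"\u0041"` and `"A"` canonicalize to the same bytes; the enveloped signature covers the canonical form of the object holding "Signature" with "SignatureValue" removed; and HMAC-SHA256 stands in for the ECDSA-SHA256 algorithm named in the sample so that it runs with the standard library alone. The sample message, key and Algorithm URI are constructed for the example.

```python
"""Canonical JSON plus enveloped and detached signature checks.

Added example, not project code. Assumptions (not fixed by the mail):
  * "Sort properties"   = object keys ordered by Unicode code point.
  * "Remove whitespace" = no whitespace outside string values.
  * "Unescape strings"  = escapes normalised: "\\u0041" == "A"; only quote,
                          backslash and control characters stay escaped.
  * Enveloped scope     = canonical form of the object that holds "Signature",
                          with "SignatureValue" removed (it cannot cover itself).
  * HMAC-SHA256 stands in for the sample's ECDSA-SHA256.
"""
import copy
import hashlib
import hmac
import json


class NotCanonical(ValueError):
    """Raised when a message on the wire violates the canonical form."""


def canonicalize(obj) -> bytes:
    """Canonical bytes: sorted keys, no whitespace, minimal string escaping."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def _sorted_pairs(pairs):
    # Jeff's reading of the rule: not sorted => not well-formed => reject.
    keys = [k for k, _ in pairs]
    if keys != sorted(keys):
        raise NotCanonical(f"properties not sorted: {keys}")
    if len(set(keys)) != len(keys):
        # Not on the page; duplicate keys would make the canonical form ambiguous.
        raise NotCanonical(f"duplicate property in: {keys}")
    return dict(pairs)


def parse_strict(text: str):
    """Parse wire JSON, rejecting any object whose keys are not sorted."""
    return json.loads(text, object_pairs_hook=_sorted_pairs)


def is_canonical(text: str) -> bool:
    try:
        parse_strict(text)
        return True
    except NotCanonical:
        return False


def signed_bytes(message: dict) -> bytes:
    """Bytes an enveloped signature covers (assumed scope, see module docstring)."""
    unsigned = copy.deepcopy(message)
    unsigned.get("Signature", {}).pop("SignatureValue", None)
    return canonicalize(unsigned)


def sign_enveloped(message: dict, key: bytes, signature_info: dict) -> dict:
    """Return a copy of the message with a Signature property attached."""
    signed = copy.deepcopy(message)
    signed["Signature"] = {"SignatureInfo": signature_info}
    mac = hmac.new(key, signed_bytes(signed), hashlib.sha256).hexdigest()
    signed["Signature"]["SignatureValue"] = mac
    return signed


def verify_enveloped(message: dict, key: bytes) -> bool:
    given = str(message.get("Signature", {}).get("SignatureValue", ""))
    expected = hmac.new(key, signed_bytes(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


def sign_detached(message: dict, key: bytes) -> dict:
    """Jeff's alternative: a {MessageId, SignatureValue} tuple kept outside the message."""
    mac = hmac.new(key, canonicalize(message), hashlib.sha256).hexdigest()
    return {"MessageId": message["ID"], "SignatureValue": mac}


def verify_detached(message: dict, message_signature: dict, key: bytes) -> bool:
    """MessageId is only an untrusted lookup hint; the MAC over the bytes decides."""
    if message_signature.get("MessageId") != message.get("ID"):
        return False
    expected = hmac.new(key, canonicalize(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(message_signature.get("SignatureValue", "")))


# Constructed from the sample in the mail, without its Signature property.
SAMPLE_TEXT = r'''{
  "@context": "http://example.com/test-signature",
  "Now": "2013-08-30T07:56:08+02:00",
  "ID": "lADU_sO067Wlgoo52-9L",
  "STRINGS": ["One","Two","Three"],
  "EscapeMe": "A\\\n\"",
  "Intra": 78
}'''
SAMPLE_MESSAGE = json.loads(SAMPLE_TEXT)
KEY = b"constructed-demo-key"                            # constructed, not from the page
SIGNATURE_INFO = {"Algorithm": "urn:example:hmac-sha256"}  # constructed stand-in URI

if __name__ == "__main__":
    print("sample as written is canonical:", is_canonical(SAMPLE_TEXT))  # False
    canon = canonicalize(SAMPLE_MESSAGE)
    print(canon.decode())
    print("canonical form is accepted:", is_canonical(canon.decode()))  # True
    signed = sign_enveloped(SAMPLE_MESSAGE, KEY, SIGNATURE_INFO)
    print("enveloped verify:", verify_enveloped(signed, KEY))  # True
    signed["Intra"] = 79
    print("after tampering:", verify_enveloped(signed, KEY))  # False
```

Run as a script it shows that the sample exactly as posted fails the strict parser (its top-level keys are not in order), while the canonicalized re-serialization of the same data is accepted and round-trips to the same object, which is the behaviour Jeff describes.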

Received on Saturday, 31 August 2013 19:31:16 UTC