W3C home > Mailing lists > Public > public-webpayments@w3.org > September 2013

Re: Updated: Re: Giving up on XML DSig => JSON

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 01 Sep 2013 20:46:13 +0200
Message-ID: <52238B75.2090807@gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
CC: public-webpayments@w3.org
On 2013-09-01 18:36, Manu Sporny wrote:
> On 08/30/2013 11:21 PM, Anders Rundgren wrote:
>>         "SignatureInfo":
>>           {
>>             "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
>>             "KeyInfo":
>>               {
>>                 "SignatureCertificate":
>>                   {
>>                     "Issuer": "CN=Demo Sub CA,DC=webpki,DC=org",
>>                     "SerialNumber": 1377713637130,
>>                     "Subject": "CN=example.com,O=Example Organization,C=US"
>>                   },
>>                 "X509CertificatePath":
>>                   [
>>                     "MIIClzCCAX+gAwIBAgIG...RBYG3uk9W/uNIHdoyQn19w=="
>>                   ]
>>               }
>>           },
> 
> Why don't you just condense the entire KeyInfo object into a URL? Why
> not express the key data in PEM format, since you're already depending
> on X509? This is what we do for the Web Payments stuff. Look at the
> "creator" entry in the "signature":
> 
> https://payswarm.com/specs/source/vocabs/security#signature

I think there are multiple reasons to why it looks as it does.

First, the initial (maybe the only) application for this scheme
is KeyGen2 which is a system for issuing and managing keys.
To implement it requires very detailed knowledge of keys and
algorithms in both ends.  PEM would obscure the keys which
isn't ideal for KeyGen2.

The keys are only occasionally available on the Internet so
URLs wouldn't cover the most likely [KeyGen2] use-case where a client
sends a generated public key to the issuer.

http://webpki.org/papers/keygen2/keygen2.junit.run.html#KeyCreationRequest.ServerCertificate.1

However, I have added URL as one variant of "KeyInfo".
https://openkeystore.googlecode.com/svn/resources/trunk/docs/JSON-Clear-Text-Signature-Scheme.pdf

But I guess the most important reason for using keys with parameters
is because that is already standard in XML and ASN.1-based schemes.
The crypto "elite" (which I don't belong to) demand these parameters :-)

Cheers,
Anders

> 
> Do this to get an example of what one of the keys looks like:
> 
> curl -H "https://dev.payswarm.com/i/manu/keys/20"
> 
> -- manu
> 
Received on Sunday, 1 September 2013 18:46:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:24 UTC