Re: [jose] Review Comments: Web Payments, Secure Messaging, and JOSE
Manu Sporny <msporny@digitalbazaar.com> Mon, 23 December 2013 22:31 UTC
Return-Path: <msporny@digitalbazaar.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7498E1AE229 for <jose@ietfa.amsl.com>; Mon, 23 Dec 2013 14:31:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.896
X-Spam-Level:
X-Spam-Status: No, score=0.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VrQP-I4Q2M8G for <jose@ietfa.amsl.com>; Mon, 23 Dec 2013 14:31:25 -0800 (PST)
Received: from mail.digitalbazaar.com (unknown [216.252.204.51]) by ietfa.amsl.com (Postfix) with ESMTP id 0A1AE1AE0B0 for <jose@ietf.org>; Mon, 23 Dec 2013 14:31:25 -0800 (PST)
Received: from [192.168.100.5] by mail.digitalbazaar.com with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1VvE1v-00005U-RZ for jose@ietf.org; Mon, 23 Dec 2013 17:31:21 -0500
Message-ID: <52B8B9B2.1040309@digitalbazaar.com>
Date: Mon, 23 Dec 2013 17:31:14 -0500
From: Manu Sporny <msporny@digitalbazaar.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.4) Gecko/20120510 Icedove/10.0.4
MIME-Version: 1.0
To: JOSE WG <jose@ietf.org>
References: <52A8DCBC.6030801@digitalbazaar.com> <255B9BB34FB7D647A506DC292726F6E115376CFF47@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E115376CFF47@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [jose] Review Comments: Web Payments, Secure Messaging, and JOSE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Dec 2013 22:31:26 -0000
On 12/16/2013 06:34 PM, Manger, James wrote: > There might be some nice ideas in the JSON-LD-based Secure > Messaging. However, a crypto spec that uses encryption without > authentication (no AEAD), uses raw CBC mode, The spec has been updated, it uses GCM now. We thought picking the final authenc algorithm now would be premature. We had considered that the side-channel attacks would be a problem for reviewers but hadn't updated the spec because we wanted to have a more detailed discussion w/ the security community before picking an authenc algorithm. We may not pick GCM in the end, but just picked that one right now so that this wouldn't continue to be a distraction. The spec is rough, implementations lead it by many months. What we're trying to get feedback on right now is the overall approach. We'll put more work into polishing up the spec as soon as we've determined that there are no serious issues with the approach. > thinks CBC stands for *cyclic* block chaining, A typo in the spec, fixed. > puts "BEGIN *PRIVATE* KEY" in a field named publicKeyPem, A typo in the blog post, fixed. > requires RDF Graph Normalization that seems far removed from JSON, We actually started out with a JSON-based normalization algorithm. We quickly discovered that we could generalize the normalization to not just JSON, but a general graph-based data model. This is useful when you're exchanging Linked Data like the Web Payments work does. We are able to use the same normalization scheme for a variety of Linked Data languages (JSON-LD, RDFa, Microdata, Turtle, NQuads, etc.). So, one could express the data in HTML5+RDFa (via a web page) or JSON-LD (via a REST API) and share the same digital signature since the sig is on the information and not the structure of the JSON message. That's not to say that the normalization algorithm couldn't be switched out pretty easily, but to date we haven't had a need for another one that is JSON specific. If that need arises, the only modification to the Secure Messaging spec that would be needed would be to define the @type of that normalization algorithm. For example: "signature": { "@type": "JsonSignature2014", <-- this is the only change necessary "creator": "http://example.org/manu/keys/5", "created": "2013-08-04T17:39:53Z", "signatureValue": "OGQzN ... IyZTk=" } JSON-LD[1] expresses Linked Data[2]. The data model is a graph of information (like the Web). We digitally sign that information at the data model layer, not the JSON syntax layer. Doing so allows us to use the same digital signature across a variety of syntaxes. It's more flexible than just hard coding the normalization algorithm to JSON. -- manu [1] http://www.youtube.com/watch?v=vioCbTo3C-4 [2] http://www.youtube.com/watch?v=4x_xzT5eF5Q -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: The Worlds First Web Payments Workshop http://www.w3.org/2013/10/payments/
- [jose] Review Comments: Web Payments, Secure Mess… Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Harry Halpin
- Re: [jose] Review Comments: Web Payments, Secure … Karen O'Donoghue
- Re: [jose] Review Comments: Web Payments, Secure … Luke Howard
- Re: [jose] Review Comments: Web Payments, Secure … John Bradley
- Re: [jose] Review Comments: Web Payments, Secure … Anders Rundgren
- Re: [jose] Review Comments: Web Payments, Secure … Dirkjan Ochtman
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Manger, James
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Luke Howard
- [jose] Base64-encoded signed data sux big-time. W… Anders Rundgren
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Luke Howard
- Re: [jose] Review Comments: Web Payments, Secure … Axel Nennker
- Re: [jose] Review Comments: Web Payments, Secure … Peter Saint-Andre
- Re: [jose] Review Comments: Web Payments, Secure … Anders Rundgren
- Re: [jose] Review Comments: Web Payments, Secure … Manu Sporny
- Re: [jose] Review Comments: Web Payments, Secure … Axel Nennker
- Re: [jose] Review Comments: Web Payments, Secure … Anders Rundgren