Re: [jose] draft-jones-jose-jws-signing-input-options 00
"Jim Schaad" <ietf@augustcellars.com> Fri, 18 September 2015 19:49 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C15B11B3319 for <jose@ietfa.amsl.com>; Fri, 18 Sep 2015 12:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ehXe8IZBscQm for <jose@ietfa.amsl.com>; Fri, 18 Sep 2015 12:49:51 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BCE41B3317 for <jose@ietf.org>; Fri, 18 Sep 2015 12:49:51 -0700 (PDT)
Received: from hebrews (unknown [98.203.170.101]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id B3CC138F09; Fri, 18 Sep 2015 12:49:50 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Sergey Beryozkin' <sberyozkin@gmail.com>
References: <041c01d0cda1$16b7fe10$4427fa30$@augustcellars.com> <BY2PR03MB442CFD69CA29CD1AB023D2BF5700@BY2PR03MB442.namprd03.prod.outlook.com> <002f01d0d33b$e43febf0$acbfc3d0$@augustcellars.com> <BY2PR03MB4429E9046EA98DA60846EECF55D0@BY2PR03MB442.namprd03.prod.outlook.com> <55F69B27.2050102@gmail.com>
In-Reply-To: <55F69B27.2050102@gmail.com>
Date: Fri, 18 Sep 2015 12:47:28 -0700
Message-ID: <00d401d0f24a$d9ba20a0$8d2e61e0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQILygi2CSFxH1Eo8wINc0yOYtNZgQJJC0G2Ac3A/qYCS5lgIgFAFH3znY/tFTA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/pQ376S7foZ-r9Tc__XT4haug8GU>
Cc: jose@ietf.org
Subject: Re: [jose] draft-jones-jose-jws-signing-input-options 00
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2015 19:49:52 -0000
Yes I think you have missed the point of the discussion. The question was dealing with the possibility of doing a content transfer encoding using %## in order to make unsafe content safe. The value to be signed was not going to change. This is the same as looking at "$.02" and "\u0024.02" where both are legal JSON encodings of the same string and the internal representation is going to be the same even if the string in the file is different. Jim > -----Original Message----- > From: Sergey Beryozkin [mailto:sberyozkin@gmail.com] > Sent: Monday, September 14, 2015 3:02 AM > To: Mike Jones <Michael.Jones@microsoft.com>; Jim Schaad > <ietf@augustcellars.com>; draft-jones-jose-jws-signing-input- > options@tools.ietf.org > Cc: jose@ietf.org > Subject: Re: [jose] draft-jones-jose-jws-signing-input-options 00 > > Hi Mike, Jim, All, > > Only one comment, > > > > Are % characters URL safe? What if my content for compact is > > %24.02 > > > > > (or whatever the correct code for $ is). Would I remove that > > serialization as well? > > > > That's a good question. More to the point, would we want to consider > > allowing the period to also be escaped by representing "$.02" as > > "%24%2E02", rendering the payload URL-safe and parseable. It would > > mean that we would end up defining that RFC 3986 percent-encoding be > > used for unencoded JWS Compact Serialization payloads, when needed. > > > > What do others think about whether we should go there or not? To me, > > it seems like a worthwhile experiment to at least write it down and > > see what we think of it. > > > > Mike> Per RFC 3986, % is not URL-safe (although is it used for > > www-form-url-encoding of characters as %<hex><hex>). If we allow %, > > it opens up a Pandora's box of a bunch of choices we need to make, as > > well as possibilities. I'll send a message specifically about those > > choices and possibilities to the working group (but not tonight). > > > Sorry if I just missed the point, but IMHO processing the payload should be left > up to the application which gets it from a JWS. > I.e, > > "$.02" > "%24%2E02" > > are two different representations for the purpose of signing/validating them. > "b64" does not only help making JWS JSON payload easier to understand by > humans (in logs or tcp traces) but is also an optimization (no need to base64- > encode). Having to check every character in such a payload to make sure '.' is > percent-encoded kind makes this optimization much less effective, IMHO. > Besides, JWS JSON are not meant to be URI safe payloads, I recall reading about > it. > May be it is more useful for detached payloads... > > Thanks, Sergey
- [jose] draft-jones-jose-jws-signing-input-options… Jim Schaad
- [jose] draft-jones-jose-jws-signing-input-options… Anders Rundgren
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Nat Sakimura
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Mike Jones
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Jim Schaad
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Mike Jones
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Mike Jones
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Sergey Beryozkin
- Re: [jose] draft-jones-jose-jws-signing-input-opt… Jim Schaad