I also think that it is better to have key_id for interoperability. <div><br></div><div>The delta is small enough that hopefully it should not matter too much for them to include those as well. </div><div><br></div><div>=nat</div>
<div><br><div class="gmail_quote">On Fri, Oct 8, 2010 at 1:54 AM, John Bradley <span dir="ltr"><<a href="mailto:jbradley@mac.com">jbradley@mac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">I think Nat was proposing that if the default signing alg is HMAC-SHA256 then we would not need to insert the element containing the signing info into whatever JSON object was being signed.<div>
<br></div><div>However we have key_id as REQUIRED so we need to insert that element unless we remove the requirement.</div><div><br></div><div>I do understand that in the simplest of cases you may not need it, however I think it is better to include it.</div>
<div><br></div><div>John B.</div><div><div></div><div class="h5"><div><br></div><div><br><div><div>On 2010-10-07, at 2:44 AM, Anthony Nadalin wrote:</div><br><blockquote type="cite"><span style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><div lang="EN-US" link="blue" vlink="purple">
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)">I don’t see why the key_id would have to be removed</span></div>
<div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)"> </span></div>
<div><div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-width:initial;border-color:initial;border-top-style:solid;border-top-color:rgb(181, 196, 223);border-top-width:1pt;padding-top:3pt;padding-right:0in;padding-bottom:0in;padding-left:0in">
<div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><b><span style="font-size:10pt;font-family:Tahoma, sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma, sans-serif"><span> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab-bounces@lists.openid.net</a><span> </span>[mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>John Bradley<br>
<b>Sent:</b><span> </span>Wednesday, October 06, 2010 6:22 PM<br><b>To:</b><span> </span>Nat Sakimura<br><b>Cc:</b><span> </span><a href="mailto:openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b><span> </span>Re: [Openid-specs-ab] The other JSS envelope structure</span></div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">I see.</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">We would need to remove key_id as REQUIRED for HMAC-SHA256 to make that work.</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
So if you are using it in a proprietary situation you could omit the key_id. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
I think that is probably a bad idea for interoperability. It works for them because the protocol is effectively closed a RP would only ever have one key.</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">John B.</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">On 2010-10-06, at 8:48 PM, Nat Sakimura wrote:</div>
</div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><br><br></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
FYI, this is the page that describes Facebook signature. </div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><a href="http://developers.facebook.com/docs/authentication/canvas" style="color:blue;text-decoration:underline" target="_blank">http://developers.facebook.com/docs/authentication/canvas</a></div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:12pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
=nat</p><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">On Thu, Oct 7, 2010 at 9:05 AM, John Bradley <<a href="mailto:jbradley@mac.com" style="color:blue;text-decoration:underline" target="_blank">jbradley@mac.com</a>> wrote:</div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">Good point.</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">However without a signer reference how is the RP to know who signed it to look up the symmetric key.</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
In the facebook case the only place it could come from is facebook so it is not a issue.</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">I need to look at that again.</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">John B.</div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">On 2010-10-06, at 6:56 PM, Nat Sakimura wrote:</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
<br><br></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">There is one more benefit for using "Enveloped" approach. </div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
If we make HMAC-SHA256 the default and thus sig_params omit-able, then the JSON Web Token as the result of the signing is exactly what Facebook is doing right now, I think. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:12pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">=nat</p><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
On Thu, Oct 7, 2010 at 2:27 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" style="color:blue;text-decoration:underline" target="_blank">sakimura@gmail.com</a>> wrote:</div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
Yes. It works for either style. Array should preserve the order - otherwise, we are in trouble. </div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">I have no strong preference on the "enveloped" or "enveloping". </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">I will go with the majority sentiment of the group. </div></div><div>
<div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
<span style="color:rgb(136, 136, 136)">=nat</span></div><div><div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:12pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</p><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">On Thu, Oct 7, 2010 at 2:15 AM, John Bradley <<a href="mailto:jbradley@mac.com" style="color:blue;text-decoration:underline" target="_blank">jbradley@mac.com</a>> wrote:</div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">Using the array is a fine idea.</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">I think it would work for either style though.</div></div><div>
<div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
The encoder needs to take a bit more care not to mix up the order.</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">John B.</div></div><div><div><div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
On 2010-10-06, at 12:48 PM, Nat Sakimura wrote:</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><br><br></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
Yes indeed. </div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
>From the ease of programing point of view, there are not much difference now between the proposals. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">One thing that I like about Hideki's proposal is its reliance on the array. </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">In the current draft, the signatures are indexed by the url of the key, duplicating them. </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">His proposal removes this duplication. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
Also, sloppy programmer may just look at the key url supplied in the signature block and fail to match it with the one in the sig_params block, causing vulnerability. If there is no duplicate in the signature block, then one has to go and look at the sig_params and process things correctly. </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:12pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
=nat</p><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">On Thu, Oct 7, 2010 at 1:06 AM, John Bradley <<a href="mailto:jbradley@mac.com" style="color:blue;text-decoration:underline" target="_blank">jbradley@mac.com</a>> wrote:</div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">It mostly comes down to a style issue between the two as long as things that process the original JSON object will safely ignore our element or it is easily removed by the receiver.</div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
I admittedly tend to look at it from a XML prospective. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">The only problem with the multiple sigs in the web token format is conflicts with what people using the MS proposed version may expect.</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
I would want to talk to them about that. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
John B.</div></div><div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
On 2010-10-06, at 3:41 AM, Nat Sakimura wrote:</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><br><br></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
Hi John, </div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
I talked with Hideki today and now understood what he meant. </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">Basically, what he is proposing can essentially be reduced to: </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
{<br> "oauth_token": "asdfjklsdfjwoIjfk",<br> "not_after": 12345678,<br> "user_id": 1223,<br> "profile_id": 1223 ,<br> "<a href="http://jsonenc.info/jss/sig_params" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/sig_params</a>" :</div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> [</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
{</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> "certs_uri": "<a href="https://example.com/mycerts.pem" style="color:blue;text-decoration:underline" target="_blank">https://example.com/mycerts.pem</a>"</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> },</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
{</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> "algorithm": "RSA-SHA1",</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> "certs_uri": "<a href="https://example.org/mycerts.pem" style="color:blue;text-decoration:underline" target="_blank">https://example.org/mycerts.pem</a>"</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> }</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
] ,</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">}</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">AND Signed result like: </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">{</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
"type": "<a href="http://openid.net/specs/ab/1.0#signed_format" style="color:blue;text-decoration:underline" target="_blank">http://openid.net/specs/ab/1.0#signed_format</a>",</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
"data_type": "application/json",</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> "data": "eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2FkIn0",</div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> "sigs": [</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
"vlXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso",</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
"cfXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso"</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
]</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">}</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">sigs does not have to have the key_id or certs_uri because the order of the array is always preserved. </div>
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
He even goes on for Web Token to be something like: </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div>
<div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">sig1.sig2. ... .data</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">so that it can have any number of signatures. </div></div><div>
<div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
=nat</div></div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">On Wed, Oct 6, 2010 at 6:32 AM, John Bradley <<a href="mailto:jbradley@mac.com" style="color:blue;text-decoration:underline" target="_blank">jbradley@mac.com</a>> wrote:</div>
<div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">For security reasons the signature and hash algorithm need to be a part of the signed data.<br>
It would be easier if that were not the case. If there only one hash and valid signing algorithm they could also be skipped.<br><br>Allowing a attacker to modify the algorithm creates a potential security hole.<br>This was learned the hard way other places:)<br>
<br>The proposed outer envelope contains the signature and payload, there is no collision problem there.<br><br>The problem comes from trying to insert our signature elements into someone else's JSON object.<br><br>That mostly happens if they happen to be using env for something else.<br>
<br>Unless we choose a URI for our element names, we run the rusk of colliding.<br><br>Perhaps I am lazy, it just seems easier to me, to keep the objects separate.<br><br>John B.</div><div><div><p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:12pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
<br>On 2010-10-05, at 5:15 PM, nara hideki wrote:<br><br>> Thanks John,<br>><br>> I might misunderstood something, but there doesn't seems to be<br>> namespace collision because the whole (root) JSON object<br>
> including envelope JSON object is to be canonicalized in base64url<br>> format and set to "data" in JSON Serialization.<br>><br>> I'd like to know the reason why envelope JSON MUST not be included in<br>
> signature base string.<br>><br>> Regards<br>><br>> ----<br>> hdknr<br>><br>><br>> 2010/10/6 John Bradley <<a href="mailto:jbradley@mac.com" style="color:blue;text-decoration:underline" target="_blank">jbradley@mac.com</a>>:<br>
>> True, but we still have the problem of conflicting with elements in the object that we are trying to sign.<br>>><br>>> It is also harder to recover the original object at the end of the process if you don't keep it separate.<br>
>><br>>> I see this as an enveloping signature where the original JSON is contained in a single element and can be easily extracted.<br>>><br>>> You are going for more of an enveloped style where the signature elements become part of the object.<br>
>><br>>> If we weren't forced to base64 the entire thing for calculating the signature over I would probably favour your method.<br>>><br>>> It would allow for you to receive an object and ignore the sig if you don't care about it.<br>
>><br>>> We cant do that in this case because the receiver must always unwrap the base64 encoding.<br>>><br>>> So the most you can get out of the enveloped signature method is that after you receive JSON object and extract the encoded JSON object you have almost the object that you had when you started the signing process.<br>
>><br>>> In the Enveloping signature method you still need to extract the JSON form the payload. The advantage is what goes in comes out, and there are no namespace issues.<br>>><br>>> I am not super attached to the idea, but that is my reasoning.<br>
>><br>>> John B.<br>>> On 2010-10-05, at 3:42 PM, nara hideki wrote:<br>>><br>>>> John, Nat , Thank you for your description.<br>>>><br>>>> For multiple signers, this may work as well:<br>
>>><br>>>> {<br>>>> "param1" : "xxxxx",<br>>>> "param2" : "xxxxx",<br>>>> ....<br>>>> "env1": {<br>
>>> "type": "<a href="http://jsonenc.info/jss/" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/</a>",<br>>>> "key_id": "<a href="http://signer1.com/" style="color:blue;text-decoration:underline" target="_blank">signer1.com</a>",<br>
>>> "algorithm": "HMAC-SHA256"<br>>>> ...<br>>>> },<br>>>> "env2": {<br>>>> "type": "<a href="http://jsonenc.info/jss/" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/</a>",<br>
>>> "key_id": "<a href="http://signer2.com/" style="color:blue;text-decoration:underline" target="_blank">signer2.com</a>",<br>>>> "algorithm": "HMAC-SHA256"<br>
>>> ...<br>>>> },<br>>>> }<br>>>><br>>>> In the above implementation, "env1" and "env2" can be used as<br>>>> identifiers(indexer) for signature<br>
>>> in JSON Serialization later.<br>>>><br>>>><br>>>> For arbitrary binary enveloping, we can freely put any base64url-ed<br>>>> string in JSON fields anyway.<br>>>> For simplicity, I think that JSS should target on only JSON.<br>
>>><br>>>> ----<br>>>> hdknr<br>>>><br>>>> 2010/10/6 Nat Sakimura <<a href="mailto:sakimura@gmail.com" style="color:blue;text-decoration:underline" target="_blank">sakimura@gmail.com</a>>:<br>
>>>> There actually was another reason for having "payload" as a parameter.<br>>>>> As a generic signature mechanism, we may want to sign arbitrary binary<br>>>>> data.<br>>>>> In such a case, we can base64url encode it and put it into "payload"<br>
>>>> parameter.<br>>>>> =nat<br>>>>><br>>>>> On Wed, Oct 6, 2010 at 12:56 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" style="color:blue;text-decoration:underline" target="_blank">sakimura@gmail.com</a>> wrote:<br>
>>>>><br>>>>>> In this example:<br>>>>>> {<br>>>>>> "oauth_token": "asdfjklsdfjwoIjfk",<br>>>>>> "not_after": 12345678,<br>
>>>>> "user_id": 1223,<br>>>>>> "profile_id": 1223 ,<br>>>>>> "env" :<br>>>>>> {<br>>>>>> "type": "<a href="http://jsonenc.info/jss/" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/</a>",<br>
>>>>> "sig_params": [<br>>>>>> {<br>>>>>> "key_id": "<a href="http://example.com/" style="color:blue;text-decoration:underline" target="_blank">example.com</a>",<br>
>>>>> "algorithm": "HMAC-SHA256"<br>>>>>> }<br>>>>>> ]<br>>>>>> }<br>>>>>> }<br>>>>>> I do not think we need env. That would simplify.<br>
>>>>> The reason why we put everything inside the payload was that we thought it<br>>>>>> would be easier to process. I am open to both ways.<br>>>>>> What do others think?<br>
>>>>> =nat<br>>>>>> On Wed, Oct 6, 2010 at 12:40 AM, nara hideki <<a href="mailto:hdknr@ic-tact.co.jp" style="color:blue;text-decoration:underline" target="_blank">hdknr@ic-tact.co.jp</a>> wrote:<br>
>>>>>><br>>>>>>> Hi, Nat,<br>>>>>>><br>>>>>>> This revision of envelope is literally "envelope" in which parameters<br>>>>>>> in concern are held as JSON object in "payload".<br>
>>>>>> But it looks more simpler to me if all signing parameters are held as<br>>>>>>> a JSON object in the concerned data. I mean that the following sample<br>>>>>>> :<br>
>>>>>><br>>>>>>> {<br>>>>>>> "type": "<a href="http://jsonenc.info/jss/" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/</a>",<br>
>>>>>> "sig_params": [<br>>>>>>> {<br>>>>>>> "key_id": "<a href="http://example.com/" style="color:blue;text-decoration:underline" target="_blank">example.com</a>",<br>
>>>>>> "algorithm": "HMAC-SHA256"<br>>>>>>> }<br>>>>>>> ],<br>>>>>>> "payload": {<br>>>>>>> "oauth_token": "asdfjklsdfjwoIjfk",<br>
>>>>>> "not_after": 12345678,<br>>>>>>> "user_id": 1223,<br>>>>>>> "profile_id": 1223<br>>>>>>> }<br>
>>>>>> }<br>>>>>>><br>>>>>>> can be simplified in this JSON:<br>>>>>>><br>>>>>>> {<br>>>>>>> "oauth_token": "asdfjklsdfjwoIjfk",<br>
>>>>>> "not_after": 12345678,<br>>>>>>> "user_id": 1223,<br>>>>>>> "profile_id": 1223 ,<br>>>>>>> "env" :<br>
>>>>>> {<br>>>>>>> "type": "<a href="http://jsonenc.info/jss/" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/</a>",<br>
>>>>>> "sig_params": [<br>>>>>>> {<br>>>>>>> "key_id": "<a href="http://example.com/" style="color:blue;text-decoration:underline" target="_blank">example.com</a>",<br>
>>>>>> "algorithm": "HMAC-SHA256"<br>>>>>>> }<br>>>>>>> ]<br>>>>>>> }<br>>>>>>> }<br>
>>>>>><br>>>>>>> because if the original parameters without a signature can be following :<br>>>>>>><br>>>>>>> {<br>>>>>>> "oauth_token": "asdfjklsdfjwoIjfk",<br>
>>>>>> "not_after": 12345678,<br>>>>>>> "user_id": 1223,<br>>>>>>> "profile_id": 1223<br>>>>>>> }<br>>>>>>><br>
>>>>>>> From the programming effort's point of view, it doesn't make any<br>>>>>>> difference.<br>>>>>>> But JSON text looks simpler.<br>>>>>>><br>
>>>>>> We don't have to define holding parameter name as "env" because JSS<br>>>>>>> JSON object MUST have<br>>>>>>> "type". In Python, this code can be tell whether a JSON is JSS-envloped<br>
>>>>>> or not:<br>>>>>>><br>>>>>>>>>> j=simplejson.loads( source_json_text )<br>>>>>>>>>> True in [ type(v)==dict and v.has_key('type') and v['type'] ==<br>
>>>>>>>>> "<a href="http://jsonenc.info/jss/" style="color:blue;text-decoration:underline" target="_blank">http://jsonenc.info/jss/</a>" for k,v in j.iteritems()]<br>>>>>>> True<br>
>>>>>><br>>>>>>> A drawback is a fact that "env" dosen't look literally an envelope.<br>>>>>>><br>>>>>>> ---<br>>>>>>> hideki<br>
>>>>>> _______________________________________________<br>>>>>>> Openid-specs-ab mailing list<br>>>>>>><span> </span><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
>>>>>><span> </span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:blue;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
>>>>><br>>>>>><br>>>>>><br>>>>>> --<br>>>>>> Nat Sakimura (=nat)<br>>>>>><span> </span><a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br>
>>>>><span> </span><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a><br>>>>><br>>>>><br>>>>><br>
>>>> --<br>>>>> Nat Sakimura (=nat)<br>>>>><span> </span><a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br>
>>>><span> </span><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a><br>>>>><br>>>>> _______________________________________________<br>
>>>> Openid-specs-ab mailing list<br>>>>><span> </span><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
>>>><span> </span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:blue;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
>>>><br>>>>><br>>>> _______________________________________________<br>>>> Openid-specs-ab mailing list<br>>>><span> </span><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
>>><span> </span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:blue;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>>><br>
>></p></div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><br><br clear="all"><br>--<span> </span><br>Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a></div>
</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div></div></div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
<br><br clear="all"><br>--<span> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a></div>
</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div></div></div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
<br><br clear="all"></div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">--</div><div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a></div>
</div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"><br><br clear="all"><br>--<span> </span><br>Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a></div>
</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div></div></div></div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif">
<br><br clear="all"><br>--<span> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" style="color:blue;text-decoration:underline" target="_blank">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" style="color:blue;text-decoration:underline" target="_blank">http://twitter.com/_nat_en</a></div>
</div></div><div style="margin-top:0in;margin-right:0in;margin-bottom:0.0001pt;margin-left:0in;font-size:12pt;font-family:'Times New Roman', serif"> </div></div></div></div></span></blockquote></div><br></div></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div>