<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</head>
<body>
<div name="messageBodySection">
<div dir="auto">Just a comment about ASCII Armouring relational. Actually, it is not about the vulnerabilities but the brittleness of the signature verification due to some middleware meddling with Unicode, spaces, etc. </div>
</div>
<div name="messageSignatureSection"><br />
<div dir="auto">Nat Sakimura Chairman, OpenID Foundation https://nat.sakimura.org</div>
</div>
<div name="messageReplySection">2019年5月13日 7:31 +0200、Anders Rundgren via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>のメール:<br />
<blockquote type="cite" class="spark_quote" style="margin: 5px 5px; padding-left: 10px; border-left: thin solid #1abc9c;">It has been claimed that the RECOMMENDED way using JWS is ASCII-armoring through Base64Url encoding because otherwise you bring in security vulnerabilities. However, none of the Open Banking APIs have chosen that path.<br />
<br />
In addition, RFC7515 (JWS RFC) also defines a detached mode but doesn't speak a word about vulnerabilities, it only says that the detached data must be reconstructed in an exact manner which of course is true. If you fail to do that the only thing that happens (in a properly designed application NB), is that you get a signature validation error leading to a rejected request or similar.<br />
<br />
Question: Can we maybe put the ASCII-armoring as a hard requirement to rest [1] ?<br />
<br />
If this is the case, I claim that simple "hashable" serialization schemes like JCS are more robust than HTTP bindings. Other benefits include:<br />
- HTTP requests become self-contained, serializable, embeddable and fully JSON compliant objects<br />
- A method that can be applied to any other JSON object needing a signature<br />
<br />
These were the issues raise at IETF-104 in Prague: https://cyberphone.github.io/ietf-json-canon/ietf-104-report.html<br />
<br />
thanx,<br />
Anders<br />
<br />
1] URL-safe operation is another thing.<br />
<br />
_______________________________________________<br />
Openid-specs-fapi mailing list<br />
Openid-specs-fapi@lists.openid.net<br />
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<br /></blockquote>
</div>
</body>
</html>