Gautam Arvind | 19 Nov 13:58 2014
Picon

Dskpp support in servers

Hi
Is there any trial version or test server supporting dskpp way of provisioning?

<div><p>Hi<br>
Is there any trial version or test server supporting dskpp way of provisioning?<br></p></div>
RFC Errata System | 25 Nov 11:45 2013

[Technical Errata Reported] RFC6030 (3811)

The following errata report has been submitted for RFC6030,
"Portable Symmetric Key Container (PSKC)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6030&eid=3811

--------------------------------------
Type: Technical
Reported by: Ivan Micanovic <ivan.micanovic@...>

Section: 4.1.

Original Text
-------------
All the elements listed above (and those defined in the future)
      obey a simple structure in that they MUST support child elements
      to convey the data value in either plaintext or encrypted format:

      Plaintext:  The <PlainValue> element carries a plaintext value
         that is typed, for example, to xs:integer.

      Encrypted:  The <EncryptedValue> element carries an encrypted
         value.

Corrected Text
--------------

Notes
-----
In case that <Counter>, <Time>, <TimeInterval> or <TimeDrift> are encrypted in the PSKC file, the
standard doesn't say anything about how to interpret this encrypted data.
After decrypting those values we have byte array. 

Example: 
   Counter plain text value: 10000 decimal

   In the case that this value is encrypted and later decrypted what should we expect?
   Byte content 0x27 0x10 or 0x01 0x00 0x00 or something else?

   1. Byte content 0x27 0x10 is interpreted as 10000 decimal if this bytes are interpreted as binary data (Big
endian). 
   2. Byte content 0x01 0x00 0x00 is interpreted as 10000 decimal if this bytes are interpreted as hex data (Big endian).
      Each hex digit will be mapped to a resulting decimal digit. From my point of view this way is a bit confusing.

My proposal to solve this issue is described in 1.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6030 (draft-ietf-keyprov-pskc-09)
--------------------------------------
Title               : Portable Symmetric Key Container (PSKC)
Publication Date    : October 2010
Author(s)           : P. Hoyer, M. Pei, S. Machani
Category            : PROPOSED STANDARD
Source              : Provisioning of Symmetric Keys
Area                : Security
Stream              : IETF
Verifying Party     : IESG
Anders Rundgren | 7 Oct 22:22 2013
Picon

KeyGen2 - XML Exodus Completed

https://openkeystore.googlecode.com/svn/resources/trunk/docs/sks-api-arch.pdf

The resulting JSON implementation is about 200,000 lines shorter.

Cheers,
Anders
Anders Rundgren | 18 Sep 17:07 2013
Picon

Converting enrollment protocols from XML to JSON

I have "amused" myself with some initial conversions of KeyGen2 from XML to JSON.
The following shows one of the ten KeyGen2 message objects:
  
    {

        " <at> context": "http://xmlns.webpki.org/keygen2/201309018",
        " <at> qualifier": "KeyCreationRequest",
        "ServerSessionID": "S-140f2b70a3e4eefe1627b141e20",
        "ClientSessionID": "C-140f2b70ba0812f22188454b453",
        "SubmitURL": "http://issuer.example.com/keygen",
        "PUKPolicy": 
            [{
                 "ID": "PUK.1",
                 "Format": "numeric",
                 "RetryLimit": 3,
                 "Value": "mjRuOhjhtfg6d6d51Oqw",
                 "MAC": "xPr65fxq5hwvUX94Btpp5tey+yHH9iBrMLO7wQ2k5/0=",
                 "PINPolicy": 
                     [{
                          "ID": "PIN.1",
                          "Grouping": "shared",
                          "Format": "numeric",
                          "MinLength": 4,
                          "MaxLength": 8,
                          "RetryLimit": 3,
                          "PatternRestrictions": ["three-in-a-row","sequence"],
                          "MAC": "Hlzek4waNiqnWwrK83cvHE6MyoQh7N5frLEH4I3DpZ0=",
                          "KeyEntry": 
                              [{
                                   "ID": "Key.1",
                                   "KeyAlgorithm": "http://xmlns.webpki.org/sks/algorithm#ec.p256",
                                   "AppUsage": "authentication",
                                   "MAC": "idpbhr/L/4BnaLaxz5VJHC4/XPoyp3kR/s7Dcb7ywTM="
                               },
                               {
                                   "ID": "Key.2",
                                   "KeyAlgorithm": "http://xmlns.webpki.org/sks/algorithm#rsa2048",
                                   "AppUsage": "encryption",
                                   "MAC": "6KCho59vdV3hyXlKaQl3HQFPO32GzfXFbkJh4jsbQKA="
                               }]
                      }]
             }]
    }

This should be interpreted as a request for an EC key and an RSA key where both keys are protected by a single (shared) user-defined (within the specified policy limits) PIN. The PIN is in turn governed by an issuer-defined, protocol-wise secret PUK.

Since multiple instances of properties is considered as a bad JSON practice, arrays have been used instead.
For those who are versed in XML Schemas, <at> context is essentially the same as targetNameSpace while <at> qualifier represents an "emulation" of the top-level element in an XML instance document.

The original version in XML looks considerably cooler but machines probably don't care :-)

Cheers,
Anders
<div>
    <span>I have "amused" myself with some initial conversions of
        KeyGen2 from XML to JSON.<br>
        The following shows one of the ten KeyGen2 message objects:<br>
        &nbsp;&nbsp; <br>
        &nbsp;&nbsp;&nbsp; {</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span> <at> context<span>":&nbsp;"</span><a class="moz-txt-link-freetext" href="http://xmlns.webpki.org/keygen2/201309018">http://xmlns.webpki.org/keygen2/201309018</a><span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span> <at> qualifier<span>":&nbsp;"</span>KeyCreationRequest<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>ServerSessionID<span>":&nbsp;"</span>S-140f2b70a3e4eefe1627b141e20<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>ClientSessionID<span>":&nbsp;"</span>C-140f2b70ba0812f22188454b453<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>SubmitURL<span>":&nbsp;"</span><a class="moz-txt-link-freetext" href="http://issuer.example.com/keygen">http://issuer.example.com/keygen</a><span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>PUKPolicy<span>":&nbsp;</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[{</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>ID<span>":&nbsp;"</span>PUK.1<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>Format<span>":&nbsp;"</span>numeric<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>RetryLimit<span>":&nbsp;</span>3<span>,</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>Value<span>":&nbsp;"</span>mjRuOhjhtfg6d6d51Oqw<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>MAC<span>":&nbsp;"</span>xPr65fxq5hwvUX94Btpp5tey+yHH9iBrMLO7wQ2k5/0=<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>PINPolicy<span>":&nbsp;</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[{</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>ID<span>":&nbsp;"</span>PIN.1<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>Grouping<span>":&nbsp;"</span>shared<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>Format<span>":&nbsp;"</span>numeric<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>MinLength<span>":&nbsp;</span>4<span>,</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>MaxLength<span>":&nbsp;</span>8<span>,</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>RetryLimit<span>":&nbsp;</span>3<span>,</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>PatternRestrictions<span>":&nbsp;["</span>three-in-a-row<span>","</span>sequence<span>"],</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>MAC<span>":&nbsp;"</span>Hlzek4waNiqnWwrK83cvHE6MyoQh7N5frLEH4I3DpZ0=<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>KeyEntry<span>":&nbsp;</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[{</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>ID<span>":&nbsp;"</span>Key.1<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>KeyAlgorithm<span>":&nbsp;"</span><a class="moz-txt-link-freetext" href="http://xmlns.webpki.org/sks/algorithm#ec.p256">http://xmlns.webpki.org/sks/algorithm#ec.p256</a><span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>AppUsage<span>":&nbsp;"</span>authentication<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>MAC<span>":&nbsp;"</span>idpbhr/L/4BnaLaxz5VJHC4/XPoyp3kR/s7Dcb7ywTM=<span>"</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>ID<span>":&nbsp;"</span>Key.2<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>KeyAlgorithm<span>":&nbsp;"</span><a class="moz-txt-link-freetext" href="http://xmlns.webpki.org/sks/algorithm#rsa2048">http://xmlns.webpki.org/sks/algorithm#rsa2048</a><span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>AppUsage<span>":&nbsp;"</span>encryption<span>",</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"</span>MAC<span>":&nbsp;"</span>6KCho59vdV3hyXlKaQl3HQFPO32GzfXFbkJh4jsbQKA=<span>"</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}]</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}]</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}]</span><br><span>&nbsp;&nbsp;&nbsp;&nbsp;}<br><br>
        This should be interpreted as a request for an EC key and an RSA
        key where both keys are protected by a single (shared)
        user-defined (within the specified policy limits) PIN. The PIN
        is in turn governed by an issuer-defined, protocol-wise secret
        PUK.<br><br>
        Since multiple instances of properties is considered as a bad
        JSON practice, arrays have been used instead.<br>
        For those who are versed in XML Schemas,  <at> context is essentially
        the same as targetNameSpace while  <at> qualifier represents an
        "emulation" of the top-level element in an XML instance
        document.<br><br>
        The original version in XML looks considerably cooler but
        machines probably don't care :-)<br><br>
        Cheers,<br>
        Anders<br></span>
  </div>
Simon Josefsson | 17 Sep 22:29 2013

OCRA test vectors for 4, 5, 7, 9 and 10 digit outputs

Could any implementer share test vectors for these cases?  They aren't
found in the RFC.  Contact me privately if you want.

/Simon
Simon Josefsson | 17 Sep 22:27 2013

OCRA without truncation

Hi,

I'm merging OCRA support into my OATH Toolkit implementation
(<http://www.nongnu.org/oath-toolkit/>) and we are discussing how OCRA
without truncation is supposed to work.

I haven't been able to figure out from the RFC what the output should be
when t=0.  There are no test vectors for that case.

A naive reader would notice this definition in section 5:

   In a nutshell,
                     OCRA = CryptoFunction(K, DataInput)

together with this from section 4.1:

   As a reminder:
                     HOTP(K,C) = Truncate(HMAC-SHA1(K,C))

and section 5.2 which specify the CryptoFunction:

   We define the HOTP family of functions as an extension to HOTP:

   1.  HOTP-H-t: these are the different possible truncated versions of
       HOTP, using the dynamic truncation method for extracting an HOTP
       value from the HMAC output

   2.  We will denote HOTP-H-t as the realization of an HOTP function
       that uses an HMAC function with the hash function H, and the
       dynamic truncation as described in [RFC4226] to extract a t-digit
       value

   3.  t=0 means that no truncation is performed and the full HMAC value
       is used for authentication purposes

so one could interpret this as when t=0, the Truncate function is not
invoked at all, and instead OCRA takes on the output value of the
HMAC-SHA1 function, which is a binary string.

Are there any implementation of OCRA with t=0?  What encoding, if any,
of the HMAC output is used?  Decimal, hex, binary?

The sample code in the RFC will always output the static code "1" as the
OCRA code for t=0, if I read the code correctly, which seems like a bug.

/Simon
Anders Rundgren | 5 Sep 21:47 2013
Picon

JCS - JSON Clear Text Signature Scheme

New name and updated documentation.

https://openkeystore.googlecode.com/svn/resources/trunk/docs/JSON-Clear-Text-Signature-Scheme.pdf

Enjoy!

Anders

Anders Rundgren | 31 Aug 05:22 2013
Picon

Updated: Re: Giving up on XML DSig => JSON

Hi,
Based on the _extremely_ useful feedback received, I have decided to update the proposed clear-text JSON
Signature scheme.

Canonicalization:
- Remove whitespace
- Unescape "strings"
- Sort properties

Signature scope: a JSON Signature signs the object (including possible child objects) it is declared in.

That is, the final XML DSig "leftover", the awkward Reference has been shelved.
I expect the resulting code to be even shorter than today :-)

   {
    " <at> context": "http://example.com/test-signature",
    "Now": "2013-08-30T07:56:08+02:00",
    "ID": "lADU_sO067Wlgoo52-9L",
    "STRINGS": ["One","Two","Three"],
    "EscapeMe": "A\\\n\"",
    "Intra": 78,
    "Signature":
      {
        "SignatureInfo":
          {
            "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
            "KeyInfo":
              {
                "SignatureCertificate":
                  {
                    "Issuer": "CN=Demo Sub CA,DC=webpki,DC=org",
                    "SerialNumber": 1377713637130,
                    "Subject": "CN=example.com,O=Example Organization,C=US"
                  },
                "X509CertificatePath":
                  [
                    "MIIClzCCAX+gAwIBAgIG...RBYG3uk9W/uNIHdoyQn19w=="
                  ]
              }
          },
        "SignatureValue": "MEYCIQCCAxLBoPw5h8hW4M...L5t0XscOTPWXE67c1SCT"
      },
  }

The sample shows the new KeyGen2 message structure which has been derived from JSON-LD ( <at> context)

Cheers
Anders
Anders Rundgren | 29 Aug 14:43 2013
Picon

IBM patent on JSON Signatures

http://patents.justia.com/patent/20100185869

This patent doesn't appear to apply to JWS but to my take on JSON signatures:

https://openkeystore.googlecode.com/svn/resources/trunk/docs/Enveloped-JSON-Signatures.pdf

I got this information from the patentee :-(

It is of course a bit reassuring to not be alone with an idea...

Cheers
Anders
Anders Rundgren | 29 Aug 08:53 2013
Picon

Giving up on XML DSig => JSON

Since Google doesn't support XSD or XML DSig in Android I began looking at other alternatives.
There were none :-( Now there is :-)

https://openkeystore.googlecode.com/svn/resources/trunk/docs/Enveloped-JSON-Signatures.pdf

Comments are welcome!

Cheers
Anders
Anders Rundgren | 10 Jul 07:00 2013
Picon

QR ID => OTP is approaching EOL

https://openkeystore.googlecode.com/svn/resources/trunk/docs/QR-ID-presentation.pdf

Since seeing is believing you may also try it in practice by installing
https://play.google.com/store/apps/details?id=org.webpki.mobile.android
in an Android phone.

Testing can be performed through a public web-site at:
https://mobilepki.org/scc
https://mobilepki.org/login

Anders

Gmane