OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Digital Signatures for STIX


I have been working on a proposal for digital signatures for STIX.  The document is available at:

There have been some discussions on this on the #signatures slack channel.

This does not address how to handle trusting of keys (web of trust, CA, DANE, other?) or key rotation, but I believe that those options can be added w/o too much difficulty once the more core parts have been decided upon.

One major part of this proposal is formatting of the objects for signing.  There is not an existing JSON canonical format, so I had to define one.  John Wunder provided some great comments and so I defined the format more explicitly after his comments.  The biggest issue is around int/float, and their representation.  I'm most nervous about floats, and the issues relating to precision and decimal (JSON)/binary (computer) representation issues for round tripping the data, that is, after parsing, can someone safely emit the same/matching data for verification of the signature.  Since we define that floats are double-precision, this may not be as bad as expected.  As white space between JSON elements may be modified, and objects encapsulated in other JSON objects (bundles), signing the received data is not a very good option and hence why this other problem is opened up.

Though I know a good amount of crypto, I'm not a cryptographer, and this proposal has not been reviewed by a cryptographer yet.  I am in the process of enlisting OASIS resources for this, along w/ getting an out side review.

Let me know if you have comments on this.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]