FW: [openc2-comment] OpenC2 Signature suggestion

[duncan sfractal.com <duncan@sfractal.com>]

This was received on the public comment channel. We are not required to accept input from non-members but we are allowed to if  they are submitted to the public channel (this was) and any member thinks it would be useful.  I (as sFractal) think it is worthy of discussion by the language subcommittee so I am forwarding. If we have questions for Danny about this, they can be asked by replying to his email on the public channel.

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

From: <openc2-comment@lists.oasis-open.org> on behalf of "Martinez, Danny (HII-TSD)" <danny.martinez@hii-tsd.com>
Date: Tuesday, August 4, 2020 at 10:08 PM
To: "openc2-comment@lists.oasis-open.org" <openc2-comment@lists.oasis-open.org>
Subject: [openc2-comment] OpenC2 Signature suggestion

 

OpenC2 TC,

 

This is my first time using this method, I hope it works as intended. Since my organization is temporarily no longer a member of Oasis I am using this method to make suggestions.

 

Enclosed I have attached my "rough" suggestion for a signature scheme in OpenC2 in relation to LSC issue #363. The general suggestion involves detaching and attaching a signature field to a pre-made OpenC2 payload encompassing headers and content as suggested by Dave Kemp in issue #353. 

 

Since the particular way in which a signature is applied is serialization dependent I suggest that we use best practices for each serialization and define what those are for OpenC2.  In this case I utilized JSON serialization as an example. The RFCs (JWS and JCS) referenced as best practice will be specific to JSON serialization only.

 

PS: I know it needs a little something, but perhaps this will start that conversation.

 

V/R

 

Danny Martinez

Principal Cyber Security Engineer

HII Mission Driven Innovative Solutions (HII-MDIS)

Technical Solutions Division

302 Sentinel Drive, Suite 300 | Annapolis Junction, MD 20701

Mobile (407) 257-0031

 

Confidentiality Statement: HUNTINGTON INGALLS INDUSTRIES PROPRIETARY - This e-mail contains information proprietary or private to Huntington Ingalls Industries, Inc., and is not to be disclosed to, copied by, or used in any manner by others without the prior express, written permission. If you are not the intended recipient, please delete without copying and kindly advise the sender by e-mail of the mistake in delivery.

Attachment: OpenC2 Message Signature.docx
Description: OpenC2 Message Signature.docx

-- 
This publicly archived list offers a means to provide input to
the OASIS Open Command and Control (OpenC2) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: openc2-comment-subscribe@lists.oasis-open.org
Unsubscribe: openc2-comment-unsubscribe@lists.oasis-open.org
List help: openc2-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/openc2-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/openc2/
Join OASIS: http://www.oasis-open.org/join/