>> Why would "/" be escaped? > Well, the example shows a JSON object and then it would be logical to > escape / since this is a part of the JSON "standard".
You can escape / as \/ in JSON, but you don't have to. "/" and "\/" are both equally valid JSON strings representing the same 1-character logical value. Any JSON parser needs to support both. I believe the one useful use of \/ is to escape "</script>" as "<\/script>" when it appears as a JSON string in HTML so the HTML parser does not misinterpret it as the end of the script. In a canonical form of JSON one form needs to be chosen: "/" is the best choice; it is the choice of ECMAScript’s JSON.stringify. JOSE does not require a canonical form so "http://example.com"; and "http:\/\/example.com" are both acceptable. I'm glad the former is chosen for the JOSE examples. > However, when looking further I note that JOSE requires some kind of > non-standard/additional JSON normalizing before applying base64url: > > http://tools.ietf.org/id/draft-ietf-jose-json-web-signature-14.html#rfc.section.5.3 No. The string comparison rules are just trying to be clear that JOSE implementations are expected to compare logical string values (not JSON serializations, which are not unique due to optional escape sequences) and are not expected to perform any Unicode normalization, such as NFC or NFKD. -- James Manger _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
