On 2014-01-07 12:04, Carsten Bormann wrote:
> On 07 Jan 2014, at 11:37, Anders Rundgren <[email protected]>
> wrote:
>
>> If this makes the entire concept invalid that's a valid opinion, however it
>> is not a fact.
>
> It’s not the concept that is invalid.
>
> When people read “JSON”, they expect to be able to make use of the vast JSON
> ecosystem.
> That is not the case with the syntax that you are proposing.
> So it is more honest not to call it JSON.
> (Not beyond “leveraging JSON syntax for a new data interchange format”, that
> is.)

The only real snag with JCS which I'm aware of is that you cannot [safely]
validate such a signature when expressed as a JavaScript object literal:

    var nonVerifiableSignedData = {
      "unnormalizedNumber": 4.50,
      "Signature":
      {
        ...
      }
    };

It would require a patch in JavaScript itself to solve that (which is hardly an
option). That is, in a JS environment, you have to pass JCS objects through a
separate [enhanced] JSON parser as valid JS strings.

Given the fact that you should verify security protocol data thoroughly and
base64 decode etc., it seems that no matter what you do there are additional
parsing steps involved which IMO makes the problem above fairly unimportant.

I'm currently integrating JCS with WebCrypto. It's not easy but this has more
to do with my n00b-status on JS programming than with any fundamental problems
in the syntax or architecture.

It is possible that calling this JSON is false marketing, I leave that to the
market to decide :-)

Anders
>
> Grüße, Carsten
>
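
The snag discussed in this message, as an added JavaScript example that is not part of the original thread and is not JCS reference code: a signature computed over text containing `4.50` verifies when the data arrives as a string, but not once it has been evaluated as an object literal. The whitespace-stripping normalization, the HMAC-SHA256 stand-in for the signature, the key, the sample text and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not JCS reference code.
const nodeCrypto = require('crypto');

const KEY = 'constructed-demo-key'; // constructed sample key (assumption)
// Constructed sample: the text exactly as the signer serialized it.
const SIGNED_TEXT = '{"unnormalizedNumber": 4.50, "text": "a b"}';

// Assumed normalization: drop whitespace outside strings and keep every
// other character, so the number lexeme "4.50" survives verbatim.
function normalizeText(jsonText) {
  let out = '';
  let inString = false;
  for (let i = 0; i < jsonText.length; i++) {
    const c = jsonText[i];
    if (inString) {
      out += c;
      if (c === '\\' && i + 1 < jsonText.length) out += jsonText[++i];
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
      out += c;
    } else if (!/\s/.test(c)) {
      out += c;
    }
  }
  return out;
}

// HMAC-SHA256 stands in for the real signature algorithm (assumption).
function sign(normalized) {
  return nodeCrypto.createHmac('sha256', KEY).update(normalized, 'utf8').digest();
}

function matches(normalized, sig) {
  const mac = sign(normalized);
  return sig.length === mac.length && nodeCrypto.timingSafeEqual(mac, sig);
}

// Verifier that received the data as a string: the lexemes are intact.
function verifyFromString(jsonText, sig) {
  JSON.parse(jsonText); // throws on malformed input
  return matches(normalizeText(jsonText), sig);
}

// Verifier that only holds the evaluated object literal: 4.50 is already
// the number 4.5, so the signed text cannot be reconstructed.
function verifyFromObject(obj, sig) {
  return matches(JSON.stringify(obj), sig);
}
```
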