The working group has closed and is not entertaining any new work. You would
need to create a proposal for a new working group (could have the same name) to
do this. However, trying to canonicalize JSON is generally not considered to
be doable without having some external constraints added. Consider the problem
with serializing {"int": 3} which has a large number of possible ways to encode
the number 3.
From: jose <[email protected]> On Behalf Of Bret Jordan
Sent: Wednesday, October 10, 2018 1:49 PM
To: Nathaniel McCallum <[email protected]>; [email protected]
Subject: Re: [jose] Canonical JSON form
Would this WG be open to working on a solution to sign JSON (not a byte stream)
and define a canonical representation for said JSON?
Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not
be unscrambled is an egg."
On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum <[email protected]> wrote:
JWS signs a byte stream, not JSON. If you want to use a JWS to sign
JSON data it is your responsibility to ensure that both sides produce
an equivalent byte stream.
On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <[email protected]> wrote:
Dear WG,
I was reading through RFC 7515 to see if it would work for a project I am
working on. Basically, the need is to sign and re-sign a JSON object. However, in
RFC 7515 there does not seem to be any definition for serializing a canonical
form of JSON. This means that two organizations that serialize it differently
would produce two different signatures.
Super simple example
{ "type" : "house", "size" : "1000 sq feet" }
Or
{
  "type" : "house",
  "size" : "1000 sq feet"
}
Or
{"type":"house","size":"1000 sq feet"}
Or (tabs not spaces)
{
	"type" : "house",
	"size" : "1000 sq feet"
}
All four of these JSON structures would produce a different signature as
defined by RFC 7515. What am I missing?
Thanks,
Bret
_______________________________________________
jose mailing list
[email protected] <mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/jose
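Added example, not part of any message in this thread: a Python sketch of the two points raised above, that a JWS (RFC 7515) signature covers the exact payload bytes and that whitespace rules alone do not settle number encodings. The HS256 key, the sample payload bytes and the `naive_normalize` rule are constructed assumptions; `naive_normalize` is a hypothetical application-level agreement, not a standard canonical form.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jws_hs256(payload: bytes, key: bytes = KEY) -> str:
    """JWS Compact Serialization with HS256 over the exact payload bytes."""
    header = b64u(b'{"alg":"HS256"}')
    signing_input = f"{header}.{b64u(payload)}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{b64u(payload)}.{b64u(sig)}"

def verify_hs256(token: str, key: bytes = KEY) -> bytes:
    """Verify over the bytes as received; return the payload bytes or raise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(b64u(expected), sig):
        raise ValueError("bad signature")
    return base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))

def naive_normalize(payload: bytes) -> bytes:
    """Hypothetical rule: sorted keys, no insignificant whitespace."""
    obj = json.loads(payload)
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# The four serializations from the original message, as constructed bytes.
FORMS = [
    b'{ "type" : "house", "size" : "1000 sq feet" }',
    b'{\n  "type" : "house",\n  "size" : "1000 sq feet"\n}',
    b'{"type":"house","size":"1000 sq feet"}',
    b'{\n\t"type" : "house",\n\t"size" : "1000 sq feet"\n}',
]
# Constructed spellings of the number 3, per the reply at the top.
NUMBERS = [b'{"int": 3}', b'{"int": 3.0}', b'{"int": 3e0}', b'{"int": 30e-1}']

def distinct_signatures(payloads) -> int:
    """Count distinct signature parts across the given payloads."""
    return len({jws_hs256(p).rsplit(".", 1)[1] for p in payloads})

if __name__ == "__main__":
    print("raw forms:", distinct_signatures(FORMS))
    print("normalized forms:", distinct_signatures(map(naive_normalize, FORMS)))
    print("numbers:", sorted({naive_normalize(n) for n in NUMBERS}))
```

A verifier that checks the token as received and only then parses the payload never needs a canonical form; the normalization step only matters when the receiver must rebuild the signed bytes from a parsed object.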