How many of you would be interested in helping open a new working group to work on this sort of thing?
Maybe I am missing something, but there has to be a way of dealing with this. Maybe just treat the entire JSON object as a string to be passed in to a signing function?

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 10, 2018, at 5:52 PM, Jim Schaad <[email protected]> wrote:
>
> The working group has closed and is not entertaining any new work. You would
> need to create a proposal for a new working group (could have the same name)
> to do this. However, trying to canonicalize JSON is generally not considered
> to be doable without having some external constraints added. Consider the
> problem with serializing {"int": 3} which has a large number of possible ways
> to encode the number 3.
>
> From: jose <[email protected]> On Behalf Of Bret Jordan
> Sent: Wednesday, October 10, 2018 1:49 PM
> To: Nathaniel McCallum <[email protected]>; [email protected]
> Subject: Re: [jose] Canonical JSON form
>
> Would this WG be open to working on a solution to sign JSON (not a byte
> stream) and define a canonical representation for said JSON?
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
>> On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum <[email protected]> wrote:
>>
>> JWS signs a byte stream, not JSON. If you want to use a JWS to sign
>> JSON data it is your responsibility to ensure that both sides produce
>> an equivalent byte stream.
>> On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <[email protected]> wrote:
>>
>>> Dear WG,
>>>
>>> I was reading through RFC 7515 to see if it would work for a project I am
>>> working on. Basically the need to sign and resign a JSON object. However,
>>> in RFC 7515 there does not seem to be any definition for serializing a
>>> canonical form of JSON. This means that two organizations that serialize it
>>> differently would produce two different signatures.
>>>
>>> Super simple example
>>>
>>> { "type" : "house", "size" : "1000 sq feet" }
>>>
>>> Or
>>>
>>> {
>>>     "type" : "house",
>>>     "size" : "1000 sq feet"
>>> }
>>>
>>> Or
>>>
>>> {"type":"house","size":"1000 sq feet"}
>>>
>>> Or (tabs not spaces)
>>>
>>> {
>>> 	"type" : "house",
>>> 	"size" : "1000 sq feet"
>>> }
>>>
>>> All four of these JSON structures would produce a different signature as
>>> defined by RFC 7515. What am I missing?
>>>
>>> Thanks,
>>> Bret
>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
>>> not be unscrambled is an egg."
>>>
>>> _______________________________________________
>>> jose mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/jose
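The point made in the thread, as an added example that is not part of any message in it: an RFC 7515 compact JWS with HS256 is computed over the payload bytes, so the four layouts from the original post and several encodings of the number 3 each give a different signature until both sides apply the same external constraints. The key, the sample documents and the canonical profile (sorted keys, no insignificant whitespace, integers only) are assumptions made for this illustration, not something RFC 7515 defines.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jws_hs256(payload: bytes, key: bytes = KEY) -> str:
    """RFC 7515 compact serialization with HS256: the MAC covers bytes, not JSON."""
    header = b64url(b'{"alg":"HS256"}')
    signing_input = f"{header}.{b64url(payload)}".encode("ascii")
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode('ascii')}.{b64url(mac)}"

def _normalize(value):
    # Assumed constraint: numbers must be integers, so 3, 3.0 and 3e0 all become 3.
    if value is None or isinstance(value, (bool, str, int)):
        return value
    if isinstance(value, float):
        if not value.is_integer():
            raise ValueError(f"non-integer number not allowed: {value!r}")
        return int(value)
    if isinstance(value, list):
        return [_normalize(v) for v in value]
    return {k: _normalize(v) for k, v in value.items()}

def canonical_bytes(text: str) -> bytes:
    """Assumed profile: sorted keys, no insignificant whitespace, UTF-8, integers only."""
    obj = _normalize(json.loads(text))
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

# The four layouts from the original post (constructed here with ASCII quotes).
HOUSE = [
    '{ "type" : "house", "size" : "1000 sq feet" }',
    '{\n    "type" : "house",\n    "size" : "1000 sq feet"\n}',
    '{"type":"house","size":"1000 sq feet"}',
    '{\n\t"type" : "house",\n\t"size" : "1000 sq feet"\n}',
]
# Constructed encodings of the number 3 that a JSON parser accepts.
THREE = ['{"int": 3}', '{"int":3.0}', '{"int": 3e0}', '{"int": 30e-1}']

def distinct_signatures(docs, canonicalize: bool) -> int:
    payloads = (canonical_bytes(d) if canonicalize else d.encode("utf-8") for d in docs)
    return len({jws_hs256(p) for p in payloads})

if __name__ == "__main__":
    for name, docs in (("house", HOUSE), ("three", THREE)):
        print(name, distinct_signatures(docs, False), distinct_signatures(docs, True))
```

A verifier using this approach has to re-canonicalize what it received and compare against the signed bytes, and must reject input that falls outside the agreed profile instead of guessing.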
