There is a lot of value that the market could gain from something like this. I think it would be great if we could do this work here in the IETF. I for one would be willing to spend some time on it if we can somehow get the work kickstarted.
I know of several large projects (most outside the IETF, but one is an upcoming IETF project) that need this for their solutions. For the IETF one, we will be hosting a WebEx to talk through it on the 24th, see the CACAO mailing list if you are interested.

Things that I see we need to figure out are:

1) Canonicalization of JSON to enable round-tripping
2) Ability to sign JSON string data
3) Ability to have JSON signatures located in the content themselves with nested signatures and partial tree signatures

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 11, 2018, at 12:44 AM, Samuel Erdtman <[email protected]> wrote:
>
> I for one think this is interesting.
>
> I have published two implementations of the draft James mentions,
> draft-rundgren-json-canonicalization-scheme
> <https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme>,
> (Java
> <https://search.maven.org/artifact/io.github.erdtman/java-json-canonicalization/1.1/jar>
> and JavaScript <https://www.npmjs.com/package/canonicalize>) and I know
> Anders (the author of the draft) has implementations in .NET and Python too
> (all working well together).
>
> Then I have myself been part in writing a draft that uses this
> canonicalization mechanism to create signed cleartext JSON
> (draft-erdtman-jose-cleartext-jws
> <https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-01>). I have
> ported a JavaScript JOSE implementation to this new schema without any issues
> and Anders has at least a Java implementation.
>
> Finally there was a recent conversation about this subject on the OAuth
> mailing-list
> <https://mailarchive.ietf.org/arch/msg/oauth/YL29UE_gNj73mChXTr9FgkCF5Kg>
> recently.
>
> Best regards
> //Samuel
>
>
> On Thu, Oct 11, 2018 at 7:33 AM Neil Madden <[email protected]
> <mailto:[email protected]>> wrote:
>
> > On 11 Oct 2018, at 01:02, Bret Jordan <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >>
> >> Other implementations say that you should preserve the order of the
> >> fields you read when serialized which is part of JSON for the browser
> >> implementations but not necessarily elsewhere.
> >
> > Preserving order is hard. Depending on your programming language you might
> > be deserializing the content into a struct or you may be using a map.
> >
> > What I need is a way for individuals and organizations to be able to pass
> > around and share JSON data and collaboratively work on that JSON data and
> > sign the parts that they have done.
>
> Have you considered Git with PGP-signed commits? It solves this use-case
> extremely well.
>
> — Neil
> _______________________________________________
> jose mailing list
> [email protected] <mailto:[email protected]>
> https://www.ietf.org/mailman/listinfo/jose
> <https://www.ietf.org/mailman/listinfo/jose>
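An added example, not part of any message in this thread and not the code of the drafts or packages it mentions: a signature computed over a canonical serialization and embedded in the JSON object still verifies after a consumer re-serializes the object with a different member order, while a content change fails. The `signature` member name, the function names, the sample document and the use of Ed25519 are assumptions made for illustration; this is a simplification, not the cleartext JWS format.

```javascript
const crypto = require("node:crypto");

const SIG = "signature"; // hypothetical member name for the embedded signature

// Deterministic serialization: members sorted by key (UTF-16 code unit order),
// no whitespace, array order kept because it is data.
function canonicalize(value) {
  if (value === null || typeof value !== "object") {
    if (typeof value === "number" && !Number.isFinite(value)) {
      throw new TypeError("NaN and Infinity are not valid JSON numbers");
    }
    const text = JSON.stringify(value);
    if (text === undefined) throw new TypeError("value is not JSON data");
    return text;
  }
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  const members = Object.keys(value).sort()
    .map((key) => JSON.stringify(key) + ":" + canonicalize(value[key]));
  return "{" + members.join(",") + "}";
}

// Sign everything except the signature member, then embed the signature.
function signInPlace(obj, privateKey) {
  const { [SIG]: _old, ...payload } = obj;
  const sig = crypto.sign(null, Buffer.from(canonicalize(payload), "utf8"), privateKey);
  return { ...payload, [SIG]: sig.toString("base64") };
}

function verifyEmbedded(obj, publicKey) {
  const { [SIG]: sig, ...payload } = obj;
  if (typeof sig !== "string") return false;
  const data = Buffer.from(canonicalize(payload), "utf8");
  return crypto.verify(null, data, publicKey, Buffer.from(sig, "base64"));
}

// Constructed sample document and a throwaway key pair.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const doc = JSON.parse('{"type":"playbook","steps":["isolate","notify"],"rev":1.0}');
  const signed = signInPlace(doc, privateKey);
  // A consumer that uses a map re-serializes with another member order and indentation.
  const resent = JSON.stringify(
    { [SIG]: signed[SIG], steps: signed.steps, rev: signed.rev, type: signed.type }, null, 2);
  return {
    reordered: verifyEmbedded(JSON.parse(resent), publicKey),
    tampered: verifyEmbedded({ ...signed, steps: ["notify", "isolate"] }, publicKey),
  };
}
```

Array order is treated as content, so swapping two `steps` entries invalidates the signature even though every value is still present.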
