On 2018-10-29 14:38, Tim Bray wrote:
I like Samuel Erdtman's idea of starting with an open-source implementation.  
If I see one of those, with a convincing set of test cases, I'd be inclined to 
make the case for spinning up a working group.

The argument isn't "Would it be useful?" it's "Can it be done?" So, start by 
proving it can.

Things are progressing:
https://github.com/dotnet/coreclr/pull/20707#issuecomment-435536433
A coming version of the .NET platform should then be fully compatible with the 
proposed scheme.

Anyway, since there are two quite distinct ways of addressing this topic, I'm 
thinking about a BoF session in Prague as a possible next step.

WDYT?

Anders


On Mon., Oct. 29, 2018, 1:33 a.m. Anders Rundgren <[email protected]> wrote:

    On 2018-10-28 21:32, Samuel Erdtman wrote:
     > In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.
     >
     > As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations.

    Yes, and part of that is supplying test data like: https://github.com/cyberphone/json-canonicalization/tree/master/testdata
    The Microsoft folks developing "Chakra" (their JS engine) already use the 100 million reference values.


     > If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.

    Well, another part of the standards puzzle is getting early work into real products and services.

    FWIW, I'm personally involved in a couple of efforts using clear text JSON signatures:
    - Saturn, an open payment authorization scheme based on an enhanced "four corner" trust model which aims at giving banks an upper hand against Apple Pay, Google Pay, PayPal, etc.
    - Mobile ID, an open, PKI-based, multi-issuer mobile authentication and signature solution for e-governments.

    Regards,
    Anders

     > Best regards
     > //Samuel
     >
     >
     > On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann <[email protected]> wrote:
     >
     >     On Oct 22, 2018, at 04:47, David Waite <[email protected]> wrote:
     >      >
     >      > intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions
     >
     >     Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in https://www.exploringbinary.com/php-converts-2-2250738585072012e-308-incorrectly/
     >
     >     Grüße, Carsten
     >
     >     _______________________________________________
     >     jose mailing list
     >     [email protected]
     >     https://www.ietf.org/mailman/listinfo/jose
     >
