I would love to attend the BOF in Prague on this topic.
Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Nov 3, 2018, at 11:52 AM, Anders Rundgren <[email protected]> wrote:
>
> On 2018-10-29 14:38, Tim Bray wrote:
>> I like Samuel Erdtman's idea of starting with an open-source implementation. If I see one of those, with a convincing set of test cases, I'd be inclined to make the case for spinning up a working group.
>> The argument isn't "Would it be useful?" it's "Can it be done?" So, start by proving it can.
>
> Things are progressing:
> https://github.com/dotnet/coreclr/pull/20707#issuecomment-435536433
> A coming version of the .NET platform should then be fully compatible with the proposed scheme.
>
> Anyway, since there are two quite distinct ways of addressing this topic, I'm thinking about a BoF session in Prague as a possible next step.
>
> WDYT?
>
> Anders
>
>> On Mon., Oct. 29, 2018, 1:33 a.m. Anders Rundgren <[email protected]> wrote:
>> On 2018-10-28 21:32, Samuel Erdtman wrote:
>> > In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.
>> >
>> > As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations.
>> Yes, and part of that is supplying test data like:
>> https://github.com/cyberphone/json-canonicalization/tree/master/testdata
>> The Microsoft folks developing "Chakra" (their JS engine) already use the 100 million reference values.
>> > If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.
>> Well, another part of the standards puzzle is getting early work into real products and services.
>>
>> FWIW, I'm personally involved in a couple of efforts using clear text JSON signatures:
>> - Saturn, an open payment authorization scheme based on an enhanced "four corner" trust model which aims at giving banks an upper hand against Apple Pay, Google Pay, PayPal, etc.
>> - Mobile ID, an open, PKI-based, multi-issuer mobile authentication and signature solution for e-governments.
>> Regards,
>> Anders
>> > Best regards
>> > //Samuel
>> >
>> >
>> > On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann <[email protected]> wrote:
>> >
>> > On Oct 22, 2018, at 04:47, David Waite <[email protected]> wrote:
>> > >
>> > > intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions
>> >
>> > Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in https://www.exploringbinary.com/php-converts-2-2250738585072012e-308-incorrectly/
>> >
>> > Grüße, Carsten
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
