This may not sound like a security related issue but it actually is...
Although entirely uncoordinated, there are several "standards" in the workings based on creating JSON-based clear text alternatives to IETF's JWS signature scheme (which encodes data in Base64Url). All of these schemes share a common and quite intricate interoperability issue, namely serialization of the JSON "Number" type. Fortunately, ECMA who defines JavaScript have defined a strict format which is already implemented in Node.js (V8), Chrome, Firefox, and Safari. I would therefore propose that the Double object (Number are always stored as double) is augmented with an additional method like toJsonNotation(). I'm currently relying on code that was featured in a previous version of JDK (Rhino): https://github.com/cyberphone/openkeystore/blob/master/library/src/org/webpki/json/JSONObjectWriter.java#L188 Newer versions of JDK use another JS engine which produces non-compliant strings :-( WDYT? Anders https://cyberphone.github.io/doc/security/jsonsignatures.html
