Setting aside the JSON canonicalization issue, I think that locking in
a signature algorithm (esp. one that already is showing weakness such
as SHA-1) is a mistake. The digest key should go to an object that
has the algorithm and data properties.

Instead of this:

    "digest": "pFCzUK7yuO0dWtm0oATB7ag6vj0="

use this:

    "digest": {"algorithm": "SHA1", "data": "pFCzUK7yuO0dWtm0oATB7ag6vj0="}

It may be the case that SHA1 is the default for the near future, but
this choice will probably not be the default by the time Couch hits
2.0...
Now that I think about it a bit more, perhaps the digest should be a
nested object with being the algorithm identifier and data being the
hash value for that particular algorithm. This also means that the
"signed" object would need to be a similarly nested object with
algorithm/hash-signature pairs, but it does give more flexibility and
a small bit of future-compatibility.
jim
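
An added example, not part of the message above or of CouchDB's code: a verifier that accepts the bare-string digest, the {"algorithm", "data"} object, and one reading of the nested proposal (a map from algorithm identifier to hash value). The identifiers "SHA256" and "SHA512", the acceptance policy and the sample body are assumptions; the page names only "SHA1".

```python
import base64
import hashlib
import hmac

# Assumption: identifier -> hashlib name. The message only names "SHA1".
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Assumption: verifier policy. SHA1 is still parsed but not trusted on its own.
ACCEPTED = {"SHA256", "SHA512"}


def normalize(digest):
    """Return {algorithm: raw_hash_bytes} for any of the three digest shapes."""
    if isinstance(digest, str):            # legacy bare string, implicitly SHA1
        pairs = {"SHA1": digest}
    elif isinstance(digest, dict) and set(digest) == {"algorithm", "data"}:
        pairs = {digest["algorithm"]: digest["data"]}
    elif isinstance(digest, dict):         # nested reading: {"SHA1": ..., "SHA256": ...}
        pairs = digest
    else:
        raise ValueError("unsupported digest shape")
    out = {}
    for alg, data in pairs.items():
        if alg not in ALGORITHMS:          # never guess at an unknown identifier
            raise ValueError(f"unknown algorithm {alg!r}")
        raw = base64.b64decode(data, validate=True)
        if len(raw) != hashlib.new(ALGORITHMS[alg]).digest_size:
            raise ValueError(f"wrong hash length for {alg}")
        out[alg] = raw
    return out


def verify(body, digest, accepted=ACCEPTED):
    """True only if every listed hash matches and at least one is in `accepted`."""
    hashes = normalize(digest)
    for alg, expected in hashes.items():
        actual = hashlib.new(ALGORITHMS[alg], body).digest()
        if not hmac.compare_digest(actual, expected):
            return False                   # one bad entry fails the whole digest
    return any(alg in accepted for alg in hashes)


def make(body, alg):
    """Base64 hash of body, as it would appear in the "data" field."""
    return base64.b64encode(hashlib.new(ALGORITHMS[alg], body).digest()).decode()


BODY = b'{"_id":"doc1","value":42}'       # constructed sample, assumed already canonical
```

Checking every listed hash, rather than only the strongest one, keeps a document from carrying a valid SHA256 entry alongside a SHA1 entry computed over different bytes.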