[dispatch] JSON Canonicalization - IETF-104 Meeting Summary

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 10 May 2019 05:40 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B773120169 for <dispatch@ietfa.amsl.com>; Thu, 9 May 2019 22:40:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sAr1O_p8v6WK for <dispatch@ietfa.amsl.com>; Thu, 9 May 2019 22:40:35 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F049212015D for <dispatch@ietf.org>; Thu, 9 May 2019 22:40:34 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id d12so6080285wrm.8 for <dispatch@ietf.org>; Thu, 09 May 2019 22:40:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=5VCm1yyjvlSzjfvlpN6grJArDixDC0mO13tjfhMgu40=; b=DgSmf6iuZY7M6M/f9ubaX2SOBeXS4x/2FWVQKCoo1NFvxhHomoksiyx/vrXQlavXtD TMmUDwovA9ZwlnNtOqmSVf/kTJxhbOxmrl/aCSiAIj0g6wocGOhOb070vHGySsqBN5YU 1e3OOiNO7NWhFVZtlhCql8ak2LPtqoNOIbtFdOxZsV9Zc1NgbUtIGBeaa3Y6MZg6D0Fw eaxOHAGbs+PFifYp91NxJ3w1csLTHjj65QvzXztbuRfdGi45M4veNGzKfcG63sbcXajo qqLeTKugKy2W/l2cSy6bqTSfOWSQ15SyOBWTmYBfxUSpjA31swKUQh5IiFTScljPOIWl U5oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=5VCm1yyjvlSzjfvlpN6grJArDixDC0mO13tjfhMgu40=; b=s6j1HIK314JVlhFuedbuWqG5Un9gR/iaUGfKvefdTMEKj+gJqaQ0qHbDOUJFriKjnO hbYvEBWy0b22ixNsVoS9iHDWlCxyDuGdKcuTeLXA5EtRHwOC6TqhnsuqDMiPgYnkESVq KZ8XbZBi6VzKIbo0H/Sg0KBjamCyGdkNGQ4g48XGI0JFql/LZ4VervPC5n3Wb4rpSTcb LhOqw/ag7dx5zgvqkP5qrpY5ZKHGCg7Y9HV+/3Fa2Ie+8tvf8Fg4LwbbnU/NkMWEs5NX Qh3QjMlMaFU4Ul7bFq8Seiyq/sqflOQ+RQpUtxbmBPa0tRs2ueMy3qomnoErsQDHth2Y mOfQ==
X-Gm-Message-State: APjAAAWc7zd8K20rs8LBVqdK//Ye7Y3f/HHt5zHp+t+YeEUTBtwbQyJC jwZQ+AsVBDfwaorJwLMHbxvH3v7lu+4=
X-Google-Smtp-Source: APXvYqyMllRKMPxNn3X9pDrEroU1on0+QXVi1XRR6htflTiqSeu9lyD6D0RccLvwgjavtIvt5VEaFA==
X-Received: by 2002:a5d:4707:: with SMTP id y7mr6514397wrq.59.1557466833202; Thu, 09 May 2019 22:40:33 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id o6sm10762925wrh.55.2019.05.09.22.40.31 for <dispatch@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 May 2019 22:40:32 -0700 (PDT)
To: DISPATCH <dispatch@ietf.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <dee9a309-dcac-b32b-6d02-372309176bc4@gmail.com>
Date: Fri, 10 May 2019 07:40:30 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/xWA1yBKfkf-mxxvt1O9KC5rbrqE>
Subject: [dispatch] JSON Canonicalization - IETF-104 Meeting Summary
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 05:40:37 -0000

Hi Guys,

I have tried to the best of my ability to collect and comment on the issues raised during the 3 meetings held at IETF-104:
https://cyberphone.github.io/ietf-json-canon/ietf-104-report.html

I have just been made aware of that IETF's maybe most ambitious effort creating signed HTTP requests[1] was shot down, making another, less known scheme[2] to some people's dismay turning into a de-facto standard for (at least) Open Banking.  Why was it shot down?  Because it wouldn't work reliable in inferior server configurations which IMO sounds like a pretty unreasonable requirement.

Yes, JCS also won't work satisfactory in every possible scenario but it is clearly stated what the lower bar is:
- JSON Numbers MUST conceptually be treated as IEEE-754 double precision data during parsing/serialization
- JSON Strings MUST (modulo escaping) be treated as immutable during parsing/serialization
The rest is close to trivial.

Thanx,
Anders

1] https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
2] https://datatracker.ietf.org/doc/draft-cavage-http-signatures/