IETF Logo Mail Archive

Re: JSON headers

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Sat, 09 July 2016 22:34 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85F9F12B00A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 9 Jul 2016 15:34:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.308
X-Spam-Level:
X-Spam-Status: No, score=-6.308 tagged_above=-999 required=5 tests=[HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YxIoTIJh2G77 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 9 Jul 2016 15:34:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2262212B016 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 9 Jul 2016 15:34:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bM0ls-0004A8-55 for ietf-http-wg-dist@listhub.w3.org; Sat, 09 Jul 2016 22:30:48 +0000
Resent-Date: Sat, 09 Jul 2016 22:30:48 +0000
Resent-Message-Id: <E1bM0ls-0004A8-55@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <phil.hunt@oracle.com>) id 1bM0ln-00049Q-Ql for ietf-http-wg@listhub.w3.org; Sat, 09 Jul 2016 22:30:43 +0000
Received: from userp1040.oracle.com ([156.151.31.81]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <phil.hunt@oracle.com>) id 1bM0ll-0006vn-Hc for ietf-http-wg@w3.org; Sat, 09 Jul 2016 22:30:42 +0000
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u69MU9cW023419 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 9 Jul 2016 22:30:10 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u69MU9vY030125 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 9 Jul 2016 22:30:09 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u69MU6VP020503; Sat, 9 Jul 2016 22:30:08 GMT
Received: from [192.168.1.7] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 09 Jul 2016 22:30:05 +0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (13F69)
In-Reply-To: <CAD6ztspY=NCA0cCBRtSMhzHr_VKPdsBCTf7TCLK3CNGhNkEsFg@mail.gmail.com>
Date: Sat, 09 Jul 2016 15:30:04 -0700
Cc: ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <383D0CEC-BF52-4A0E-9E74-3B288C506E06@oracle.com>
References: <74180.1468000149@critter.freebsd.dk> <A17D3EFD-A935-4971-BCF6-DC9D38302CAD@oracle.com> <CAD6ztspY=NCA0cCBRtSMhzHr_VKPdsBCTf7TCLK3CNGhNkEsFg@mail.gmail.com>
To: Kevin Marks <kevinmarks@gmail.com>
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Received-SPF: pass client-ip=156.151.31.81; envelope-from=phil.hunt@oracle.com; helo=userp1040.oracle.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.626, BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1bM0ll-0006vn-Hc 08a6e08e9c9c5e26b74a1181a1401029
X-Original-To: ietf-http-wg@w3.org
Subject: Re: JSON headers
Archived-At: <http://www.w3.org/mid/383D0CEC-BF52-4A0E-9E74-3B288C506E06@oracle.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31853
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Yes. I was thinking of combining this with the JOSE specs so signing becomes possible. 

Phil

> On Jul 9, 2016, at 2:51 PM, Kevin Marks <kevinmarks@gmail.com> wrote:
> 
>> On Fri, Jul 8, 2016 at 11:44 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>> Not sure if this has been discussed. One of the biggest problems with HTTP
>> request signing has been repeat headers. It presents problem of detecting
>> which headers are intended and which header was signed first.
>> 
>> It would be nice if the JSON encoding handled arrays so that the demand for
>> duplicate headers is removed.  Signing could then be more successful and
>> could even stipulate that the presence of a repeat header in a signed
>> request is a failure condition.
> 
> JSON doesn't help with this, as key order in objects (as opposed to
> lists) is not required or defined.
> Different programming languages behave differently here when
> iterating. PHP preserves definition order, python orders by hash of
> the key, and Go randomises the  order (to prevent accidental
> dependencies).
> Parsing JSON into native form and writing it out again makes key order
> indeterminate.
> As http headers have order dependent behaviour, this is a problem with
> replacing the key: value with JSON.
>

v2.23.0 | Report a Bug | By Email