Re: [jose] Canonical JSON form

David Waite <> Mon, 22 October 2018 02:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3FFBA130DC3 for <>; Sun, 21 Oct 2018 19:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HfwhfDcOrI8c for <>; Sun, 21 Oct 2018 19:47:04 -0700 (PDT)
Received: from ( [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by (Postfix) with ESMTP id CCBDE12F1AC for <>; Sun, 21 Oct 2018 19:47:04 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:4179:bfa3:f068:e354] (unknown [IPv6:2601:282:202:b210:4179:bfa3:f068:e354]) by (Postfix) with ESMTPSA id C60B8315EC; Mon, 22 Oct 2018 02:47:02 +0000 (UTC)
From: David Waite <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F1BE2A4F-7738-4F90-AB91-21D42B34D033"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.100.43\))
Date: Sun, 21 Oct 2018 20:47:01 -0600
In-Reply-To: <>
Cc: Bret Jordan <>, Carsten Bormann <>, "Manger, James" <>, Kathleen Moriarty <>,, Phil Hunt <>
To: Anders Rundgren <>
References: <> <> <> <00ad01d460f4$69ae8a00$3d0b9e00$> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.100.43)
Archived-At: <>
Subject: Re: [jose] Canonical JSON form
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Oct 2018 02:47:06 -0000

> On Oct 19, 2018, at 10:55 PM, Anders Rundgren <> wrote:
> There is also a (very active) W3C community group working with a similar concept so clear-text signatures based on JSON canonicalization will probably reach the market regardless of IETF's position on the matter:

This document is not on a standards track. The group which published this it is not a standards group. So this isn’t currently on track to reach the market as a IETF or W3 standard.

It also is based on RDF canonicalization; it canonicalized a specific format expressed in JSON, not arbitrary JSON. 

That isn't to say that there couldn’t be multiple canonicalization formats supported, possibly built as filters so you could combine them together, such as existed with XML-DSIG. Then you have a compatibility matrix to deal with.

This still doesn’t solve the problem that many internal representations of JSON will not preserve the full data set you are representing in your canonical form. 

From my development experience with XML-DSIG, this is most commonly that tools will discard information they do not understand, such as properties which aren’t part of the public schema. For developers who do not understand the additional restrictions a cleartext signature is placing on them, this causes issues that only come up late in broad interoperability testing, that can only be resolved through per-vendor workarounds or reimplementation to use different tools. This actually occurred multiple times across different implementations, sometimes when leveraging libraries that did claim to preserve the full information set of the XML document.

> The 1 million of random and "edge" JSON Numbers used for testing the devised JSON canonicalization scheme, uncovered flaws in other systems as well...
> <>

This yet another case against canonical JSON, is it not? Or rather, how are people expected to deal with intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions comes out?