[jose] Firefox/IE/Safari/Chrome - JCS Compatibility Test

Anders Rundgren <anders.rundgren.net@gmail.com> Sun, 26 October 2014 09:31 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 127921A6FFB for <jose@ietfa.amsl.com>; Sun, 26 Oct 2014 02:31:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.68
X-Spam-Level: *
X-Spam-Status: No, score=1.68 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FF_IHOPE_YOU_SINK=2.166, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_RHS_DOB=1.514] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id LLBulqs84WXk for <jose@ietfa.amsl.com>; Sun, 26 Oct 2014 02:31:06 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 759E91A0021 for <jose@ietf.org>; Sun, 26 Oct 2014 02:31:06 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id b13so3707707wgh.0 for <jose@ietf.org>; Sun, 26 Oct 2014 02:31:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=k9I/5hF8iqRgrswN/EfelXVTjaLYTuhKktbVpbdBpKQ=; b=VEVflVXdLB+P54F3WfjvGwlchc8qDKKUL+MP/i6xFtl9b0GQ/5knqbLD4BWcxelSsX oUpjDGlWenVJov/k1nqXKGtsyz3EqsnKQKQakNKeqUY52gfK4zHhhKN7Mvz9LN7O0H52 ZnLHAhxiSZ8q9+L2guG0+SOJ3iwugEXfPh3nbA6sys/W9YXhUEbWZkFpTuXgGqD6eGzb NtFhJCJw3DjWukFWNVZUhu6HEGd1E+8G5eQCjJJXMc49ETu+CGlXca3reMfblQR5U3Vv UW2dZsXDMRmrZSJ5K78DIJTPoFwoPOzyceE1tZAbNMd8lUJd+tkW15vifj2JGD6sOeRI Lwdg==
X-Received: by with SMTP id x13mr14771140wiv.6.1414315865042; Sun, 26 Oct 2014 02:31:05 -0700 (PDT)
Received: from [] ( []) by mx.google.com with ESMTPSA id mc4sm7700805wic.6.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 26 Oct 2014 02:31:04 -0700 (PDT)
Message-ID: <544CBF4B.90703@gmail.com>
Date: Sun, 26 Oct 2014 10:30:51 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "jose@ietf.org" <jose@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/DjH_Yivj_eFxPep51De-i4iqeNo
Subject: [jose] Firefox/IE/Safari/Chrome - JCS Compatibility Test
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Oct 2014 09:31:08 -0000

Dear List,

Although JSON-I says that preserving the order of properties shouldn't be counted on,
the JSON implementations in browsers *seem* to do that anyway.  This also means
that at least on the browser-side there there's no problem supporting clear-text signatures
( https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html )
like featured in the following authentic example created with Chrome and WebCrypto:

Well, there *is* indeed one thing that doesn't work out-of-the-box and that are floating-point numbers:

For JSON applications using floating point numbers, JWS, "upgraded" parsers (like the one I
have built), or putting floating point numbers in strings are the [currently] only ways ahead.

Note: The idea with JCS is in *no way* competing with JOSE but offering an alternative
for those who (like me) are in the process migrating traditional business applications
from XML to JSON.  If you apply JWS on the counter-signed message above I have a
feeling that not everybody would be completely thrilled.

BTW, there's is one thing I lack in the browser parsers which I have used extensively
on the server-side and that is the ability to test that all properties actually have been
read (=no unexpected).  This can (at least for low-to-medium complex systems) together
with strict "reader" code, pretty well compensate for the lack of a JSON schema.