Re: [jose] Canonical JSON form

Bret Jordan <> Mon, 29 October 2018 03:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7E4D012F1A6 for <>; Sun, 28 Oct 2018 20:04:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TSxRWhTtL7rV for <>; Sun, 28 Oct 2018 20:04:29 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::b42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DD991286D9 for <>; Sun, 28 Oct 2018 20:04:29 -0700 (PDT)
Received: by with SMTP id p144-v6so2824706yba.11 for <>; Sun, 28 Oct 2018 20:04:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=hUjJJbMgU5hE6UF3KALkucLinGJOFIbPAQt6QmhMyHA=; b=E6FmKAgELWVqbVk7gzDsqsrS+XVPoujOpbwXn2Gvw0KG0pnjS251E8GbX3aKlFVSSl SkIjRxvZ8ttY7Vp24yaPhD+zolh0BeM5TxUs17ijcGGkMTnxPi3Ag0splSwq1R41hwrE Pa/Cymwpi1N9jWjG3Bt43SIZpIKqeG9MVMoNBmack3IdeLhsYC1RK3gmWfHpSpblnueA ze1ywpGnBLrfPA+G5eMy/aC3R9ap3dbI3POBCWJyQWLfO+BvS2ZmFHeQi8kqHnzKiTEk NIoq0TVkKh5chljAa1ME4/H1E+2Weno4B+jW9GowzW/zEpFZn/HkRtD0O3Dm232xo1sr GHng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=hUjJJbMgU5hE6UF3KALkucLinGJOFIbPAQt6QmhMyHA=; b=JJEWLsDobAaYaXVDz99CrPuGPdLYJKEY5X4DvhRcrK2rWbZa/uqISCTzzgwZveEzFK iT9+YD7JQjUDjaPN37f3fIzJTt8ceOirpSVsXW1lv9AfZ3Y3mTf1lYFxRNP7JnmjhlLX 50/w840Vg6TRtQRZ7TIi2KeP812mRwCliq/d9PWiAGCLRBfY/5N+T+NgsVx2P27aDmDd B8WIdzhazxPOFuPsAt+05oCL5RaBR9wGVRJVNPA1Se1wSt4IQ7LkoZpndzhojLotGsGS cQPHT4dxbVyzrrV9aEP9VRyabBIRdj4WSv5dlQsj0otJ3J2z/6GXWECIdDJ0ghBrlX41 ZOUA==
X-Gm-Message-State: AGRZ1gLVhzlH+oZ5cvMKUe951zYZEokSooITT7rfs+ynESfQ7/vUR5cB 6c1dQFePCj+48PIDmPJ/mYQ=
X-Google-Smtp-Source: AJdET5c/oNa3qwPuVQAkvYoynNKk10DTY/SiAyr8HypLp25NtI2Csg29n+xRh7kBknXNW8a9HnRReg==
X-Received: by 2002:a25:69cd:: with SMTP id e196-v6mr12144809ybc.439.1540782268409; Sun, 28 Oct 2018 20:04:28 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:5108:ee4b:f209:8e5e? ([2605:a601:3260:266:5108:ee4b:f209:8e5e]) by with ESMTPSA id 84-v6sm4508629ywp.69.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 28 Oct 2018 20:04:27 -0700 (PDT)
From: Bret Jordan <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_79A40714-EF0D-41BF-ABD0-455F33191D36"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sun, 28 Oct 2018 21:04:20 -0600
In-Reply-To: <>
Cc: Carsten Bormann <>,, Anders Rundgren <>, Kathleen Moriarty <>,,, Phil Hunt <>
To: Samuel Erdtman <>
References: <> <> <> <00ad01d460f4$69ae8a00$3d0b9e00$> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [jose] Canonical JSON form
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Oct 2018 03:04:32 -0000

Oh there is real need.  Several standards and implementations inside the IETF and outside the IETF in other SDOs need this.  So in my view there are a few options:

1) Try and convince a working group here in the IETF that this is a good idea so we can actually work on it. 

2) Work on this in another SDO outside the IETF (ETSI, OASIS, ITU, etc etc etc)

3) Do this work as an industry standard similar to what happened between W3C and WHATWG. 

I would personally prefer that this work be done here in the IETF.  But there seems to be a lot of resistance here. I am willing to work on this and help make this a reality.  There is a lot of great prior work on this.  

Maybe we can have a meeting in Prague?  Or I can setup a Telepresence WebEx after Bangkok and all those that are interested can join and we can discuss next steps. 

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 28, 2018, at 2:32 PM, Samuel Erdtman <> wrote:
> In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.
> As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations. If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.
> Best regards
> //Samuel
> On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann < <>> wrote:
> On Oct 22, 2018, at 04:47, David Waite < <>> wrote:
> > 
> > intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions
> Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in <>
> Grüße, Carsten
> _______________________________________________
> jose mailing list
> <>
> <>