Re: [jose] Canonical JSON form

Jim Schaad <ietf@augustcellars.com> Wed, 10 October 2018 23:53 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Nathaniel McCallum' <npmccallum@redhat.com>, <jordan.ietf@gmail.com>
CC: <jose@ietf.org>
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com>
In-Reply-To: <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com>
Date: Wed, 10 Oct 2018 16:53:13 -0700
Message-ID: <00ad01d460f4$69ae8a00$3d0b9e00$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Hxj3DLC-9OunuIdsOqq8gakChTs>
Subject: Re: [jose] Canonical JSON form


> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Nathaniel McCallum
> Sent: Wednesday, October 10, 2018 2:03 PM
> To: jordan.ietf@gmail.com
> Cc: jose@ietf.org
> Subject: Re: [jose] Canonical JSON form
> 
> I can't speak for the WG. However, I think such is unnecessary. It is long
> standing custom, when working with JSON (with or without JOSE), to serialize
> without whitespace and with sorted keys. Every single JSON implementation
> I've ever come across gives you the ability to do this.

Other implementations say that you should preserve the order of the fields you read when serializing, which is part of JSON for the browser implementations but not necessarily elsewhere.

Jim

> On Wed, Oct 10, 2018 at 4:49 PM Bret Jordan <jordan.ietf@gmail.com> wrote:
> >
> > Would this WG be open to working on a solution to sign JSON (not a byte
> stream) and define a canonical representation for said JSON?
> >
> >
> > Thanks,
> > Bret
> > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
> >
> > On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum
> <npmccallum@redhat.com> wrote:
> >
> > JWS signs a byte stream, not JSON. If you want to use a JWS to sign
> > JSON data it is your responsibility to ensure that both sides produce
> > an equivalent byte stream.
> > On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <jordan.ietf@gmail.com>
> wrote:
> >
> >
> > Dear WG,
> >
> > I was reading through RFC 7515 to see if it would work for a project I am
> working on.  Basically the need to sign and resign a JSON object.  However, in
> RFC 7515 there does not seem to be any definition for serializing a canonical
> form of JSON. This means that two organizations that serialize it differently
> would produce two different signatures.
> >
> > Super simple example
> >
> > { "type" : "house", "size" : "1000 sq feet" }
> >
> >
> >
> > Or
> >
> > {
> >  "type" : "house",
> >  "size" : "1000 sq feet"
> > }
> >
> >
> >
> > Or
> >
> > {"type":"house","size":"1000 sq feet"}
> >
> >
> >
> > Or (tabs not spaces)
> >
> > {
> > "type" : "house",
> > "size" : "1000 sq feet"
> > }
> >
> >
> > All four of these JSON structures would produce a different signature as
> defined by RFC 7515. What am I missing?
> >
> >
> > Thanks,
> > Bret
> > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
> >
> >
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
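
An added example, not part of this thread and not code from any JOSE library, that works through the points above in Python. It signs Bret's four serializations (straight quotes substituted so they are valid JSON) with an HS256 JWS as RFC 7515 defines it, over the raw text and over a "sorted keys, no whitespace" re-serialization; it then shows the key-order difference Jim raises, and one caveat Nathaniel's customary form does not cover (number formatting). The HMAC key, the sample documents and the helper names are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment uses a properly generated key.
HMAC_KEY = b"constructed-demo-key-not-for-production"

# Bret's four serializations of the same object (constructed sample input).
SERIALIZATIONS = [
    '{ "type" : "house", "size" : "1000 sq feet" }',
    '{\n  "type" : "house",\n  "size" : "1000 sq feet"\n}',
    '{"type":"house","size":"1000 sq feet"}',
    '{\n\t"type" : "house",\n\t"size" : "1000 sq feet"\n}',
]

# Same members, different member order: what an order-preserving serializer
# (the browser behaviour Jim mentions) keeps and a sorting serializer discards.
REORDERED = [
    '{"type":"house","size":"1000 sq feet"}',
    '{"size":"1000 sq feet","type":"house"}',
]


def b64url(data: bytes) -> str:
    """RFC 7515 base64url encoding without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_bytes(obj) -> bytes:
    """The customary form: sorted keys, no insignificant whitespace, UTF-8.
    This is a normalization convention, not a complete canonicalization
    scheme (see number_formatting_caveat below)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def canonical_of_text(text: str) -> bytes:
    return canonical_bytes(json.loads(text))


def insertion_order_preserved(texts):
    """Serialize as an order-preserving implementation would: compact, unsorted."""
    return [json.dumps(json.loads(t), separators=(",", ":")).encode("utf-8")
            for t in texts]


def jws_hs256(payload: bytes, key: bytes) -> str:
    """JWS compact serialization with HS256. The payload is an opaque byte
    string; JWS neither parses nor normalizes it."""
    header = json.dumps({"alg": "HS256"}, separators=(",", ":")).encode("utf-8")
    signing_input = b64url(header) + "." + b64url(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jws_verify_hs256(token: str, key: bytes):
    """Return the payload bytes if the HS256 signature verifies, else None.
    The expected algorithm is fixed by the verifier, not taken from the token."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        return None
    return b64url_decode(p)


def signatures_over_raw_text(texts, key=HMAC_KEY):
    """Sign each serialization as received: whitespace changes the signature."""
    return [jws_hs256(t.encode("utf-8"), key) for t in texts]


def signatures_over_canonical(texts, key=HMAC_KEY):
    """Parse, re-serialize in the customary form, then sign: one signature."""
    return [jws_hs256(canonical_of_text(t), key) for t in texts]


def number_formatting_caveat():
    """1 and 1.0 parse to equal Python values yet serialize to different bytes;
    a real canonicalization scheme has to pin number formatting too."""
    return (json.loads('{"n": 1}') == json.loads('{"n": 1.0}'),
            canonical_of_text('{"n": 1}'), canonical_of_text('{"n": 1.0}'))


if __name__ == "__main__":
    print(len(set(signatures_over_raw_text(SERIALIZATIONS))), "distinct raw signatures")
    print(len(set(signatures_over_canonical(SERIALIZATIONS))), "distinct canonical signatures")
    print(insertion_order_preserved(REORDERED))
    print(number_formatting_caveat())
```

Run stand-alone it reports four distinct signatures over the raw text and one over the sorted compact form; the two REORDERED documents differ under an order-preserving serializer and agree under sorting, and the last line shows the number case. The verifier pins the algorithm itself rather than reading it from the header, which is the usual guard against "alg" confusion when a JWS is accepted from an untrusted party.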