Re: [jose] Canonical JSON form

Carsten Bormann <> Sun, 18 November 2018 15:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CD6F0130DD7 for <>; Sun, 18 Nov 2018 07:00:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KC9D2TrOGpX3 for <>; Sun, 18 Nov 2018 07:00:08 -0800 (PST)
Received: from ( [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EFEDA1277BB for <>; Sun, 18 Nov 2018 07:00:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
Received: from ( [IPv6:2001:638:708:30c8:406a:91ff:fe74:f2b7]) by (8.14.5/8.14.5) with ESMTP id wAIExxEJ000777; Sun, 18 Nov 2018 16:00:04 +0100 (CET)
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 42yZrZ6TNqz1Bqf; Sun, 18 Nov 2018 15:59:58 +0100 (CET)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Carsten Bormann <>
In-Reply-To: <>
Date: Sun, 18 Nov 2018 15:59:57 +0100
X-Mao-Original-Outgoing-Id: 564245992.976745-b40d6fafc45922ded49a211ee464792b
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <00ad01d460f4$69ae8a00$3d0b9e00$> <> <> <> <> <> <> <> <>
To: Anders Rundgren <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [jose] Canonical JSON form
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 18 Nov 2018 15:00:11 -0000

On Nov 18, 2018, at 08:53, Anders Rundgren <> wrote:
> On 2018-10-11 21:03, Carsten Bormann wrote:
>> On Oct 11, 2018, at 20:23, Phil Hunt <> wrote:
>>> I am not sure of the value of canonicalization.  I prefer bytestream encoding style where the original content goes with the signature.
>> I’m afraid a lot of people are sitting in front of their screens silently agreeing, but not typing anything because their hands are tied up in an interminable facepalm.
> Those who are not stuck in an a ever-lasting facepalm may not be entirely comfortable with signature schemes that completely change the structure of signed messages.  COSE do this as well?

I don’t understand the question.  The point of COSE is that the signed message is not changed at all.
(With JOSE, it needs to be base64-encoded for transfer, but it also isn’t changed otherwise.)

> Well, you can of course add artificial unsigned layers (like the TEEP folks do), but that smells “workaround" rather than solution.

Again, I don’t understand.  But maybe what I wrote earlier is still applicable:

>> To the people asking for a c14n solution for signature: If you want XMLDSig, you know where to find it.
>> The basic approach of having humongous XML documents that get signatures added to themselves as part of the document only makes sense in certain processing models that went out of favor with XML.


>> JOSE does the right thing for more modern applications.

And this.

>> I’m not opposed to doing some “c14n” work on serialization schemes — deterministic serialization has other applications than just XMLDSig.

RFC 7049 has some recommendations for “c14n" that are being cleaned up and updated for 7049bis.
Those are implemented in a few CBOR libraries, albeit not in all.
The RFC 7049 version of “c14n” is in use in some other SDOs’ work.

>> I definitely do not like giving the message that c14n-based signatures are the new thing that will replace doing the right thing (JOSE, that is).

And this.

Grüße, Carsten