Re: [jose] Canonical JSON form

Bret Jordan <jordan.ietf@gmail.com> Sat, 03 November 2018 12:55 UTC

Cc: Tim Bray <tbray@textuality.com>, Samuel Erdtman <samuel@erdtman.se>, Carsten Bormann <cabo@tzi.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, jose@ietf.org, david@alkaline-solutions.com, James.H.Manger@team.telstra.com, Phil Hunt <phil.hunt@oracle.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/KdRz48hwwqAoxFsktV2v0CkIKFc>

I would love to attend the BOF in Prague on this topic.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Nov 3, 2018, at 11:52 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> On 2018-10-29 14:38, Tim Bray wrote:
>> I like Samuel Erdtman's idea of starting with an open-source implementation.  If I see one of those, with a convincing set of test cases, I'd be inclined to make the case for spinning up a working group.
>> The argument isn't "Would it be useful?" it's "Can it be done?" So, start by proving it can.
> 
> Things are progressing:
> https://github.com/dotnet/coreclr/pull/20707#issuecomment-435536433
> A coming version of the .NET platform should then be fully compatible with the proposed scheme.
> 
> Anyway, since there are two quite distinct ways of addressing this topic, I'm thinking about a BoF session in Prague as a possible next step.
> 
> WDYT?
> 
> Anders
> 
>> On Mon., Oct. 29, 2018, 1:33 a.m. Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>    On 2018-10-28 21:32, Samuel Erdtman wrote:
>>     > In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.
>>     >
>>     > As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations.
>>    Yes, and part of that is supplying test data like: https://github.com/cyberphone/json-canonicalization/tree/master/testdata
>>    The Microsoft folks developing "Chakra" (their JS engine) already use the 100 million reference values.
>>     > If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.
>>    Well, another part of the standards puzzle is getting early work into real products and services.
>>    FWIW, I'm personally involved in a couple of efforts using clear text JSON signatures:
>>    - Saturn, an open payment authorization scheme based on an enhanced "four corner" trust model which aims at giving banks an upper hand against Apple Pay, Google Pay, PayPal, etc.
>>    - Mobile ID, an open, PKI-based, multi-issuer mobile authentication and signature solution for e-governments.
>>    Regards,
>>    Anders
>>     > Best regards
>>     > //Samuel
>>     >
>>     >
>>     > On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann <cabo@tzi.org> wrote:
>>     >
>>     >     On Oct 22, 2018, at 04:47, David Waite <david@alkaline-solutions.com> wrote:
>>     >      >
>>     >      > intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions
>>     >
>>     >     Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in https://www.exploringbinary.com/php-converts-2-2250738585072012e-308-incorrectly/
>>     >
>>     >     Grüße, Carsten
>>     >
>>     >     _______________________________________________
>>     >     jose mailing list
>>     > jose@ietf.org
>>     > https://www.ietf.org/mailman/listinfo/jose
>>     >
>