Re: [jose] Canonical JSON form

Anders Rundgren <> Fri, 12 October 2018 06:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0A412130DE2 for <>; Thu, 11 Oct 2018 23:38:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Vt3Rr3G7gIeQ for <>; Thu, 11 Oct 2018 23:38:40 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 89C9E130DFD for <>; Thu, 11 Oct 2018 23:38:40 -0700 (PDT)
Received: by with SMTP id a13-v6so12147851wrt.5 for <>; Thu, 11 Oct 2018 23:38:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Uvx8P4j31X5/CgA3tSl7JTOgFQiqeHy/ehE1fvGL9aA=; b=D/oq7+yFzEWM2SXphxIE96YOZdJcWMffMm/xzgyRLY47ZIFFCXAL2mwtP6ne5xkuvk Flgc+Tfi0ScAIS/oaZaTyZB48xxoyL+QHUctB1Qr2cJoMhYlHtxusr2tHwkkiGHA0ItO Qelc5EQ6WW1C/V/FxhIKray66/LPsD9D3IsW40H7/43O5AmuutwnQvMOup/bVB0hbPgX OLU9nioXBaIwz6EYCL1mCp7rxqh9dlNIs0PgLuXoMBiHs0nIgcLtw0aBnSHJHcNGpMbF f9QU5hsJ3M2Nyqchzo0tXuepKmOupmILYlUN4TvTIPM6jQLVr2gOI4RpMhQ7bvn/QRYJ gAEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Uvx8P4j31X5/CgA3tSl7JTOgFQiqeHy/ehE1fvGL9aA=; b=Zn340r75L7ATsXKe0dfpyqM6k6wT4ITtgZa8qk88DUyJil6B2AvFcXsp7Ri7udWQ0y D1GzMdHFlUCm0gxx2U3ReCdsHyG7PQRFrB7/70li2jRrk4LBxAz8SeN7rITORllE6Q0Y W1LtEUXO5FaPT22ufKYLcMzRGkQ941fwV7N93FwsBTb7bodg67OGsZ2JBeMtmL2SGI7G wB35+UfHKao4CYraP11ufmfsYkXmD0TvGb1F9vWJboUAAJ9v0kg+0YB6+SCbmb4TJ5oS moe7jD9NJphxQdW7oiZtkOdpYn4EU9olnN/a4Q4jtX0poHGSYIBl8HaqRKQy7oBHgf73 D0fQ==
X-Gm-Message-State: ABuFfojXl616R0bAzXFy8yzydWSNsp0af8bT7Yz+sbxwhQmJYvY4h2Uv u1W6IFwkXaTbotYb40Xov4EajQPu
X-Google-Smtp-Source: ACcGV62aLw7MwhXX/RVTfJWUWfdkf/1+2xyV4Wg/ftJBLfe+Bs6Ytj9pmtgjLEZ4LezAlebbe+05ng==
X-Received: by 2002:a5d:52ce:: with SMTP id r14-v6mr3934034wrv.123.1539326318394; Thu, 11 Oct 2018 23:38:38 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id 90-v6sm343820wrg.86.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Oct 2018 23:38:37 -0700 (PDT)
To: Bret Jordan <>
Cc: Carsten Bormann <>, Phil Hunt <>, Kathleen Moriarty <>, "Manger, James" <>,
References: <> <> <> <> <00ad01d460f4$69ae8a00$3d0b9e00$> <> <> <> <> <> <> <> <> <>
From: Anders Rundgren <>
Message-ID: <>
Date: Fri, 12 Oct 2018 08:38:33 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [jose] Canonical JSON form
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Oct 2018 06:38:43 -0000

On 2018-10-11 22:05, Bret Jordan wrote:
> Anders,
> I really like what you have done with this.  I am trying to figure out if it will work 100% for my needs, or if it will need some tweaking.  If it does work, then I think we should really try and figure out how we get your work standardized.

Thanx Bret!

The I-D provides quite a lot of features including an extension option that can be used for adding possibly missing functionality.

There is one thing that is good to know for anyone thinking about standardizing Canonical JSON and that's the fact that canonicalization also can be performed on the text level as described by:

This has the advantage that it is very simple and supports the entire JSON RFC without restrictions.

So why didn't I took this [superficially obvious] route? There are several reasons for that:

A downside of source level canonicalization is that it doesn't integrate with JSON parsers and serializers. was explicitly designed to eventually be an option of a standard JSON serializer as it already is in my Java reference implementation.

Another issue is that it is unclear what the value is with using the JSON "Number" format outside of the IEEE range.  In fact, it excludes parsers like JavaScript's JSON.parse() unless JavaScaript would be updated to always use a "BigNumber" as fundamental numeric type.