Re: [jose] Canonical JSON form

Anders Rundgren <> Sun, 18 November 2018 07:53 UTC


On 2018-10-11 21:03, Carsten Bormann wrote:
> On Oct 11, 2018, at 20:23, Phil Hunt <> wrote:
>> I am not sure of the value of canonicalization.  I prefer bytestream encoding style where the original content goes with the signature.
> I’m afraid a lot of people are sitting in front of their screens silently agreeing, but not typing anything because their hands are tied up in an interminable facepalm.

Those who are not stuck in an ever-lasting facepalm may not be entirely comfortable with signature schemes that completely change the structure of signed messages. Does COSE do this as well?

Well, you can of course add artificial unsigned layers (like the TEEP folks do), but that smells "workaround" rather than solution.


> So, for the record:
> To the people asking for a c14n solution for signature: If you want XMLDSig, you know where to find it.
> The basic approach of having humongous XML documents that get signatures added to themselves as part of the document only makes sense in certain processing models that went out of favor with XML.
> JOSE does the right thing for more modern applications.
> I’m not opposed to doing some “c14n” work on serialization schemes — deterministic serialization has other applications than just XMLDSig.
> That would be work for a JSONbis WG (but I fear the interest level among JSON experts will be low).
> I definitely do not like giving the message that c14n-based signatures are the new thing that will replace doing the right thing (JOSE, that is).
> Grüße, Carsten