Re: [jose] Canonical JSON form

Jim Schaad <ietf@augustcellars.com> Wed, 10 October 2018 23:52 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Bret Jordan' <jordan.ietf@gmail.com>, 'Nathaniel McCallum' <npmccallum@redhat.com>, jose@ietf.org
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <CAOASepNX4aYVmPWXyODn0E2Om_rimACPECqJBvZSOXVVd_p8LA@mail.gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com>
In-Reply-To: <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com>
Date: Wed, 10 Oct 2018 16:52:18 -0700
Message-ID: <00a801d460f4$494c7060$dbe55120$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/cjdvWEIH91TBHwa22qrsCeK1ESU>
Subject: Re: [jose] Canonical JSON form

The working group has closed and is not entertaining any new work. You would need to create a proposal for a new working group (could have the same name) to do this. However, trying to canonicalize JSON is generally not considered to be doable without having some external constraints added. Consider the problem with serializing {"int": 3}, which has a large number of possible ways to encode the number 3.


From: jose <jose-bounces@ietf.org> On Behalf Of Bret Jordan
Sent: Wednesday, October 10, 2018 1:49 PM
To: Nathaniel McCallum <npmccallum@redhat.com>; jose@ietf.org
Subject: Re: [jose] Canonical JSON form

Would this WG be open to working on a solution to sign JSON (not a byte stream) and define a canonical representation for said JSON?

Thanks,

Bret

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum <npmccallum@redhat.com> wrote:

JWS signs a byte stream, not JSON. If you want to use a JWS to sign
JSON data it is your responsibility to ensure that both sides produce
an equivalent byte stream.
On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <jordan.ietf@gmail.com> wrote:

Dear WG,

I was reading through RFC 7515 to see if it would work for a project I am working on. Basically, the need to sign and re-sign a JSON object. However, in RFC 7515 there does not seem to be any definition for serializing a canonical form of JSON. This means that two organizations that serialize it differently would produce two different signatures.

Super simple example

{ "type" : "house", "size" : "1000 sq feet" }

Or

{
 "type" : "house",
 "size" : "1000 sq feet"
}

Or

{"type":"house","size":"1000 sq feet"}

Or (tabs not spaces)

{
	"type" : "house",
	"size" : "1000 sq feet"
}

All four of these JSON structures would produce a different signature as defined by RFC 7515. What am I missing?

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

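The following Python script is an added illustration of the three points made in this thread; it is not code from any of the posters or from the jose working group. It shows that Bret's four serializations are different byte strings and therefore get different JWS HS256 signatures (Nathaniel's point that JWS signs bytes, not JSON), that a parse-and-re-serialize step makes the four agree, and then reproduces Jim's caveat: the number 3 can be spelled several ways in JSON, and a canonicalizer that only sorts keys and strips whitespace still emits different bytes for them. The HS256 key is a constructed demo value, and `canonicalize` is an assumed naive rule, not the rule of any RFC.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real JWS "oct" key is provisioned by the application.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Bret's four textually different serializations of the same object:
# spaces, line breaks, no whitespace, and tabs.
SERIALIZATIONS = [
    '{ "type" : "house", "size" : "1000 sq feet" }',
    '{\n "type" : "house",\n "size" : "1000 sq feet"\n}',
    '{"type":"house","size":"1000 sq feet"}',
    '{\n\t"type" : "house",\n\t"size" : "1000 sq feet"\n}',
]

# Jim's caveat: several legal JSON spellings of the number 3 (constructed).
NUMBER_SPELLINGS = [
    '{"int": 3}',
    '{"int": 3.0}',
    '{"int": 3e0}',
    '{"int": 3.000}',
]


def b64url(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_hs256_signature(payload: bytes, key: bytes = DEMO_KEY) -> str:
    """Sign bytes the way a JWS HS256 signer does (RFC 7515 section 5.1):
    the signing input is BASE64URL(header) || '.' || BASE64URL(payload),
    and the signature is HMAC-SHA256 over those ASCII bytes."""
    header = b64url(b'{"alg":"HS256"}')
    signing_input = (header + "." + b64url(payload)).encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def signatures_over_raw_bytes(texts):
    """JWS sees only the UTF-8 bytes, so each distinct text signs differently."""
    return [jws_hs256_signature(t.encode("utf-8")) for t in texts]


def canonicalize(text: str) -> bytes:
    """Assumed naive canonical form (not an RFC rule): parse, sort object keys,
    drop all insignificant whitespace. Sufficient for Bret's example, but it
    inherits the parser's number handling; see number_spellings_after_canon."""
    obj = json.loads(text)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def signatures_over_canonical(texts):
    """Signing the canonical bytes instead of the raw bytes makes the four agree."""
    return [jws_hs256_signature(canonicalize(t)) for t in texts]


def number_spellings_after_canon(texts):
    """Distinct canonical outputs for the number spellings. Python's parser maps
    '3' to int and '3.0'/'3e0'/'3.000' to float, so two byte strings survive:
    canonicalization alone does not settle how 3 is encoded."""
    return sorted({canonicalize(t) for t in texts})


if __name__ == "__main__":
    print("raw-bytes signatures (distinct):", len(set(signatures_over_raw_bytes(SERIALIZATIONS))))
    print("canonical signatures (distinct):", len(set(signatures_over_canonical(SERIALIZATIONS))))
    print("canonical bytes:", canonicalize(SERIALIZATIONS[0]))
    print("number spellings after canonicalization:", number_spellings_after_canon(NUMBER_SPELLINGS))
```

The second half is the practical lesson for anyone who wants to sign JSON with JWS: whitespace and key order are the easy part, while numbers (and also Unicode escapes, duplicate keys and large integers, which this script does not cover) need an explicit rule agreed out of band, which is the "external constraint" Jim refers to.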