Re: [jose] Canonical JSON form

Samuel Erdtman <samuel@erdtman.se> Thu, 11 October 2018 06:44 UTC

From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 11 Oct 2018 08:44:04 +0200
Message-ID: <CAF2hCbZU51q4RMrbNW+9HnsmH8XDVHkYR3at6LXLz1z6Lu1gOA@mail.gmail.com>
To: neil.madden@forgerock.com
Cc: jordan.ietf@gmail.com, Jim Schaad <ietf@augustcellars.com>, npmccallum@redhat.com, jose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/hBFq10eweBYTUPiDjW66bUqhhGo>
Subject: Re: [jose] Canonical JSON form

I for one think this is interesting.

I have published two implementations of the draft James mentions,
draft-rundgren-json-canonicalization-scheme
<https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme>
(Java
<https://search.maven.org/artifact/io.github.erdtman/java-json-canonicalization/1.1/jar>
and JavaScript <https://www.npmjs.com/package/canonicalize>), and I know
Anders (the author of the draft) has implementations in .NET and Python too
(all working well together).

Then I have myself been part of writing a draft that uses this
canonicalization mechanism to create signed cleartext JSON
(draft-erdtman-jose-cleartext-jws
<https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-01>). I have
ported a JavaScript JOSE implementation to this new schema without any
issues and Anders has at least a Java implementation.

Finally, there was a recent conversation about this subject on the OAuth
mailing-list
<https://mailarchive.ietf.org/arch/msg/oauth/YL29UE_gNj73mChXTr9FgkCF5Kg>.

Best regards
//Samuel


On Thu, Oct 11, 2018 at 7:33 AM Neil Madden <neil.madden@forgerock.com>
wrote:

>
> > On 11 Oct 2018, at 01:02, Bret Jordan <jordan.ietf@gmail.com> wrote:
> >
> >>
> >> Other implementations say that you should preserve the order of the
> >> fields you read when serialized which is part of JSON for the browser
> >> implementations but not necessarily elsewhere.
> >
> > Preserving order is hard.  Depending on your programming language you
> > might be deserializing the content into a struct or you may be using a
> > map.
> >
> > What I need is a way for individuals and organizations to be able to
> > pass around and share JSON data and collaboratively work on that JSON data
> > and sign the parts that they have done.
>
> Have you considered Git with PGP-signed commits? It solves this use-case
> extremely well.
>
> — Neil
>
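
The member-ordering problem raised in the quoted text, and the canonicalize-then-sign approach the reply points to, as an added example (not code from this thread, the drafts, or the linked packages). The canonical form follows the style of the canonicalization draft (sorted property names, ECMAScript primitive serialization); the `signature` member name, the HMAC key and the sample documents are assumptions constructed here, and the cleartext JWS draft defines its own signature object and algorithms.

```javascript
const crypto = require("node:crypto");

// Deterministic serialization of a parsed JSON value: object members sorted by
// property name (UTF-16 code unit order), no whitespace, and primitives exactly
// as JSON.stringify emits them (ECMAScript number and string formatting).
function canonicalize(value) {
  if (value === null || typeof value !== "object") {
    if (typeof value === "number" && !Number.isFinite(value)) {
      throw new TypeError("NaN and Infinity are not valid JSON numbers");
    }
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    // Array order is data, so it is preserved, not sorted.
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  const members = Object.keys(value).sort().map(
    (k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
  return "{" + members.join(",") + "}";
}

const SIG = "signature"; // hypothetical member name used only in this example

function mac(payload, key) {
  return crypto.createHmac("sha256", key).update(canonicalize(payload), "utf8").digest();
}

// Returns a copy of doc carrying a MAC over the canonical form of all other members.
function sign(doc, key) {
  const { [SIG]: _old, ...payload } = doc;
  return { ...payload, [SIG]: mac(payload, key).toString("hex") };
}

// Recomputes the MAC over the canonical form, so member order and whitespace
// in the received text do not matter; any change to a value does.
function verify(doc, key) {
  const { [SIG]: given, ...payload } = doc;
  if (typeof given !== "string") return false;
  const a = Buffer.from(given, "hex");
  const b = mac(payload, key);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample: the same document as two different serializations.
const KEY = "constructed-demo-key";
const SENT = '{"b":[1e3,0.50],"a":"\\u20ac","n":{"y":2,"x":1}}';
const signed = sign(JSON.parse(SENT), KEY);
const RESERIALIZED = `{ "signature": "${signed.signature}", "n": {"x": 1, "y": 2}, "a": "€", "b": [1000, 0.5] }`;
```
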