Re: [jose] Canonical JSON form

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 29 October 2018 08:33 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 929C5130DC2 for <jose@ietfa.amsl.com>; Mon, 29 Oct 2018 01:33:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gwJg9DFxUWGn for <jose@ietfa.amsl.com>; Mon, 29 Oct 2018 01:33:16 -0700 (PDT)
Received: from mail-wm1-x344.google.com (mail-wm1-x344.google.com [IPv6:2a00:1450:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A01B12D4EC for <jose@ietf.org>; Mon, 29 Oct 2018 01:33:16 -0700 (PDT)
Received: by mail-wm1-x344.google.com with SMTP id l26-v6so7235808wmh.3 for <jose@ietf.org>; Mon, 29 Oct 2018 01:33:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=H1Z6Tl4SK++WeB2+UUWGu+mfuqBT7JZziEyP6namgoI=; b=hXQY6EzOg5ZyXSnr7Tct13PZcLRTtsf6Na+uoBwvAhxi6w7YXN3x4LqQ6XhXlZEUBB HHl0WZp7n/19nMdvn1/OH6pRjle7OCsubQc2HsEFrgzQ7Tj56Pyll3A+ltsQ1LeqjQA1 vX2qGeTWc0A0i5SSmnGE9J0UReAlQaKRCVZmxIoCEAiUtesE+OBLNV4Rzzvr8/905ngn 869QZmzLDYz7VZgX4aT0kAzwHbVpkmgWEmAoleXpJIrlSFPUpJiKwMU7rSHZywQm9ltB YOGS5qiO3wJzSEqWWmFx0/4jHyWjusY/V8B8bI51TaP09FxJS5c07Za4ebj7rDpNU9Nd 7L2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=H1Z6Tl4SK++WeB2+UUWGu+mfuqBT7JZziEyP6namgoI=; b=bERPnptxtSX/+iyekKad6LBYItpKF+1vayLEi/5QSL7B5ITTcG1P9+VbViWRlwSUQ0 6X7hXw6nQnrx7n+4mWACr5YWTv7XpA1n0Fxelil+F+l8JWQEk7VZx3hkYxhv0b29RjTS rAFLhM8KLxGa6d4fxL6+zxTayWufmE/r0ROkWwWwbdB0DCiHK6f6eRygF3Ho2ogFt0TW KyDCya7YRBgH7nvfrkihNBgZ0y51KxIK4Va5VJsrEMqx1zcGAShX++3lMUUbJzGrsNXE FkOu0lt+EK4CoRJwm2oTX2M2c7RBoFOs0uRNU8ZZDyG/xFcnYCflcYSGeiIE3dY8Cs5P SApg==
X-Gm-Message-State: AGRZ1gIDqvptWtthLZCL+tm3sbcjCHqTOGeoSk89Q4X1xgqdu5SS6Fzc ASAqZZ1lbSSxUnQQt83LNb0=
X-Google-Smtp-Source: AJdET5eP8hUz8KUPy72quQu+TfrGDoLs7eL6XbwMw8esYG1fGnrBaLL3lIfbhiRf9Jdx5nGND2qI2Q==
X-Received: by 2002:a1c:4489:: with SMTP id r131-v6mr3233358wma.121.1540801994648; Mon, 29 Oct 2018 01:33:14 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id t82-v6sm11103754wme.30.2018.10.29.01.33.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Oct 2018 01:33:13 -0700 (PDT)
To: Samuel Erdtman <samuel@erdtman.se>, Carsten Bormann <cabo@tzi.org>
Cc: david@alkaline-solutions.com, jordan.ietf@gmail.com, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, jose@ietf.org, James.H.Manger@team.telstra.com, Phil Hunt <phil.hunt@oracle.com>
References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <8436AEE7-B25A-4538-B8F6-16D558D9A504@gmail.com> <MEAPR01MB35428606C09BF315DE04CC79E5E10@MEAPR01MB3542.ausprd01.prod.outlook.com> <CAHbuEH6DCD7Zc+PK3TnCBkKv1esnROwyCcDb8ZR+TKwgQQ+yXQ@mail.gmail.com> <0E6BD488-74D5-4640-BC31-5E45B0531AFC@gmail.com> <CAHbuEH5oH-Km6uAjrSr0pEHswFBLuDpfVweQ+gpj472yk+8iTQ@mail.gmail.com> <073CB50F-8D91-4EF6-90BE-FC897D557AA6@oracle.com> <A37D69B1-6B77-4E11-8BB9-A0209C77752C@tzi.org> <45bf6c0f-e510-4afc-4277-bdd486a8ce8c@gmail.com> <213796DB-D875-46B0-9F3C-1A56F9E154BA@gmail.com> <ff1dcd4e-2bf4-b85b-dde3-2cc8fe29fb17@gmail.com> <447AB837-7208-4A96-91CC-89D30A2734FA@gmail.com> <24cc6bb7-ea40-1a9c-8847-8d6c74131587@gmail.com> <92B9F9AF-BBCA-472D-9155-935F695CE7CE@gmail.com> <3b6a338b-5588-deb2-9a9c-23e0cc24a2f1@gmail.com> <FE6C1732-D16A-4D97-99F4-1350AF23A748@alkaline-solutions.com> <1B3A97D9-06BE-4225-BF8D-DE55C7FBF2DF@tzi.org> <CAF2hCbaPEdULLX41DeA_RMePZostcM46_eimQoR-NeE-JveHzg@mail.gmail.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <2c5aa692-3458-b36f-23ae-c56d41deeff1@gmail.com>
Date: Mon, 29 Oct 2018 09:33:10 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAF2hCbaPEdULLX41DeA_RMePZostcM46_eimQoR-NeE-JveHzg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/jHbVAtVJfN4f9OF04EWtRa97JWY>
Subject: Re: [jose] Canonical JSON form
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2018 08:33:18 -0000

On 2018-10-28 21:32, Samuel Erdtman wrote:
> In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.
> 
> As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations.

Yes, and part of that is supplying test data like: https://github.com/cyberphone/json-canonicalization/tree/master/testdata
The Microsoft folks developing "Chakra" (their JS engine) already use the 100 million reference values.


> If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.

Well, another part of the standards puzzle is getting early work into real products and services.

FWIW, I'm personally involved in a couple of efforts using clear text JSON signatures:
- Saturn, an open payment authorization scheme based on an enhanced "four corner" trust model which aims giving banks an upper hand against Apple Pay, Google Pay, PayPal, etc.
- Mobile ID, an open, PKI-based, multi-issuer mobile authentication and signature solution for e-governments.

Regards,
Anders

> Best regards
> //Samuel
> 
> 
> On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann <cabo@tzi.org <mailto:cabo@tzi.org>> wrote:
> 
>     On Oct 22, 2018, at 04:47, David Waite <david@alkaline-solutions.com <mailto:david@alkaline-solutions.com>> wrote:
>      >
>      > intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions
> 
>     Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in https://www.exploringbinary.com/php-converts-2-2250738585072012e-308-incorrectly/
> 
>     Grüße, Carsten
> 
>     _______________________________________________
>     jose mailing list
>     jose@ietf.org <mailto:jose@ietf.org>
>     https://www.ietf.org/mailman/listinfo/jose
>