Re: [jose] Canonical JSON form

Nathaniel McCallum <npmccallum@redhat.com> Wed, 10 October 2018 21:03 UTC

From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed, 10 Oct 2018 17:02:51 -0400
Message-ID: <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com>
To: jordan.ietf@gmail.com
Cc: jose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/w40dnzLfTZryHbszkjiyEzcSvqE>
Subject: Re: [jose] Canonical JSON form

I can't speak for the WG. However, I think such is unnecessary. It is
long-standing custom, when working with JSON (with or without JOSE),
to serialize without whitespace and with sorted keys. Every single
JSON implementation I've ever come across gives you the ability to do
this.

On Wed, Oct 10, 2018 at 4:49 PM Bret Jordan <jordan.ietf@gmail.com> wrote:
>
> Would this WG be open to working on a solution to sign JSON (not a byte stream) and define a canonical representation for said JSON?
>
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
> On Oct 10, 2018, at 1:15 PM, Nathaniel McCallum <npmccallum@redhat.com> wrote:
>
> JWS signs a byte stream, not JSON. If you want to use a JWS to sign
> JSON data it is your responsibility to ensure that both sides produce
> an equivalent byte stream.
>
> On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <jordan.ietf@gmail.com> wrote:
>
>
> Dear WG,
>
> I was reading through RFC 7515 to see if it would work for a project I am working on.  Basically the need to sign and resign a JSON object.  However, in RFC 7515 there does not seem to be any definition for serializing a canonical form of JSON. This means that two organizations that serialize it differently would produce two different signatures.
>
> Super simple example
>
> { "type" : "house", "size" : "1000 sq feet" }
>
> Or
>
> {
>  "type" : "house",
>  "size" : "1000 sq feet"
> }
>
> Or
>
> {"type":"house","size":"1000 sq feet"}
>
> Or (tabs not spaces)
>
> {
> 	"type" : "house",
> 	"size" : "1000 sq feet"
> }
>
>
> All four of these JSON structures would produce a different signature as defined by RFC 7515. What am I missing?
>
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
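As an added illustration (not code from the thread or from any JOSE library), the following reproduces Bret's four serializations of the same object, shows that RFC 7515 HS256 yields four different JWS values because the payload bytes differ, and shows that the sort-keys/no-whitespace convention Nathaniel describes collapses them to one. The HMAC key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; not from the thread.
KEY = b"demo-hmac-key-for-illustration-only"

# Bret's four serializations of one object, copied from his message.
VARIANTS = [
    '{ "type" : "house", "size" : "1000 sq feet" }',
    '{\n "type" : "house",\n "size" : "1000 sq feet"\n}',
    '{"type":"house","size":"1000 sq feet"}',
    '{\n\t"type" : "house",\n\t"size" : "1000 sq feet"\n}',
]


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_hs256(payload: bytes, key: bytes = KEY) -> str:
    """Compact JWS over the exact payload bytes: JWS signs bytes, not JSON."""
    protected = b64url(b'{"alg":"HS256"}')
    signing_input = f"{protected}.{b64url(payload)}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode('ascii')}.{b64url(tag)}"


def verify_hs256(token: str, key: bytes = KEY) -> bool:
    """Recompute the tag over the received header.payload and compare in constant time."""
    protected, payload, tag = token.split(".")
    expected = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), tag)


def canonical(text: str) -> bytes:
    """The custom from the thread: parse, then re-emit with sorted keys and no whitespace."""
    obj = json.loads(text)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def distinct_raw_signatures(texts=VARIANTS) -> int:
    """How many different JWS values the raw serializations produce."""
    return len({jws_hs256(t.encode("utf-8")) for t in texts})


def distinct_canonical_signatures(texts=VARIANTS) -> int:
    """How many different JWS values remain after both sides canonicalize first."""
    return len({jws_hs256(canonical(t)) for t in texts})
```

Sorting keys and stripping whitespace settles only key order and layout; number formatting (1e2 versus 100) and string escaping still have to be agreed between the two sides, so the canonicalization step should be applied identically by signer and verifier.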