Re: [jose] Canonical JSON form

Samuel Erdtman <samuel@erdtman.se> Sun, 28 October 2018 20:32 UTC

References: <12DD2F97-80C3-4606-9C6B-03F7A4BF19DE@gmail.com> <D21F3A95-0085-4DB7-A882-3496CC091B34@gmail.com> <CAOASepM=hB_k7Syqw4+b7L2vd6E_J0DSAAW0mHYdLExBZ6VBuw@mail.gmail.com> <00ad01d460f4$69ae8a00$3d0b9e00$@augustcellars.com> <8436AEE7-B25A-4538-B8F6-16D558D9A504@gmail.com> <MEAPR01MB35428606C09BF315DE04CC79E5E10@MEAPR01MB3542.ausprd01.prod.outlook.com> <CAHbuEH6DCD7Zc+PK3TnCBkKv1esnROwyCcDb8ZR+TKwgQQ+yXQ@mail.gmail.com> <0E6BD488-74D5-4640-BC31-5E45B0531AFC@gmail.com> <CAHbuEH5oH-Km6uAjrSr0pEHswFBLuDpfVweQ+gpj472yk+8iTQ@mail.gmail.com> <073CB50F-8D91-4EF6-90BE-FC897D557AA6@oracle.com> <A37D69B1-6B77-4E11-8BB9-A0209C77752C@tzi.org> <45bf6c0f-e510-4afc-4277-bdd486a8ce8c@gmail.com> <213796DB-D875-46B0-9F3C-1A56F9E154BA@gmail.com> <ff1dcd4e-2bf4-b85b-dde3-2cc8fe29fb17@gmail.com> <447AB837-7208-4A96-91CC-89D30A2734FA@gmail.com> <24cc6bb7-ea40-1a9c-8847-8d6c74131587@gmail.com> <92B9F9AF-BBCA-472D-9155-935F695CE7CE@gmail.com> <3b6a338b-5588-deb2-9a9c-23e0cc24a2f1@gmail.com> <FE6C1732-D16A-4D97-99F4-1350AF23A748@alkaline-solutions.com> <1B3A97D9-06BE-4225-BF8D-DE55C7FBF2DF@tzi.org>
In-Reply-To: <1B3A97D9-06BE-4225-BF8D-DE55C7FBF2DF@tzi.org>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 28 Oct 2018 21:32:05 +0100
Message-ID: <CAF2hCbaPEdULLX41DeA_RMePZostcM46_eimQoR-NeE-JveHzg@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: david@alkaline-solutions.com, jordan.ietf@gmail.com, Anders Rundgren <anders.rundgren.net@gmail.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, jose@ietf.org, James.H.Manger@team.telstra.com, Phil Hunt <phil.hunt@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/xYGBPv4jQ5WfRjejFzGj5ZqnsLA>
Subject: Re: [jose] Canonical JSON form

In my opinion we can create a good canonicalization format for JSON to be
used to sign cleartext JSON.

As can be seen on this list, many are skeptical, so my approach would be to
publish easy-to-use open-source implementations. If we do that and there is
real interest, then we might be able to convince people here about the need.
In line with this ambition I have done the JS and Java publications. This
might also show there is no actual interest, and then that is also an
outcome.

Best regards
//Samuel


On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann <cabo@tzi.org> wrote:

> On Oct 22, 2018, at 04:47, David Waite <david@alkaline-solutions.com> wrote:
> >
> > intermittent interoperability failures until a new language runtime
> > release which revises the numerical print and parse functions
>
> Note that this is not a theoretical concern, as CVE-2010-4476 and
> CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of
> the latter in
> https://www.exploringbinary.com/php-converts-2-2250738585072012e-308-incorrectly/
>
> Grüße, Carsten
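Samuel's point is signing cleartext JSON over a canonical form; Carsten's is that the number print and parse step is where runtimes have historically failed. The example below is added here and is not Samuel's JS or Java implementation nor any IETF code. It is a deliberately simplified canonicalizer in Python (keys sorted by code point, no insignificant whitespace, numbers in shortest round-trip form with a normalized exponent; the string escaping and key ordering are simplifying assumptions, not a conforming JCS profile). It shows that two differently formatted but equivalent JSON texts digest identically after canonicalization, and it runs the value from the PHP bug Carsten linked through the parse, print, parse check that a verifier should pass on its runtime before trusting it with a canonical form.

```python
"""Simplified canonical-JSON serializer and a number round-trip check.

Added example for the thread: not Samuel's JS/Java implementations and
not IETF code.  Canonical form assumed here: object keys sorted by code
point, no insignificant whitespace, numbers in shortest round-trip form
with a normalized exponent.  A teaching simplification, not JCS."""
import hashlib
import json
import math


def canon_number(x):
    """Deterministic text for a JSON number that parses back to the same value."""
    if isinstance(x, bool):
        raise TypeError("bool is not a JSON number")
    if isinstance(x, int):
        return str(x)
    if not math.isfinite(x):
        raise ValueError("NaN and Infinity are not valid JSON")
    if x == 0:
        return "0"                      # fold -0.0 into 0
    if x == int(x) and abs(x) < 2 ** 53:
        return str(int(x))              # integral floats print as integers: 1.0 -> "1"
    s = repr(x)                         # shortest digits that round-trip (Python >= 3.1)
    mant, _, exp = s.partition("e")
    if not exp:
        return s
    sign = "-" if exp.startswith("-") else ""
    digits = exp.lstrip("+-").lstrip("0") or "0"
    return f"{mant}e{sign}{digits}"     # e-07 -> e-7, e+16 -> e16


def canonicalize(value):
    """Serialize a parsed JSON value (output of json.loads) in one fixed form."""
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, (int, float)):
        return canon_number(value)
    if isinstance(value, str):
        return json.dumps(value, ensure_ascii=False)   # escaping simplified
    if isinstance(value, list):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"
    if isinstance(value, dict):
        members = (json.dumps(k, ensure_ascii=False) + ":" + canonicalize(v)
                   for k, v in sorted(value.items(), key=lambda kv: kv[0]))
        return "{" + ",".join(members) + "}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def canonicalize_text(text):
    """Parse JSON text and emit its canonical form."""
    return canonicalize(json.loads(text))


def canonical_digest(text):
    """SHA-256 over the canonical form: what a cleartext signature would cover."""
    return hashlib.sha256(canonicalize_text(text).encode("utf-8")).hexdigest()


def raw_digest(text):
    """SHA-256 over the bytes as received, for contrast."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def number_round_trips(text):
    """Parse -> print -> parse.  The CVEs in the thread were failures of this step."""
    parsed = json.loads(text)
    return json.loads(canon_number(parsed)) == parsed


# Constructed sample inputs: the same JSON value written two different ways.
DOC_A = '{"iss": "example", "exp": 1540758736, "amount": 1.0, "rate": 1e-7}'
DOC_B = '{"rate":0.0000001,"amount":1,"exp":1540758736,"iss":"example"}'
# The value from the PHP bug Carsten linked.
PHP_EDGE = "2.2250738585072012e-308"

if __name__ == "__main__":
    print(canonicalize_text(DOC_A))
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("edge value round-trips: ", number_round_trips(PHP_EDGE),
          "printed as", canon_number(json.loads(PHP_EDGE)))
```

The number path is the one to watch: a canonical form only works if every party's runtime parses the text to the same double and prints that double back to the same text, so `number_round_trips` is the kind of self-test an implementation should run at startup rather than assume.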