Re: [jose] Canonical JSON form

Jim Schaad, Mon, 29 October 2018 18:46 UTC

From: Jim Schaad
To: 'Bret Jordan', 'Samuel Erdtman'
CC: 'Anders Rundgren', 'Kathleen Moriarty', 'Carsten Bormann', 'Phil Hunt'

I would look at creating a new working group in the IETF rather than using an existing one.


1.	Get a personal draft published
2.	Find a cadre of people who are interested and think it is solvable
3.	Write a charter
4.	Talk to the ADs about getting the WG formed by holding a BOF


The first three should be really easy to do.  The fourth may take a bit of work but should be doable.  The trick with the IETF is to find people who want to work on things and not to worry overmuch about the people who don’t think it is solvable.  If necessary, write the charter to say you are not going to cover some things or that you are going to require specific environments for your solution.  The tighter the requirements, the easier the solution, but the harder it might be to get the cadre of people.


You should be looking at 1) one or more authors, 2) half a dozen or more reviewers, 3) at least a couple of people who think they are going to get this implemented.





From: jose On Behalf Of Bret Jordan
Sent: Sunday, October 28, 2018 8:04 PM
To: Samuel Erdtman
Cc: Anders Rundgren; Kathleen Moriarty; Carsten Bormann; Phil Hunt
Subject: Re: [jose] Canonical JSON form


Oh there is real need.  Several standards and implementations inside the IETF and outside the IETF in other SDOs need this.  So in my view there are a few options:


1) Try and convince a working group here in the IETF that this is a good idea so we can actually work on it. 


2) Work on this in another SDO outside the IETF (ETSI, OASIS, ITU, etc etc etc)


3) Do this work as an industry standard similar to what happened between W3C and WHATWG. 


I would personally prefer that this work be done here in the IETF.  But there seems to be a lot of resistance here. I am willing to work on this and help make this a reality.  There is a lot of great prior work on this.  


Maybe we can have a meeting in Prague?  Or I can set up a Telepresence WebEx after Bangkok and all those that are interested can join and we can discuss next steps. 




PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Oct 28, 2018, at 2:32 PM, Samuel Erdtman wrote:


In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.


As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations. If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.


Best regards




On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann wrote:

On Oct 22, 2018, at 04:47, David Waite wrote:
> intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions

Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in

Grüße, Carsten
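
The number print-and-parse concern raised in the quoted messages, as an added example that is not part of the original thread: a MAC over cleartext JSON only verifies if both sides produce the same bytes, and numbers are where that breaks first. The key, the two documents and the canonical form used here are constructed for illustration; the form is an assumption, not any published canonicalization scheme.

```python
import hashlib
import hmac
import json
import math

KEY = b"constructed-demo-key"  # constructed sample key, for illustration only

# Two constructed documents carrying the same data with different
# member order, whitespace and number spellings.
DOC_A = '{"amount": 100, "currency": "EUR", "rate": 0.1}'
DOC_B = '{"rate":1e-1,"currency":"EUR","amount":1.0e2}'

def _norm(v):
    """Give every number one spelling: integral floats become ints."""
    if isinstance(v, float):
        if not math.isfinite(v):
            raise ValueError("NaN and Infinity have no JSON representation")
        return int(v) if v.is_integer() and abs(v) < 2**53 else v
    if isinstance(v, dict):
        return {k: _norm(x) for k, x in v.items()}
    if isinstance(v, list):
        return [_norm(x) for x in v]
    return v

def canonical(text):
    """Illustrative canonical form (an assumption, not a published scheme):
    sorted member names, no whitespace, UTF-8, numbers via Python's repr."""
    return json.dumps(_norm(json.loads(text)), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False,
                      allow_nan=False).encode("utf-8")

def mac(data):
    """HMAC-SHA256 over the exact bytes given."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def printers_agree(x):
    """Compare two float printers: shortest round-trip repr vs. 15 digits."""
    return repr(x) == format(x, ".15g")

if __name__ == "__main__":
    print("raw MACs equal:      ", mac(DOC_A.encode()) == mac(DOC_B.encode()))
    print("canonical MACs equal:", mac(canonical(DOC_A)) == mac(canonical(DOC_B)))
    print("canonical bytes:     ", canonical(DOC_A))
    # The same double, printed by two different routines:
    print(repr(0.1 + 0.2), "vs", format(0.1 + 0.2, ".15g"))
```

The canonical bytes still depend on which float printer the runtime uses, so two implementations that print the same double differently will disagree on the MAC even after key sorting and whitespace removal.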
