Re: [jose] Canonical JSON form

Bret Jordan <> Thu, 11 October 2018 14:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D41F4130E9E for <>; Thu, 11 Oct 2018 07:40:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1-aApinPBw8S for <>; Thu, 11 Oct 2018 07:40:54 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::c2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BD5D6126CC7 for <>; Thu, 11 Oct 2018 07:40:48 -0700 (PDT)
Received: by with SMTP id v1-v6so3671606ywv.6 for <>; Thu, 11 Oct 2018 07:40:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=mHuktTF5YUdXQY/UqIIXx2vM8upFAWnK8FeJsv+xzS8=; b=JUsKRYB0A91/UeBjIXzQDMjW9x2xbKscNUIq+cqZ1nh+mjWHYlZKPApTWQ3835FsPD DPfvkCKWkLG8dqtt5rw4t/PtUMhTxdDGvO4KWLdInyRNf4A7p6RnMjHWNW+7Eo2bEEG+ u8yrH1MXu395ngXkag3d+OHUQ4jzeDyd7PHVQNERRwiKsn8FboS5vEDeAFNkCK4NSF3r yboD6Gae4lg/DW5P84DpZcucFahlJbXADCrycpHYsrSoRJBe9fTZQ+UHXwLLR6rwoG9I J6rnHmq0E3+Yg5MzjR1sidpr7UYBn+aR2tfnFNhj9WtQP2ksdA9nAXFgUZzAqhjICfMl fEYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=mHuktTF5YUdXQY/UqIIXx2vM8upFAWnK8FeJsv+xzS8=; b=PUFQh3VAdczPLyGu+Ruphd6jrUsQu89MiHmaBAxpgzI9V/K5FmsYsofZbEuOA8e28b SBH9WUq4VCun3QCuqwMbN9tSH7voqJLT76aSojfwNipDS5OtdQvcOneeYVYBlCS1rbRg y+pmEyuvPv0SsHJHXXZQ4ZXDtJsp99Sx4F60mwrQAWQKbUDMohOQr8Dt6lGMXmV8yp9E vQs89nYTvfNCwGej0IwFDF6TI0iOLkmS7CWH/ooMY2ixty8Nea9KYZAkcJeXTj+75WB6 KkvJdyN4PUY4Be8XV1CpNFZKURkLvwVVyl6NGL51JRG39ZsJiiDEePhb+3PQANb9vQdd 7K2g==
X-Gm-Message-State: ABuFfoh1uIjJMStstn8q0YvOvKDBNSEmymxv53NYl+RoObZsyASBSOrk 3EHuQxrLCr1jwZ+Nk6TUYO4=
X-Google-Smtp-Source: ACcGV62YFNT+8j1dUGub+Pahi4dMYVOC3vKCfH6vCNGqx2xqtdtxKUt1fs9WZsoXS+RQPdylsHjYZA==
X-Received: by 2002:a81:5489:: with SMTP id i131-v6mr985428ywb.87.1539268847655; Thu, 11 Oct 2018 07:40:47 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:7534:8ac9:bb4c:ce9d? ([2605:a601:3260:266:7534:8ac9:bb4c:ce9d]) by with ESMTPSA id s3-v6sm11098071ywc.72.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Oct 2018 07:40:46 -0700 (PDT)
From: Bret Jordan <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_27BC8545-66B3-423F-B814-ED4D8E69AB19"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 11 Oct 2018 08:40:41 -0600
In-Reply-To: <>
Cc:, Jim Schaad <>,,
To: Samuel Erdtman <>
References: <> <> <> <> <00ad01d460f4$69ae8a00$3d0b9e00$> <> <> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [jose] Canonical JSON form
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Oct 2018 14:40:57 -0000

There is a lot of value that the market could gain from something like this.  I think it would be great if we could do this work here in the IETF.  I for one would be willing to spend some time on it if we can somehow get the work kickstarted.  

I know of several large projects (most outside the IETF, but one is an upcoming IETF project) that need this for their solutions. For the IETF one, we will be hosting a WebEx to talk through it on the 24th, see the CACAO mailing list if you are interested. 

Things that I see we need to figure out are:

1) Canonicalization of JSON to enable round-tripping 

2) Ability to sign JSON string data

3) Ability to have JSON signatures located in the content themselves with nested signatures and partial tree signatures

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 11, 2018, at 12:44 AM, Samuel Erdtman <> wrote:
> I for one think this is interesting.
> I have published two implementations of the draft James mentions, draft-rundgren-json-canonicalization-scheme <>, (Java <> and JavaScript <>) and I know Anders (the author of the draft) has implementations in .NET and Python too (all working well together).
> The I have my self been part in writing a draft that uses this canonicalization mechanism to create signed cleartext JSON (draft-erdtman-jose-cleartext-jws <>). I have ported a JavaScript JOSE implementation to this new schema without any issues and Anders has at least a Java implementation.
> Finally there was a resent conversation about this subject on the OAuth mailing-list <> recently.
> Best regards
> //Samuel
> On Thu, Oct 11, 2018 at 7:33 AM Neil Madden < <>> wrote:
> > On 11 Oct 2018, at 01:02, Bret Jordan < <>> wrote:
> > 
> >> 
> >> Other implementations say that you should preserver the order of the fields you read when serialized which is part of JSON for the browser implementations but not necessarily elsewhere.
> > 
> > Preserving order is hard.  Depending on your programming language you might be deserializing the content in to a struct or you may be using a map. 
> > 
> > What I need is a way for individuals and organizations to be able to pass around and share JSON data and collaboratively work on that JSON data and sign the parts that they have done. 
> Have you considered Git with PGP-signed commits? It solves this use-case extremely well.
> — Neil
> _______________________________________________
> jose mailing list
> <>
> <>