IETF Logo Mail Archive

Re: [Json-canon] Dropping "Comparable" JSON

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 14 February 2019 06:03 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: json-canon@ietfa.amsl.com
Delivered-To: json-canon@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 068BE131133 for <json-canon@ietfa.amsl.com>; Wed, 13 Feb 2019 22:03:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0ow9bwLDt2O for <json-canon@ietfa.amsl.com>; Wed, 13 Feb 2019 22:03:48 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D592E131016 for <json-canon@ietf.org>; Wed, 13 Feb 2019 22:03:47 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id c8so5073424wrs.4 for <json-canon@ietf.org>; Wed, 13 Feb 2019 22:03:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=76IoYRSF5ndstyePFAhLtbvY/b1PpYCbUg1QrCJhGqI=; b=agzznfx1deIHVfWrUNSRGJY3CyQ//cjRhXAtc3ci+TJqLFUL9FGEIUd94vzrqPFUNv S6r6I8Az9uaLeYXmGMVmnI69Yb+6k7gR08ig4/BfdT3Sxw5A/zsCeLUqbad1wY5OXD5a xJ17AEQsoki6e2m2tQywZxcT10IvWYe5Lx4vJBZOu9eMSkyB5zLma8nthQirzVWm8K4U 9yo405HrXDtoSGWoyWXXCkVSezSjPKT/y6QksA+KsaxxmNHUvzyk3/OG7Te9sat3Hr5T b94WeKfiao5TEd8hqlcNdLcAcyY+saucc5jHcBy/4x70HCwJQ3+a3OIfrTD1/wVI/+nM KKyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=76IoYRSF5ndstyePFAhLtbvY/b1PpYCbUg1QrCJhGqI=; b=TROtLCjBQBPczhknQQ58hwPe6NuIRqrIA0dzHeX2YJHUZnxACS2qzwLFwQETAoyemv CRJ48jvUR/eelUrmBX+dzXzjgamnub5J8Ph+sw9+pikR8e824rA4MfAV5I17tjlmRtzT /dCdrvSwexANzpVoNXpAt6M0C9SNpwCiuoTfCJ5dyv8XLdWLo9+FcvvID8uTuBwXEAIz 1PfhJkikdprumnNYh0TRU7UpxXZngQwefDWsUptk3uIPDXiAXM/dQUgaIf3T5OphM9Ul IsEujpmhXrW6x5ekEwc66iel9koVblRXwJhPDmDKHYxDNigLs/wWajMXgVm+Q0R978Mk yspw==
X-Gm-Message-State: AHQUAuZJGLooCvqy9Wavk8/VpYX9zq0VoZ8qsUVfXcTe/M2K/FVDDLBW +1KkqW3Bmhf90S8aXIZoJF0=
X-Google-Smtp-Source: AHgI3IbV7bpI+75ZHjEjkv5wXbTVUw9tKqWD9R++YMRO+9tT828q5Gv0bGsxZLlsKTMCdbrT2Ro38A==
X-Received: by 2002:adf:a104:: with SMTP id o4mr1214349wro.244.1550124226268; Wed, 13 Feb 2019 22:03:46 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id p16sm1607803wro.25.2019.02.13.22.03.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Feb 2019 22:03:44 -0800 (PST)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: json-canon@ietf.org, Samuel Erdtman <samuel@erdtman.se>, Bret Jordan <jordan.ietf@gmail.com>
References: <00dc01d4b51c$618cdbc0$24a69340$@augustcellars.com> <f4b64343-e8db-57cf-152e-aeba44dc4863@gmail.com> <060401d4c035$d35d3e10$7a17ba30$@augustcellars.com> <7f7557ae-c86a-013a-6758-279034728be5@gmail.com> <F80FF7EB-B1A2-4337-8BC7-86E6C1AB725D@tzi.org>
Message-ID: <fea41437-88b8-c6aa-8e6e-b3d4c2bf5892@gmail.com>
Date: Thu, 14 Feb 2019 07:03:31 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <F80FF7EB-B1A2-4337-8BC7-86E6C1AB725D@tzi.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/json-canon/45zNdPpBKjO9VDjFIm4OgzHPrYw>
Subject: Re: [Json-canon] Dropping "Comparable" JSON
X-BeenThere: json-canon@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Canonicalization <json-canon.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json-canon>, <mailto:json-canon-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json-canon/>
List-Post: <mailto:json-canon@ietf.org>
List-Help: <mailto:json-canon-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json-canon>, <mailto:json-canon-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 06:03:50 -0000

Carsten,

Starting in another end...

As you probably know REST is a established way of architecting Web applications.  A fly in the soup is that there is no standard for creating signed REST requests.

Instead proprietary signature schemes based on detached clear text JSON data and HTTP bindings have become the norm while the JOSE WG has been concluded.  It has been claimed that the "right" solution (encoding and embedding the request data to be signed in the signature container itself) eventually will win.  However, I haven't seen this happening.  Maybe somebody can provide a link to such an activity?

In addition to be useful in entirely different contexts, JCS may function as a building block for future work in the REST space since it offers advantages over detached formats and HTTP bindings.

"Hashable" is a term I got from a related discussion on the ES-mozilla list.  In a JCS context "Hashable" means that a producer of (I-)JSON data can calculate a hash or signature over the data to be sent while the consumer of that data can use the hash or signature to verify the correctness of the received data. "Hashable" is obviously a lower form of canonicalization than required for comparing JSON data from arbitrary sources.

Regarding interoperability: With the (recently added...) constraint that the parsing of a JSON String followed by a serialization MUST return the same string you have together with the core JCS algorithm all the interoperability needed for supporting cryptographic methods.

Anders


On 2019-02-12 18:02, Carsten Bormann wrote:
> On Feb 9, 2019, at 08:05, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> I begin to wonder if "Comparable" JSON (in the draft named "true" canonicalization) shouldn't be a "Feature at Risk" as the W3C folks call this.
> 
> Well, first of all, there is no “feature” here — the current draft just points out that deterministic encoding (“canonicalization”) reaches up to the application using JSON wherever that does its own encoding work.
> 
> That is a fact that is good to know, but nothing is contributed to interoperability by this document.
> 
> To do so, one would need a way to describe elements of the application data model and constrain the application data encoding decisions made on the way to the JSON data model.  We don’t have a good way to do this at the moment (even if the document misleadingly mentions the “schema” word).
> 
> Actually, the document about deterministic encoding of JSON (your “Hashable” thing — I still have no idea where these confused terms came from) could be stating this fact, if only as a matter of delineating what is *not* being defined in that document.
> 
> The document currently does not say how it was intended to be developed further.  As it stands, it is indeed of little use.  Collecting a set of preferred application-data-model to JSON-data-model encoding decisions, however, might be a useful undertaking, somewhat unrelated to the constraints on serializing the JSON data model that the other document wants to define, and probably on a much longer time scale.
> 
> Grüße, Carsten
>

v2.23.0 | Report a Bug | By Email