IETF Logo Mail Archive

Re: [Json] JSON Concluded? Well, maybe not

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 01 January 2018 17:55 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7464F1267BB for <json@ietfa.amsl.com>; Mon, 1 Jan 2018 09:55:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZ-PZM5LN9Aq for <json@ietfa.amsl.com>; Mon, 1 Jan 2018 09:55:07 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 323F912025C for <json@ietf.org>; Mon, 1 Jan 2018 09:55:07 -0800 (PST)
Received: by mail-wm0-x22e.google.com with SMTP id g75so58339991wme.0 for <json@ietf.org>; Mon, 01 Jan 2018 09:55:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=O1UkisssM/8leCRxAcz3WgudI9nxZNx2yT+7vPygXqk=; b=p8MKI0uxt+k7TAwCHJxdpwS+Yj8JKhfIF1CaHDLgyP9tK159pdFVhVWDObku8CFgjf HAqJMIBWBLkv7qQsYiLHNIttM9Vk6bjr8w64/LAefC7VgngCGWhJOJZO6po7mIu6/+HJ 7WedXMh3GQAZJj6NB5UBKQveqNz72TsrL9CSTHKIi+N4fKCgbOWgP2Syc922cwW2LSAn CNgfwzaGE1/NAroMBOcTOKRkt8Si8ZZxnBDMDF2dTG/CuIS6tRfXwyPwx8uFNAM+DlMp Pg7FmhD5ucB+maNBXZpGv421pfiXP6dHndQV4polmgc+o+YttXiVTBPAYK53BO7uW1y1 e4ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=O1UkisssM/8leCRxAcz3WgudI9nxZNx2yT+7vPygXqk=; b=KgtLN7hy4j8dPxPILKfen0qZAmPQ+iR6Y+L+soNFhHybBVmOskZLllG/QH8NtZrmwh Np089hhdNhRK3s0zZiZY+o/KCvfMllxIRYwr58v3cQ0+PvrBBOh8PIgW7PB77Ya6Mk0r 9oCZ1ADZ9C3czyPevO8t6z3xm7cBl2+XJQ+mNpcR97ESrNHZ1zVDj+PC2a4oE9E88UNb Td2Vv9xfMFKWKM66EtE0xFvOBC/JJTXkWoG8+ZiaNWd1LvxqUUfQ1sf1aIv+YmkRg1Q6 dDJK9Na4Tb3P6RWWGr7a6HA4hkIq73vBn/+D87nZ0dvGCjtUK7EgAuSlMUyWejfMiVfJ l9LQ==
X-Gm-Message-State: AKGB3mLbuy7734lk3hYvA7HrW8ddJBaLUUlYYn5jj4hmIMV4URIjVa2V KBupSro/5TNnEFzTBSd7l8PEfQ==
X-Google-Smtp-Source: ACJfBov6i5efjIdxFvk/r7Tv5h2rG9fMzJpeWqi8F9trjcJOPK56W7msklD09wWWzC5YjSKxQW+QAw==
X-Received: by 10.80.141.141 with SMTP id r13mr58415037edh.122.1514829305212; Mon, 01 Jan 2018 09:55:05 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id y3sm39323827edb.37.2018.01.01.09.55.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 01 Jan 2018 09:55:04 -0800 (PST)
To: Phillip Hallam-Baker <ietf@hallambaker.com>
Cc: Richard Gibson <richard.gibson@gmail.com>, JSON WG <json@ietf.org>
References: <13860352-ef8e-1d4b-2eff-27e275c25e3a@gmail.com> <CALH+fvqBGu0i=LcciYgOLSwbQJXfqgcXTdd=rxvfHfqiRyBj7g@mail.gmail.com> <CAHBU6itC+XAKhc_m_ywG5O2bpky9DnmzfiNVqP3WrxLaE7uenA@mail.gmail.com> <92077f95-5dd6-3f5b-4765-d14067f698ac@dret.net> <CADEL5zshRaHtVNAtNggwHaPKP9xWeePcBZcQc1EM8SEfUu41Uw@mail.gmail.com> <CALH+fvqkBkQCiXfx1cxXaX092sbW6fgUmUizXP1f=ScMZ3bBqQ@mail.gmail.com> <cb1ce20d-67f0-f4f4-8077-57c3d3f232b7@gmail.com> <CAMm+Lwiuod4Xf4=a8m25aNt626xCrO0Xet=96vn=R0eEwyjV1g@mail.gmail.com> <a96d74f1-7f8a-e091-4fe8-4031d70de777@gmail.com> <CAMm+Lwg49Dqwb7MknVPuqvTBHVBZpEcP2Z4WAvSZYQumnwtLfw@mail.gmail.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <4950bfd0-9f89-4fe8-4e85-eb397a40afb1@gmail.com>
Date: Mon, 01 Jan 2018 18:55:01 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <CAMm+Lwg49Dqwb7MknVPuqvTBHVBZpEcP2Z4WAvSZYQumnwtLfw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/json/-rq76BWiwG4KjXiTlmyECTi3Lrw>
Subject: Re: [Json] JSON Concluded? Well, maybe not
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jan 2018 17:55:09 -0000

On 2018-01-01 18:17, Phillip Hallam-Baker wrote:
> ​I can't see the need for stringify there. By which I mean, my code runs and 
> I do not use javascript or stringify anywhere.

The only "hard" requirement is that the JSON tool adheres to ECMA's ES6+ JSON processing rules.  With the exception of "Number" normalization [1] this is a trivial matter [2].

By putting your JSON data in Base64 or using special JSON dialects you can of course do things differently.

> ​Where I think folk tend to go really wrong is doing the stuff people > decided they wanted with XML Signature which was to have the following:
> 
> Unsigned object:
> 
> <object>
>     <blahdyblah/>
> </object>
> 
> Signed object:
> 
> <object>
>     <blahdyblah/>
>     <signature>
>        {path transform}
>        {etc}
>     </signature>
> </object>
> 
> And it worked exactly as well as could be expected.

The sample and its associated scheme does (by design) NOT perform any sophisticated textual processing. Maybe it only covers 80% of the "market".  Is that a showstopper?

Anders

1] https://www.ecma-international.org/ecma-262/8.0/index.html#sec-tostring-applied-to-the-number-type
2] https://docs.oracle.com/javase/8/docs/api/java/util/LinkedHashMap.html

> On Mon, Jan 1, 2018 at 1:43 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
> 
>     On 2018-01-01 07:27, Phillip Hallam-Baker wrote:
> 
>         The use case that I believe gives rise to the belief canonicalization is
>         necessary is the need to sign a data object in the same JSON document.
> 
> 
>     Yes, but this is indeed only a belief.  The following in-object signature would validate in any JSON system compliant with ECMA:
> 
>     {
>        "now": "2017-04-16T11:23:06Z",
>        "escapeMe": "\u20ac$\u000F\u000aA'\u0042\u0022\u005c\\\"\/",
>        "numbers": [1e+30,4.5,6],
>        "signature": {
>          "alg": "ES256",
>          "jwk": {
>            "kty": "EC",
>            "crv": "P-256",
>            "x": "_gow8fcS3Dx9z6j57U5q8tunnRBdrgLU9A7CZTYCnqU",
>            "y": "bdfJGraBVL5aPj38TG4tHwxpU2VKwG1XBp0wQfCLOFQ"
>          },
>          "val": "OfTUed3gOO58ZPcP5ZXpL6OA9iyHskfo0zKI60H6XriGNNNb5sugGz80nqfyJ25jXPRYGAWcjH-1KGy5_eQuJQ"
>        }
>     }
> 
> 
>        // Perform normalization
>        var clone = Object.assign({}, signedObject.signature);     // Clone "signature" child object
>        var signature = decodeBase64URL(clone.val);                // Get signature value
>        delete signedObject.signature.val;                         // Remove signature value property from signed object
>        var data = convertToUTF8(JSON.stringify(signedObject));    // Get normalized JSON string (signed data)
>        signedObject.signature = clone;                            // Restore signed object
>        // Do the crypto now
> 
>     That's clearly not rocket science.
> 
>     Anders
> 
> 
>         I have this need frequently:
> 
>         { {A = [... JSON Data...]} { Signature (A) } }
> 
>         The way I solve this using JSON is to BASE-64 encode:
> 
>         { { A = base64(... JSON Data...)} { Signature (A) } }
> 
>         Which is brutal but entirely effective and only expands the data by 33%
> 
>         For an efficient encoding, I use JSON-B which is a strict superset of JSON with additional code points that allow binary data to be spliced in.
> 
>         JSON only uses bytes in the range 1-127 for tagging. Bytes in the range 128-255 can only occur inside strings. Which means all the other values can be repurposed
> 
>         In JSON-B, the binary sequence 01 02 03 can be encoded as either "AQID" or
> 
>         88 03 01 02 03
> 
>         The first byte says that this is a binary value with an 8 bit length and the final block of the sequence (i.e. there is only one block in this sequence).
> 
>         The second byte is the length.
> 
>         The rest is the data.
> 
> 
>         I would much rather extend JSON to support efficient encoding of any binary value than develop a canonicalization hack that could only ever work for JSON.
> 
>         http://www.prismproof.org/Documents/draft-hallambaker-jsonbcd.html <http://www.prismproof.org/Documents/draft-hallambaker-jsonbcd.html>
> 
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email