Re: [Json] Canonicalization

Nico Williams <nico@cryptonector.com> Wed, 20 February 2013 01:11 UTC


On Tue, Feb 19, 2013 at 7:00 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> One only needs to canonicalize at the time when one is comparing two objects. We should say *nothing* that suggests that JSON sent on the wire should be canonicalized at all.

When to canonicalize:

 - when you're signing something that a peer has to reconstruct independently
 - when you want to compare with memcmp()

Note that that's not the only way to compare JSON data!  One could
parse into native objects in whatever programming language one is
using and then proceed to compare bit by bit.

Note too that equality comparison does require saying something about
Unicode normalization.  The simplest thing to say about that would be
that there are two types of comparison: naive, which uses
memcmp()/strcmp(), and normalization-insensitive (which internally
might normalize then compare or work as a normalization-insensitive
comparison; the latter performs better).

Note that the first use of c14n given above also requires saying
something about normalization...

When to not canonicalize: any other time.

Nico
--
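
The comparison modes and the signing case described in this message, as an added Python example that is not part of the original message. The canonical form used here (sorted members, no whitespace, NFC) is an illustrative choice rather than a standardized scheme, and the function names, sample documents and key are all assumptions.

```python
import hashlib
import hmac
import json
import unicodedata

def _nfc(value):
    """Recursively apply Unicode NFC to every string, including member names."""
    if isinstance(value, str):
        return unicodedata.normalize("NFC", value)
    if isinstance(value, list):
        return [_nfc(v) for v in value]
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            nk = unicodedata.normalize("NFC", k)
            if nk in out:  # two names that differ only in normalization form
                raise ValueError(f"member names collide after NFC: {nk!r}")
            out[nk] = _nfc(v)
        return out
    return value

def canonicalize(text, normalize=True):
    """Illustrative canonical form: sorted members, no whitespace, UTF-8."""
    obj = json.loads(text)
    if normalize:
        obj = _nfc(obj)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def naive_equal(a, b):
    """memcmp()-style comparison of the raw wire bytes."""
    return a.encode("utf-8") == b.encode("utf-8")

def parsed_equal(a, b):
    """Compare parsed native objects: order-insensitive, normalization-sensitive."""
    return json.loads(a) == json.loads(b)

def sign(key, text, normalize=True):
    """MAC over the canonical bytes, as a peer would reconstruct them."""
    return hmac.new(key, canonicalize(text, normalize), hashlib.sha256).hexdigest()

# Constructed sample inputs: same data, different member order, whitespace,
# and normalization form (precomposed U+00E9 vs. "e" + combining U+0301).
DOC_A = '{"name": "Ren\u00e9", "id": 7}'
DOC_B = '{"id":7,"name":"Rene\u0301"}'
KEY = b"constructed-demo-key"
```

With these inputs, the MAC a peer computes over its own reconstruction matches the signer's only when both sides apply the same normalization before serializing.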