IETF Logo Mail Archive

Re: [Json] Canonicalization

Francis Galiegue <fgaliegue@gmail.com> Wed, 20 February 2013 02:04 UTC

Return-Path: <fgaliegue@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCD3E21F8689 for <json@ietfa.amsl.com>; Tue, 19 Feb 2013 18:04:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IjgIbk38TkvG for <json@ietfa.amsl.com>; Tue, 19 Feb 2013 18:04:55 -0800 (PST)
Received: from mail-ea0-f173.google.com (mail-ea0-f173.google.com [209.85.215.173]) by ietfa.amsl.com (Postfix) with ESMTP id 9884621F8688 for <json@ietf.org>; Tue, 19 Feb 2013 18:04:55 -0800 (PST)
Received: by mail-ea0-f173.google.com with SMTP id i1so3070150eaa.4 for <json@ietf.org>; Tue, 19 Feb 2013 18:04:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=00APH2hKhuzhOQr2XSlYx14ja3aQUfgTZ7OAlWisCAI=; b=pq269Qf0pQx8fxA4/sRicTqDUu/zSWWY1B5Ibcx6DQuZgfiAzlrIUi9do2GHAIvvf1 L/rpfVxZjTOOiu8ct498b5BMeCDQ5vzt1Vb0t1mgebPR6LNWAfy70kd++QT6pSG06gDM 7Jv6M+M7S7y51DEQ39M2YuolsoKGHWm/STp2GxP8AOInKSaeP6BOAn3Tm40Sd2BBkG0V 5/OVEp5rq60XC/HiiJzdyhvKjpe2ILex+nKUg5B1FbUNK3taRuBTOyXYXesKHBdhxS7f Ws4dOpNvnhTYt5dUExGMQyWpSptB2ueRKvALB3St3maQVuUBmDZzGWhCT9fkDFgqxElH HzsQ==
MIME-Version: 1.0
X-Received: by 10.14.209.131 with SMTP id s3mr63075108eeo.26.1361325894653; Tue, 19 Feb 2013 18:04:54 -0800 (PST)
Received: by 10.14.1.7 with HTTP; Tue, 19 Feb 2013 18:04:54 -0800 (PST)
In-Reply-To: <CALcybBAkJg1JyMwPc-xsCv_GvROPE696-4ak8YqaO2vXcQ+QHA@mail.gmail.com>
References: <BF7E36B9C495A6468E8EC573603ED9411513E818@xmb-aln-x11.cisco.com> <A723FC6ECC552A4D8C8249D9E07425A70F897263@xmb-rcd-x10.cisco.com> <255B9BB34FB7D647A506DC292726F6E11507579808@WSMSG3153V.srv.dir.telstra.com> <1F2DF9AD-EE7A-4CC6-BBA6-AF07D02347F9@vpnc.org> <CAK3OfOhkSdi_4kuM3SG2N=bcfAwE-3E9+_SWW8ULSfedO8HAkQ@mail.gmail.com> <2510D743-1CCE-42D0-9067-836F03BDD606@vpnc.org> <CALcybBDfyDGh-Gt9v-94OBM7XFzzSwywZJW_fECuig6hrN0cCw@mail.gmail.com> <1361323974.9790.41.camel@pbryan-wsl.internal.salesforce.com> <CALcybBAkJg1JyMwPc-xsCv_GvROPE696-4ak8YqaO2vXcQ+QHA@mail.gmail.com>
Date: Wed, 20 Feb 2013 03:04:54 +0100
Message-ID: <CALcybBAyc1CcaH1_yyg8AQ9=SM6Tn7+1mbtQL+b9910ojuvbqQ@mail.gmail.com>
From: Francis Galiegue <fgaliegue@gmail.com>
To: "Paul C. Bryan" <pbryan@anode.ca>
Content-Type: text/plain; charset="UTF-8"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Canonicalization
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion related to JavaScript Object Notation \(JSON\)." <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 02:04:56 -0000

On Wed, Feb 20, 2013 at 2:39 AM, Francis Galiegue <fgaliegue@gmail.com> wrote:
[...]
>
> Ick. OK, well, the answer seems pretty simple: UTF-8. It is already
> recommended, I guess making is a MUST in RFC 4627bis will solve the
> issue without even the need for c14n...
>
> Nothing to lose, everything to gain.
>

Some more thoughts about this...

Signing does not require c14n at all. Signing is totally unaware of
the media type. It will sign whatever it is fed with, and does not
care about what this content actually is. So, signing, say:

----
{ "a": "b", "c": "d" }
----

will not yield the same result as signing:

----
{
    "a": "b",
    "c": "d"
}
----

and that is pretty much normal. The scope of action as far as signing
content is concerned is byte-to-byte representation. And yes, this
means that UTF-16 in these two examples will yield a different
signature than UTF-8. OK, but whatever encoding is used, it will be
_known by the receiving end_. As such, signing in itself completely
precludes the need for c14n, and as such, c14n is not needed at all
since signing is not mandatory.

What _is_ required is that interpretations on either point of a
point-to-point transaction involving JSON data interpret this data in
the same way. And as such, the more pressing matter is turning the
SHOULD NOT have duplicate member names in JSON Objects into a MUST
NOT.

But c14n is, basically, unwarranted.

At least, this is my view on the matter.
-- 
Francis Galiegue, fgaliegue@gmail.com
Try out your JSON Schemas: http://json-schema-validator.herokuapp.com

v2.23.0 | Report a Bug | By Email