IETF Logo Mail Archive

Re: [Json] JSON Concluded? Well, maybe not

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 04 January 2018 05:35 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3BAC1243F6 for <json@ietfa.amsl.com>; Wed, 3 Jan 2018 21:35:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcnWtZPvIs9K for <json@ietfa.amsl.com>; Wed, 3 Jan 2018 21:35:40 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55FB412426E for <json@ietf.org>; Wed, 3 Jan 2018 21:35:40 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id b141so1342153wme.1 for <json@ietf.org>; Wed, 03 Jan 2018 21:35:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Bx8cBKBkGhmrBYAF4NTtPeg5KdErtOTR9d1G6I3wCqY=; b=hsRVE/MIhhk2AFg+7r45/w/2Z6RkocBPj9jX/d3twxt8NZViEX1kw53RqVZvb4ya9E DGF2njU1Nu56bm6Q78pZGTktThll48x2DYFZfdRlsl3AHecKuyFILanUBW4LKrhLwkCy 6cKF7BH8WjEhH164fG4GPDr7wa3vL4cdCfYjIkIsyjIvcTfSKIK8OM87X8II8COyVNEw mrtpP3mN6K8xLszkXRgiVGlIPLupzZLZQwGVkhmhMUskpR9S8+Hyk4XW22TOIlWIV6rH HlgwTXfgZeIT3mdM1RQ6gXxsLHDd0l529h9PCrcuxHb4WkNNbdUdj9BdFbsXZD8o6MhP 1kZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Bx8cBKBkGhmrBYAF4NTtPeg5KdErtOTR9d1G6I3wCqY=; b=GO/W7fMAdsIm6TJIECVJXVfKqo1zz4UdEJNSJeHzniNlcyqIMoPryUi2Z6wd3tG4v+ N/Amf4eq9P+orDWmigbkbjWEBezOSzk5MwibQi02LxbvCzM42YUE1CN27W/pfwoPmzq7 L0T5kkGnboHNoItwYTzRJvXZXJ5X2CVgur4r5dPmgIQXSLsKMAmd4WgmMrAf9q+PVR9f S4kLI2VI9jA8W6yxtXQH21eAgkIt2ey3xMrtW5dVTIFvBW3fpYS4xyEEsnbJEGV7ZxGJ t28SxSSSMMx2YHbAQRsZ/s6kSa8CSdmQL3UZPfcfR6RpAlpidL4enMHHCZeoNqjdPUAE yWxw==
X-Gm-Message-State: AKGB3mIyR1QAcXokBTK/hw/QkpGRCM5dHaSGkbs93fML748lxjL/MwLd Ce0fk118rcZ2uRcmPoLQqnVMDA==
X-Google-Smtp-Source: ACJfBot67c20xkxKvTBtDRMmhZeg+gmc8xtKCjHwaC1Khz9FotdA/ymJPTZT5TdjDftxXmDsn6kr5A==
X-Received: by 10.80.135.86 with SMTP id 22mr5595327edv.266.1515044137669; Wed, 03 Jan 2018 21:35:37 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id 33sm1454421edt.57.2018.01.03.21.35.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Jan 2018 21:35:36 -0800 (PST)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Richard Gibson <richard.gibson@gmail.com>
Cc: JSON WG <json@ietf.org>
References: <13860352-ef8e-1d4b-2eff-27e275c25e3a@gmail.com> <CALH+fvqBGu0i=LcciYgOLSwbQJXfqgcXTdd=rxvfHfqiRyBj7g@mail.gmail.com> <CAHBU6itC+XAKhc_m_ywG5O2bpky9DnmzfiNVqP3WrxLaE7uenA@mail.gmail.com> <92077f95-5dd6-3f5b-4765-d14067f698ac@dret.net> <CADEL5zshRaHtVNAtNggwHaPKP9xWeePcBZcQc1EM8SEfUu41Uw@mail.gmail.com> <CALH+fvqkBkQCiXfx1cxXaX092sbW6fgUmUizXP1f=ScMZ3bBqQ@mail.gmail.com> <cb1ce20d-67f0-f4f4-8077-57c3d3f232b7@gmail.com> <CALH+fvqpaT0b8AfPigk93Fy5hhWFthiFJSfaMmkttpMgqiMvQw@mail.gmail.com> <15337fea-5cec-0306-939b-df40b3a367d6@gmail.com> <CALH+fvrmLf0qwhWYn2YQx7f=jzo9O00tcJmMiGgG32wjXf9gHA@mail.gmail.com>
Message-ID: <b10dd722-20ff-289c-e40f-1c0ef5b152f2@gmail.com>
Date: Thu, 04 Jan 2018 06:35:37 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <CALH+fvrmLf0qwhWYn2YQx7f=jzo9O00tcJmMiGgG32wjXf9gHA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/json/vzzNr1a0fWQFyA4Fti6T6fSfLGc>
Subject: Re: [Json] JSON Concluded? Well, maybe not
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2018 05:35:43 -0000

Dear Richard,

I'm in no way against an RFC for canonical JSON. On the contrary, I whish you luck with your JSON canonicalization endeavors!

There is no real disconnect, there is a difference in opinion of what is [most] important.

In my opinion a cross-platform system based on JSON messaging MUST consider the limitations in both ECMAScript JSON processing and in JSON itself.  The latter are quite severe and every now and then cause people starting new projects to "fix JSON" like: https://www.tjson.org/

Creating a signature scheme relying on ECMAScript JSON processing rules may indeed be regarded as a short-cut, but availability typically trumps perfection.

Anders

On 2018-01-03 18:25, Richard Gibson wrote:
> I'm really not sure where the disconnect between us is coming from... JSON specifies unordered keys for objects, arbitrary-precision numbers, and strings that can contain code points excluded from UTF-8. As such, ECMAScript JSON.stringify is *not* suitable for JSON canonicalization, though it may suffice for certain Javascript-centric or otherwise restricted subsets thereof as addressed by JOSE. I believe that a general solution like http://gibson042.github.io/canonicaljson-spec/ is needed to avoid this seemingly endless series of special cases [1] [2] [3] [etc] (including those that have nothing to do with cryptographic signatures or encryption), and therefore wish to work towards an RFC describing it. There's no problem if you're uninterested, or even if you believe that a general solution is unwarranted, but there _is_ a problem if you believe that JSON.stringify already provides one.
> 
> [1]: https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00
> [2]: https://tools.ietf.org/html/rfc7638#section-3.3
> [3]: https://keybase.io/docs/api/1.0/canonical_packings#json
> [etc]: http://wiki.laptop.org/go/Canonical_JSON
> 
> On Wed, Jan 3, 2018 at 2:06 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
> 
>     On 2018-01-02 17:33, Richard Gibson wrote:
> 
>     <snip>
> 
>         JSON.stringify assumes information that is explicitly not conveyed by JSON (in which an object is "an unordered collection of zero or more name/value pairs") [1], and both its number serialization [2]
>         and string serialization [3] specify aspects that harm compatibility
>         (the former having arbitrary value-dependent branches, the latter being
>         capable of producing invalid UTF-8 octet sequences that represent unpaired
>         surrogate code points—unacceptable for exchange outside of a closed
>         ecosystem [4]). JSON is a general language-agnostic interchange format,
>         and ECMAScript JSON.stringify is *not* a JSON canonicalization solution.
> 
>         [1]: https://tools.ietf.org/html/rfc8259#section-1 <https://tools.ietf.org/html/rfc8259#section-1>
>         [2]: http://ecma-international.org/ecma-262/7.0/#sec-tostring-applied-to-the-number-type <http://ecma-international.org/ecma-262/7.0/#sec-tostring-applied-to-the-number-type>
>         [3]: http://ecma-international.org/ecma-262/7.0/#sec-quotejsonstring <http://ecma-international.org/ecma-262/7.0/#sec-quotejsonstring>
>         [4]: https://tools.ietf.org/html/rfc8259#section-8.1 <https://tools.ietf.org/html/rfc8259#section-8.1>
> 
> 
>     JSON is a format defined the IETF and ECMA in some kind of cooperation.
> 
>     ECMA's ECMAScript defines a set of ("fairly" easy to implement) JSON processing rules which are fully compatible [1] with the JSON format.
> 
>     The idea using ES6+ number normalization was originally proposed by an esteemed member of the now concluded JOSE WG:
>     https://www.ietf.org/mail-archive/web/jose/current/msg05323.html <https://www.ietf.org/mail-archive/web/jose/current/msg05323.html>
> 
>     Following that path, I (accidentally) discovered the "missing link", ES6+'s preservation [2] of the original property ordering which in my mind is quite logical [3] for "ordinary" JSON usage as well.
> 
>     A Java based reference implementation has been successfully tested against Chrome, Node.js, Firefox and Safari.
> 
>     Feel free taking a test ride on: https://mobilepki.org/jose-jcs/home <https://mobilepki.org/jose-jcs/home>
>     Note that it outlaws signing a JSON "Number" expressed as "1.0" since the correct (according to ES6+) representation is "1".
> 
>     Anders
> 
>     1] possibly with the exception of "unpaired surrogate code points" which I admittedly know zilch about
>     2] with properties named as integers as a for practical purposes insignificant exception
>     3] Making data come out in the order it was specified addresses human aspects like debugging and documentation of JSON data
> 
>

v2.23.0 | Report a Bug | By Email