IETF Logo Mail Archive

Re: [Json] JSON Concluded? Well, maybe not

Phillip Hallam-Baker <ietf@hallambaker.com> Mon, 01 January 2018 17:17 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB86912025C for <json@ietfa.amsl.com>; Mon, 1 Jan 2018 09:17:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.139
X-Spam-Level:
X-Spam-Status: No, score=-1.139 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56EiPYmgmeMS for <json@ietfa.amsl.com>; Mon, 1 Jan 2018 09:17:19 -0800 (PST)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19D0F124D6C for <json@ietf.org>; Mon, 1 Jan 2018 09:17:19 -0800 (PST)
Received: by mail-ot0-x22f.google.com with SMTP id b56so27830723otd.10 for <json@ietf.org>; Mon, 01 Jan 2018 09:17:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=qfhHTVag/Lqmr9fY3picLadvm8k1TqeAxdoDX3N50uA=; b=G9xy9Kfiiig4aLSozT3aAGMkj17s1iyHn1LC6u4pysTEQJhML9RN4xU14Egf1h9cgJ dbOfrWbWaqBAQn1yr8P1tnhiiUo60T9u95QLjKlk2a7m0P0DAjm8vHWLf2OvXSnINMUZ 2Fv3rwqvjBrP1aCTyvCAHAi6kKQWvbs8KZhFUpfvieVGANiGTJtdsVMF0LPq6j7iXMk8 Rg8J8cDjUzDtflscYNEzB5h1clFkc5obC80PH7sZKj+jRp50s6/wMR9VM9vfCUGoooUe yy0MfP1Ewzgnu8YsuKFDpp3O0Map16xvcl0JsG7bX+PNGwFY2oDPLrDtRX9tWo3XHE4z r2LQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=qfhHTVag/Lqmr9fY3picLadvm8k1TqeAxdoDX3N50uA=; b=A0i5qCqEKYgXuLD9eCYffr2Xcd4PAiOpvMTjTlVeCdEaj/X4tNSdQJziLMVZbrgtrW /LvmVSY0bf3U57vGoY71yYc3JAn24rk+n3Hdh397ZoE6LkbKXu/PnBVHlLb0LlRV4k5t wPialSVy8tkJ11cDrwL+oWgkFhQ1jPU5wUlEeakkbjBGLPruNn0UEVDfVUUQ9xcrUUsN TdxxNXDDiRjTdiBvfvIo5Odg0oMtPjCmdcf1z6qnypcrSUcxh3ucs/Q+L9o3FqNimATw kkKNntbn36/3vlEsypaACtdqO2gbvK1o96HLCDNmA0xTZqcgOrze1uDbBn+1ef5h8D72 HfIQ==
X-Gm-Message-State: AKGB3mLjDSUa7tZb+0XD2RBnBjAXZiQp4aHuT++91jcmSpf1UkinZuHR 7nStlTifVfdXSWjYRnXMB9VQ9EFGCEbMQ0u0/4M=
X-Google-Smtp-Source: ACJfBos53v30OXTcqDow3lLIWgIxUP9K5ST+j75MX8NssC6gA8z4zLx5F5qNfNzBQhLU6GPh0NGz0tFvkitDQE4mbS0=
X-Received: by 10.157.26.50 with SMTP id a47mr18726899ote.149.1514827038311; Mon, 01 Jan 2018 09:17:18 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.49.87 with HTTP; Mon, 1 Jan 2018 09:17:17 -0800 (PST)
In-Reply-To: <a96d74f1-7f8a-e091-4fe8-4031d70de777@gmail.com>
References: <13860352-ef8e-1d4b-2eff-27e275c25e3a@gmail.com> <CALH+fvqBGu0i=LcciYgOLSwbQJXfqgcXTdd=rxvfHfqiRyBj7g@mail.gmail.com> <CAHBU6itC+XAKhc_m_ywG5O2bpky9DnmzfiNVqP3WrxLaE7uenA@mail.gmail.com> <92077f95-5dd6-3f5b-4765-d14067f698ac@dret.net> <CADEL5zshRaHtVNAtNggwHaPKP9xWeePcBZcQc1EM8SEfUu41Uw@mail.gmail.com> <CALH+fvqkBkQCiXfx1cxXaX092sbW6fgUmUizXP1f=ScMZ3bBqQ@mail.gmail.com> <cb1ce20d-67f0-f4f4-8077-57c3d3f232b7@gmail.com> <CAMm+Lwiuod4Xf4=a8m25aNt626xCrO0Xet=96vn=R0eEwyjV1g@mail.gmail.com> <a96d74f1-7f8a-e091-4fe8-4031d70de777@gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
Date: Mon, 01 Jan 2018 12:17:17 -0500
X-Google-Sender-Auth: KT7mrtjI8RJM4cWuxcLeK8pj9No
Message-ID: <CAMm+Lwg49Dqwb7MknVPuqvTBHVBZpEcP2Z4WAvSZYQumnwtLfw@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Richard Gibson <richard.gibson@gmail.com>, JSON WG <json@ietf.org>
Content-Type: multipart/alternative; boundary="001a11463ba083cb940561ba279f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/json/yA-RbTjgIoP0jRO8J213utQvPek>
Subject: Re: [Json] JSON Concluded? Well, maybe not
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jan 2018 17:17:21 -0000

​I can't see the need for stringify there. By which I mean, my code runs
and I do not use javascript or stringify anywhere.

​Where I think folk tend to go really wrong is doing the stuff people
decided they wanted with XML Signature which was to have the following:

Unsigned object:

<object>
   <blahdyblah/>
</object>

Signed object:

<object>
   <blahdyblah/>
   <signature>
      {path transform}
      {etc}
   </signature>
</object>

And it worked exactly as well as could be expected.


On Mon, Jan 1, 2018 at 1:43 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2018-01-01 07:27, Phillip Hallam-Baker wrote:
>
>> The use case that I believe gives rise to the belief canonicalization is
>> necessary is the need to sign a data object in the same JSON document.
>>
>
> Yes, but this is indeed only a belief.  The following in-object signature
> would validate in any JSON system compliant with ECMA:
>
> {
>   "now": "2017-04-16T11:23:06Z",
>   "escapeMe": "\u20ac$\u000F\u000aA'\u0042\u0022\u005c\\\"\/",
>   "numbers": [1e+30,4.5,6],
>   "signature": {
>     "alg": "ES256",
>     "jwk": {
>       "kty": "EC",
>       "crv": "P-256",
>       "x": "_gow8fcS3Dx9z6j57U5q8tunnRBdrgLU9A7CZTYCnqU",
>       "y": "bdfJGraBVL5aPj38TG4tHwxpU2VKwG1XBp0wQfCLOFQ"
>     },
>     "val": "OfTUed3gOO58ZPcP5ZXpL6OA9iyHskfo0zKI60H6XriGNNNb5sugGz80nqf
> yJ25jXPRYGAWcjH-1KGy5_eQuJQ"
>   }
> }
>
>
>   // Perform normalization
>   var clone = Object.assign({}, signedObject.signature);     // Clone
> "signature" child object
>   var signature = decodeBase64URL(clone.val);                // Get
> signature value
>   delete signedObject.signature.val;                         // Remove
> signature value property from signed object
>   var data = convertToUTF8(JSON.stringify(signedObject));    // Get
> normalized JSON string (signed data)
>   signedObject.signature = clone;                            // Restore
> signed object
>   // Do the crypto now
>
> That's clearly not rocket science.
>
> Anders
>
>
> I have this need frequently:
>>
>> { {A = [... JSON Data...]} { Signature (A) } }
>>
>> The way I solve this using JSON is to BASE-64 encode:
>>
>> { { A = base64(... JSON Data...)} { Signature (A) } }
>>
>> Which is brutal but entirely effective and only expands the data by 33%
>>
>> For an efficient encoding, I use JSON-B which is a strict superset of
>> JSON with additional code points that allow binary data to be spliced in.
>>
>> JSON only uses bytes in the range 1-127 for tagging. Bytes in the range
>> 128-255 can only occur inside strings. Which means all the other values can
>> be repurposed
>>
>> In JSON-B, the binary sequence 01 02 03 can be encoded as either "AQID" or
>>
>> 88 03 01 02 03
>>
>> The first byte says that this is a binary value with an 8 bit length and
>> the final block of the sequence (i.e. there is only one block in this
>> sequence).
>>
>> The second byte is the length.
>>
>> The rest is the data.
>>
>>
>> I would much rather extend JSON to support efficient encoding of any
>> binary value than develop a canonicalization hack that could only ever work
>> for JSON.
>>
>> http://www.prismproof.org/Documents/draft-hallambaker-jsonbcd.html
>>
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email