- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 02 Dec 2014 20:53:11 -0500
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, "David I. Lehn" <dil@lehn.org>
- CC: Richard Barnes <rlb@ipv.sx>, W3C Credentials Community Group <public-credentials@w3.org>
On 12/02/2014 03:53 PM, Anders Rundgren wrote:
> On https://mobilepki.org/jcs you can test my take on the JSON clear
> text signature concept, JCS.
I got the JCS algorithm to fail in 5 minutes :), read on to find out how:
Try this out:
JSON.stringify({"foo":"bar", "3": "three", "2":"two", "1": "one"});
You get this in Chromium 34, Firefox Nightly, and IE 11:
{"1":"one","2":"two","3":"three","foo":"bar"}
and this in Python2, Python3 (if you do it the right way and use
OrderedDict):
>>> import json, collections
>>> json.dumps(json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode("""{"foo":"bar", "3": "three", "2":"two", "1": "one"}"""))
'{"foo": "bar", "3": "three", "2": "two", "1": "one"}'
> Only a bad programmer would design a parser so it would output data
> in a different order than it was supplied in
Your claim that input order is preserved in browser implementations is
false. :)
Thus, any JSON Cleartext Signature that contains a number as a key will
fail to be created/verified between at least those programming
environments. I didn't check other programming environments like PHP5,
which I expect would be a horror show and only further underscore the issue.
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Wednesday, 3 December 2014 01:53:38 UTC
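The ordering mismatch Manu describes above, reproduced in Python as an added example (not code from the thread or from the JCS project): one function emulates the key order the e-mail reports for browsers (integer-like keys first, ascending, then the rest in insertion order; the emulation is an assumption for illustration), and the two serializations are compared against a canonical form that sorts keys before hashing. Function names and the SHA-256 digest step are this example's own choices.

```python
import collections
import hashlib
import json

# Constructed sample: the same object the e-mail feeds to JSON.stringify.
DOC_TEXT = '{"foo":"bar", "3": "three", "2":"two", "1": "one"}'


def parse_preserving_order(text):
    """Parse the way the e-mail does in Python: keys keep their input order."""
    return json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode(text)


def js_like_order(obj):
    """Reorder keys the way the e-mail reports browsers do: keys that look like
    non-negative integers first, ascending numerically, then the remaining keys
    in insertion order. Approximation for illustration, applied recursively."""
    if isinstance(obj, list):
        return [js_like_order(v) for v in obj]
    if not isinstance(obj, dict):
        return obj
    is_index = lambda k: k.isdigit() and (k == "0" or not k.startswith("0"))
    ints = sorted((k for k in obj if is_index(k)), key=int)
    others = [k for k in obj if not is_index(k)]
    return collections.OrderedDict((k, js_like_order(obj[k])) for k in ints + others)


def naive_serialize(obj):
    """Serialize in whatever order the object currently carries (the failure mode)."""
    return json.dumps(obj, separators=(",", ":"))


def canonical_serialize(obj):
    """Order-independent serialization: keys sorted, no insignificant whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def digest(text):
    """Stand-in for the signing input: hash the serialized bytes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def signing_inputs(text):
    """Return the naive and canonical signing inputs as seen from both environments."""
    python_view = parse_preserving_order(text)
    browser_view = js_like_order(python_view)
    return {
        "python_naive": naive_serialize(python_view),
        "browser_naive": naive_serialize(browser_view),
        "python_canonical": canonical_serialize(python_view),
        "browser_canonical": canonical_serialize(browser_view),
    }


if __name__ == "__main__":
    views = signing_inputs(DOC_TEXT)
    for name, text in views.items():
        print(f"{name:18} {digest(text)[:16]}  {text}")
```

Running it shows the two naive serializations (and therefore their digests) differ, so a signature computed over one would not verify against the other, while the two canonical serializations are byte-identical. Sorting keys is only a full fix when the sort order itself is specified precisely (which string comparison, how numbers and escapes are rendered), since Python's `sort_keys` orders by code point and another language may not.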