
Re: JOSE author didn't use JWS. Was: Digital Signatures for Credentials

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 02 Dec 2014 20:53:11 -0500
Message-ID: <547E6D07.20203@digitalbazaar.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, "David I. Lehn" <dil@lehn.org>
CC: Richard Barnes <rlb@ipv.sx>, W3C Credentials Community Group <public-credentials@w3.org>
On 12/02/2014 03:53 PM, Anders Rundgren wrote:
> On https://mobilepki.org/jcs you can test my take on the JSON clear 
> text signature concept, JCS.

I got the JCS algorithm to fail in 5 minutes :). Read on to find out how:

Try this out:

JSON.stringify({"foo":"bar", "3": "three", "2":"two", "1": "one"});

You get this in Chromium 34, Firefox Nightly, and IE 11:

{"1":"one","2":"two","3":"three","foo":"bar"}

and this in Python2, Python3 (if you do it the right way and use
OrderedDict):

>>> import json, collections
>>> json.dumps(json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode(
...     """{"foo":"bar", "3": "three", "2":"two", "1": "one"}"""))

{"foo": "bar", "3": "three", "2": "two", "1": "one"}

> Only a bad programmer would design a parser so it would output data 
> in a different order than it was supplied in

Your claim that input order is preserved in browser implementations is
false. :)

Thus, any JSON Cleartext Signature that contains a number as a key will
fail to be created/verified between at least those programming
environments. I didn't check other programming environments like PHP5,
which I expect would be a horror show and only further underscore the issue.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Wednesday, 3 December 2014 01:53:38 UTC
