Re: Clear text JSON signatures, Numbers etc.

On 2014-12-03 11:06, Melvin Carvalho wrote:

>
> Handling numbers (and especially decimals) in JSON is important
> to facilitate financial transactions.  For example, JRD, which is
> part of the IETF "webfinger" system, does handle native numbers either.
> This could be an interesting data point to test when evaluating pros and cons of different approaches.

The number problem Manu found was for numeric property names, not numeric arguments.

However, using native JSON/JavaScript numbers for financial transactions is
not a good idea anyway since the underlying implementation is double.

For certificate serial numbers which may exceed double in size I have
created a virtual BigInteger type enclosed in "".

In my Java implementation I have made a similar solution for BigDecimal
which is designed for holding arbitrary sized amounts of money:
https://code.google.com/p/openkeystore/source/browse/library/trunk/src/org/webpki/json/JSONObjectReader.java#117

Anders

>
>
>     Cheers,
>     Anders
>
>
>
>         Try this out:
>
>         JSON.stringify({"foo":"bar", "3": "three", "2":"two", "1": "one"});
>
>         You get this in Chromium 34, Firefox Nightly, and IE 11:
>
>         {"1":"one","2":"two","3":"three","foo":"bar"}
>
>         and this in Python2, Python3 (if you do it the right way and use
>         OrderedDict):
>
>         json.dumps(json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode("""{"foo":"bar", "3": "three", "2":"two", "1": "one"}"""))
>
>         {"foo": "bar", "3": "three", "2": "two", "1": "one"}
>
>             Only a bad programmer would design a parser so it would output data
>             in a different order than it was supplied in
>
>
>         Your claim that input order is preserved in browser implementations is
>         false. :)
>
>         Thus, any JSON Cleartext Signature that contains a number as a key will
>         fail to be created/verified between at least those programming
>         environments. I didn't check other programming environments like PHP5,
>         which I expect would be a horror show and only further underscore the issue.
>
>         -- manu
>
>
>
>

Received on Wednesday, 3 December 2014 10:32:12 UTC
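
The two hazards discussed in this message (integer-like property names being reordered on re-serialization, and native numbers passing through a double) can be checked before a JSON text is signed. The following JavaScript is an added example, not code from the thread or from the openkeystore library; the function names are hypothetical, the first sample is the object from the quoted message, and the other two samples are constructed.

```javascript
// Added example (not from the thread): does a JSON text survive parse +
// re-serialize byte for byte in this engine? Function names are hypothetical.

// Strip insignificant whitespace without parsing; string literals stay as-is.
function compact(text) {
  return text.replace(/"(?:[^"\\]|\\.)*"|\s+/g, (m) => (m[0] === '"' ? m : ""));
}

// Number literals whose text changes after a trip through an IEEE 754 double.
function lossyNumbers(text) {
  const re = /"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?/g;
  return (text.match(re) || []).filter(
    (t) => t[0] !== '"' && String(Number(t)) !== t
  );
}

// Property names the engine treats as array indices and emits first, ascending.
function integerLikeKeys(value, found = []) {
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const isIndex = /^(0|[1-9]\d*)$/.test(k) && Number(k) < 2 ** 32 - 1;
      if (!Array.isArray(value) && isIndex) found.push(k);
      integerLikeKeys(v, found);
    }
  }
  return found;
}

function signingHazards(text) {
  const parsed = JSON.parse(text);
  return {
    roundTrips: JSON.stringify(parsed) === compact(text),
    integerLikeKeys: integerLikeKeys(parsed),
    lossyNumbers: lossyNumbers(text),
  };
}

// Sample inputs: the first is the object from the quoted message, the other
// two are constructed for this example.
const reordered = '{"foo":"bar", "3": "three", "2":"two", "1": "one"}';
const bareNumbers = '{"serial": 12345678901234567890, "amount": 0.10}';
const quotedNumbers = '{"serial": "12345678901234567890", "amount": "0.10"}';

for (const text of [reordered, bareNumbers, quotedNumbers]) {
  console.log(text, JSON.stringify(signingHazards(text)));
}
```

A false `roundTrips` means a signature computed over the original text will not verify against what this engine re-serializes; the quoted-string form of the serial number and amount round-trips unchanged and can be read exactly with `BigInt` or a decimal library.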