- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 21 Nov 2014 07:13:31 +0100
- To: Harry Halpin <hhalpin@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org, Stéphane Boyera <boyera@w3.org>
Debate or not, XML DSig requires very complex and error-prone canonicalization, which probably was the reason why the JOSE folks removed canonicalization altogether, by requiring that the data-to-be-signed is Base64URL-encoded. I.e. the pendulum switched between two extremes.

Although some people seem to dislike "best practices" as foundations for standards, I can attest that there is neither a need for canonicalization, nor for Base64URL-encoding; a very simple character normalization scheme suffices. This is not just a statement, it has been thoroughly tested as well.

Yes, it does assume that a JSON parser respects property order, which indeed is [technically] outside of the JSON specification but honored by at least the browser parsers for an obvious reason: Who wants their data to come out in another order than it was supplied in???

For information-rich business-messaging currently powered by clear-text XML and EDI schemes, force-feeding with Base64URL may prove to be a slightly harder sell than the JOSE WG and W3C anticipated. That is, claiming victory for JOSE for all markets and standards is premature.

Cheers,
Anders
Received on Friday, 21 November 2014 06:14:01 UTC
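
The property-order assumption in the message above, as an added example that is not part of the original e-mail or the author's scheme: a verifier that parses a cleartext-signed JSON message, re-serializes it and checks an HMAC. The key, the sample messages and the helpers `signText` and `verify` are constructed for illustration, and `JSON.stringify` stands in for the normalization step, which the message does not specify.

```javascript
// Added example, not code from the original message.
const crypto = require("node:crypto");

const KEY = Buffer.from("constructed-demo-key"); // constructed sample key

function mac(text) {
  return crypto.createHmac("sha256", KEY).update(text, "utf8").digest();
}

// Sender side (any implementation): MAC the compact JSON text exactly as
// written, then append the result as a final "signature" member.
function signText(compactJson) {
  const sig = mac(compactJson).toString("base64");
  return compactJson.slice(0, -1) + ',"signature":"' + sig + '"}';
}

// Verifier side: parse, drop "signature", re-serialize, and compare MACs.
// JSON.stringify removes whitespace and normalizes string escapes; the
// property order it emits is whatever order the parser kept.
function verify(wireText) {
  let obj;
  try { obj = JSON.parse(wireText); } catch { return false; }
  if (obj === null || typeof obj !== "object" || typeof obj.signature !== "string") return false;
  const { signature, ...rest } = obj;
  const got = Buffer.from(signature, "base64");
  const expected = mac(JSON.stringify(rest));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample messages.
const plain = signText('{"payee":"ACME","amount":"12.50"}');
const pretty = JSON.stringify(JSON.parse(plain), null, 2); // re-indented in transit
const swapped = plain.replace('"payee":"ACME","amount":"12.50"', '"amount":"12.50","payee":"ACME"');
const intKey = signText('{"payee":"ACME","10":"x"}');

function results() {
  return {
    plain: verify(plain),     // true
    pretty: verify(pretty),   // true: whitespace is not part of the signed text
    swapped: verify(swapped), // false: property order is part of the signed text
    intKey: verify(intKey),   // false: JS engines enumerate integer-like keys first
  };
}

console.log(results());
```

The last case is the one to check for when a verifier relies on parser order: ECMAScript objects enumerate integer-like keys in ascending numeric order ahead of other keys, so a message whose sender wrote such a key later in the text no longer re-serializes to the text that was signed.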