W3C home > Mailing lists > Public > public-identity@w3.org > December 2011

Re: JSON Description Language

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 06 Dec 2011 19:49:55 +0100
Message-ID: <4EDE63D3.2020706@w3.org>
To: Ron Garret <ron@flownet.com>
CC: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>
On 12/06/2011 04:31 AM, Ron Garret wrote:
> On Dec 5, 2011, at 6:51 PM, Anders Rundgren wrote:
>
>> The following is related to DOMCrypt and similar...
>>
>> http://tools.ietf.org/html/rfc4627
> It is?  What does JSON have to do with DOMCrypt?
Currently, while DomCrypt is a JS API, it does not use the formats 
specified by JOSE WG that is producing specs like JWT [1], but just 
straight unformatted arrays that can be converted to formats like those 
specified by JOSE or even in ASN.1.
>> Having a strong background in XML schema authoring I'm slightly
>> puzzled by the enthusiasm of using "secure" objects that (seem) to
>> have no notion of explicit (built-in) name-spaces or a description
>> language.
> I'm puzzled in what sense you think that JSON is "secure".  The only security claim made for JSON that I know of is that it can be safely parsed by the Javascript eval() function.

Please read this paper [2]. Due to some level of complexity and 
ambiguity of parsing Common names and inconsistencies amongst 
implementations (most likely due to ambiguity in specs or difficulty of 
parsing ASN.1), leads to a number of very dangerous attacks some of 
which actually happened in browsers. Therefore, simple syntax that can 
be easily and uniformly implemented reduces attacks.

> Can you please clarify why you think this is relevant to this group?

Note the dependency on JOSE WG in charter again. If we do need 
higher-level data-formats, we will use JSON rather than ASN.1.

   cheers,
     harry

[1] http://tools.ietf.org/wg/jose/
[2] http://www.ioactive.com/pdfs/PKILayerCake.pdf
> rg
>
>
Received on Tuesday, 6 December 2011 18:49:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 6 December 2011 18:49:50 GMT