- From: Adam Roach <abr@mozilla.com>
- Date: Thu, 7 Jun 2018 16:46:04 -0500
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments Working Group <public-payments-wg@w3.org>
I haven't been following the conversation about what might need to be signed or why, and my observation below shouldn't be read as an endorsement of a need to sign anything; however, in case the WG does go down the path of signing a JSON object, it should do so with complete information. On 6/7/18 1:06 AM, Anders Rundgren wrote: > Dear List, > > Several efforts have been initiated in order to create a more > JSON-friendly signature scheme where the data to be signed would > remain in JSON format rather than being Base64Url-encoded. > > However, it turns out that there is no real interest within the IETF > to pursue such ideas, effectively leaving the payment WG with a single > standardized solution: My understanding is that the IETF declined to define a generalized canonicalization for JSON, due to the extreme complexity of both designing and implementing such a scheme that works in all general cases. The lack of a generalized canonicalization does not prevent the definition of application-specific canonicalization of JSON data that takes advantage of the known structure of the JSON objects in question to create a simpler (and usually trivial) normalization procedure. See RFC 8225, section 7 for an example of how this has been done elsewhere. /a
Received on Thursday, 7 June 2018 21:46:29 UTC