
Signed JavaScript/JSON Objects using ES6

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 27 Oct 2015 15:10:15 +0100
To: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <562F85C7.40203@gmail.com>

For some reason the folks at Ecma specifying ECMAScript (aka JavaScript) gave in to the (probably somewhat uneducated) developer community who wanted properties to enumerate in "creation order" rather than in an unspecified/random fashion.

Although most likely entirely unintended, this opens the door to ultra-simple, in-object signature schemes that (unlike JOSE) do not force you into "dressing" messages in Base64 just because you need a signature.

http://webpki.org/ietf/draft-rundgren-predictable-serialization-for-json-tools-00.html#rfc.section.3.3

I have used this scheme (modulo floating point) in practice for more than a year with all the major browsers without any hiccups, but now it feels much better since the "black magic/guessing" is gone :-)

Anders
Received on Tuesday, 27 October 2015 14:10:48 UTC
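
The in-object scheme described in the message above, as an added Node.js sketch that is not code from the post or from the linked draft: the property name `signature`, the Ed25519 key type and all helper names are assumptions. It also checks the two cases where parse-and-reserialize does not reproduce the signed text, integer-like keys and number formatting.

```javascript
const crypto = require("node:crypto");

const SIG = "signature"; // assumed property name, not taken from the draft

// Sign the compact serialization of the object itself (string keys keep
// creation order in ES6), then append the signature as the last property.
function sign(obj, privateKey) {
  if (SIG in obj) throw new Error("object already carries a signature");
  const data = Buffer.from(JSON.stringify(obj), "utf8");
  const value = crypto.sign(null, data, privateKey).toString("base64");
  return JSON.stringify({ ...obj, [SIG]: value });
}

// Verify: parse, remove the signature property, re-serialize what is left
// and check the signature over those bytes.
function verify(text, publicKey) {
  const obj = JSON.parse(text);
  const value = obj[SIG];
  if (typeof value !== "string") return false;
  delete obj[SIG];
  const data = Buffer.from(JSON.stringify(obj), "utf8");
  return crypto.verify(null, data, publicKey, Buffer.from(value, "base64"));
}

// True when parse + stringify reproduces the text byte for byte, i.e. when a
// signature made over this text by a non-JavaScript signer can be re-checked.
function reserializesExactly(text) {
  return JSON.stringify(JSON.parse(text)) === text;
}

// Constructed sample message and a throwaway Ed25519 key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const signed = sign({ payee: "Example Corp", amount: "100.00" }, privateKey);

console.log(signed);
console.log(verify(signed, publicKey));                             // true
console.log(verify(signed.replace("100.00", "900.00"), publicKey)); // false
console.log(reserializesExactly('{"b":1,"a":2}'));    // true
console.log(reserializesExactly('{"b":1,"2":true}')); // false
console.log(reserializesExactly('{"n":1.0}'));        // false
```

A relay that parses the message and rebuilds it with a different property order invalidates the signature, so intermediaries have to forward the text unchanged or preserve the order.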