Re: JSON headers

Yes. I was thinking of combining this with the JOSE specs so signing becomes possible. 


> On Jul 9, 2016, at 2:51 PM, Kevin Marks <> wrote:
>> On Fri, Jul 8, 2016 at 11:44 AM, Phil Hunt <> wrote:
>> Not sure if this has been discussed. One of the biggest problems with HTTP
>> request signing has been repeat headers. It presents problem of detecting
>> which headers are intended and which header was signed first.
>> It would be nice if the JSON encoding handled arrays so that the demand for
>> duplicate headers is removed.  Signing could then be more successful and
>> could even stipulate that the presence of a repeat header in a signed
>> request is a failure condition.
> JSON doesn't help with this, as key order in objects (as opposed to
> lists) is not required or defined.
> Different programming languages behave differently here when
> iterating. PHP preserves definition order, python orders by hash of
> the key, and Go randomises the  order (to prevent accidental
> dependencies).
> Parsing JSON into native form and writing it out again makes key order
> indeterminate.
> As http headers have order dependent behaviour, this is a problem with
> replacing the key: value with JSON.

Received on Saturday, 9 July 2016 22:30:43 UTC