Re: JOSE author didn't use JWS. Was: Digital Signatures for Credentials

On 2014-12-03 02:53, Manu Sporny wrote:
> On 12/02/2014 03:53 PM, Anders Rundgren wrote:
>> On you can test my take on the JSON clear
>> text signature concept, JCS.
> I got the JCS algorithm to fail in 5 minutes :), read on to find out how:


Thank you for testing and indeed you are right, properties expressed
as numbers are apparently handled in another fashion :-(

Does this spell the end of JSON clear text signatures without hassles?

Maybe, I don't think so though because JSON parsers are small and adaptable,
and if this problem is (must check the browser source) limited to numeric
properties it wouldn't make the sky fall down although it certainly is
not good.


> Try this out:
> JSON.stringify({"foo":"bar", "3": "three", "2":"two", "1": "one"});
> You get this in Chromium 34, Firefox Nightly, and IE 11:
> {"1":"one","2":"two","3":"three","foo":"bar"}
> and this in Python2, Python3 (if you do it the right way and use
> OrderedDict):
>>>> json.dumps(json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode("""{"foo":"bar",
> "3": "three", "2":"two", "1": "one"}"""))
> {"foo": "bar", "3": "three", "2": "two", "1": "one"}
>> Only a bad programmer would design a parser so it would output data
>> in a different order than it was supplied in
> Your claim that input order is preserved in browser implementations is
> false. :)
> Thus, any JSON Cleartext Signature that contains a number as a key will
> fail to be created/verified between at least those programming
> environments. I didn't check other programming environments like PHP5,
> which I expect would be a horror show and only further underscore the issue.
> -- manu

Received on Wednesday, 3 December 2014 05:01:33 UTC