Re: JOSE author didn't use JWS. Was: Digital Signatures for Credentials

On 3 December 2014 at 06:00, Anders Rundgren <anders.rundgren.net@gmail.com>
wrote:

> On 2014-12-03 02:53, Manu Sporny wrote:
>
>> On 12/02/2014 03:53 PM, Anders Rundgren wrote:
>>
>>> On https://mobilepki.org/jcs you can test my take on the JSON clear
>>> text signature concept, JCS.
>>>
>>
>> I got the JCS algorithm to fail in 5 minutes :), read on to find out how:
>>
>
> Manu,
>
> Thank you for testing and indeed you are right, properties expressed
> as numbers are apparently handled in another fashion :-(
>
> Does this spell the end of JSON clear text signatures without hassles?
>
> Maybe, I don't think so though because JSON parsers are small and
> adaptable,
> and if this problem is (must check the browser source) limited to numeric
> properties it wouldn't make the sky fall down although it certainly is
> not good.
>

Handling numbers (and especially decimals) in JSON is important to
facilitate financial transactions.  For example, JRD, which is part of the
IETF "webfinger" system, does handle native numbers either.  This could be
an interesting data point to test when evaluating pros and cons of
different approaches.


>
> Cheers,
> Anders
>
>
>
>> Try this out:
>>
>> JSON.stringify({"foo":"bar", "3": "three", "2":"two", "1": "one"});
>>
>> You get this in Chromium 34, Firefox Nightly, and IE 11:
>>
>> {"1":"one","2":"two","3":"three","foo":"bar"}
>>
>> and this in Python2, Python3 (if you do it the right way and use
>> OrderedDict):
>>
>> json.dumps(json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode("""{"foo":"bar", "3": "three", "2":"two", "1": "one"}"""))
>>
>> {"foo": "bar", "3": "three", "2": "two", "1": "one"}
>>
>>> Only a bad programmer would design a parser so it would output data
>>> in a different order than it was supplied in
>>
>> Your claim that input order is preserved in browser implementations is
>> false. :)
>>
>> Thus, any JSON Cleartext Signature that contains a number as a key will
>> fail to be created/verified between at least those programming
>> environments. I didn't check other programming environments like PHP5,
>> which I expect would be a horror show and only further underscore the
>> issue.
>>
>> -- manu
>>
>>
>
>

Received on Wednesday, 3 December 2014 10:06:52 UTC