
JOSE Über Alles. Was: Digital Signatures for Credentials

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 21 Nov 2014 07:13:31 +0100
Message-ID: <546ED80B.7060603@gmail.com>
To: Harry Halpin <hhalpin@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org, Stéphane Boyera <boyera@w3.org>

Debate or not, XML DSig requires very complex and error-prone canonicalization
which probably was the reason why the JOSE folks removed canonicalization
altogether, by requiring that the data-to-be-signed is Base64URL-encoded.

I.e. the pendulum switched between two extremes.

Although some people seem to dislike "best practices" as foundations for
standards, I can attest that there is neither a need for canonicalization,
nor for Base64URL-encoding; a very simple character normalization scheme
suffices.  This is not just a statement, it has been thoroughly tested as well.

Yes, it does assume that a JSON parser respects property order which
indeed is [technically] outside of the JSON specification but honored by
at least the browser parsers for an obvious reason:  Who wants their data
to come out in another order than it was supplied in???

For information-rich business-messaging currently powered by clear-text
XML and EDI schemes, force-feeding with Base64URL may prove to be a
slightly harder sell than the JOSE WG and W3C anticipated.

That is, claiming victory for JOSE for all markets and standards is premature.

Received on Friday, 21 November 2014 06:14:01 UTC
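
Added example, not part of the original message: a Python sketch contrasting the two approaches the message discusses, a JWS-style signature over Base64URL text and a clear-text JSON signature that depends on the parser keeping property order. The clear-text scheme here is a simplified stand-in, not the scheme the message refers to; the key, the sample order and all function names are constructed, and HMAC-SHA256 stands in for any signature algorithm.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key
ORDER = {"to": "Example Corp", "item": "widget", "amount": 3}  # constructed sample message

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def mac(data: bytes) -> str:
    return b64url(hmac.new(KEY, data, hashlib.sha256).digest())

def compact(obj: dict, sort_keys: bool = False) -> bytes:
    # Whitespace-free serialization in the order the dict currently holds.
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False,
                      sort_keys=sort_keys).encode("utf-8")

# JOSE style: the signed bytes are Base64URL text, so no parser can alter them,
# but the payload is no longer readable on the wire.
def jws_sign(payload: bytes) -> str:
    signing_input = b64url(b'{"alg":"HS256"}') + "." + b64url(payload)
    return signing_input + "." + mac(signing_input.encode("ascii"))

def jws_verify(token: str) -> bool:
    signing_input, _, sig = token.rpartition(".")
    return hmac.compare_digest(sig, mac(signing_input.encode("ascii")))

# Clear-text style (assumed scheme): the signature is a property of the object,
# computed over a re-serialization of the other properties in parsed order.
def cleartext_sign(obj: dict) -> str:
    signed = dict(obj, signature=mac(compact(obj)))
    return compact(signed).decode("utf-8")

def cleartext_verify(message: str, sort_keys: bool = False) -> bool:
    obj = json.loads(message)          # Python dicts keep the document's order
    sig = obj.pop("signature")
    # sort_keys=True simulates a parser or serializer that does not keep order.
    return hmac.compare_digest(sig, mac(compact(obj, sort_keys)))

if __name__ == "__main__":
    msg = cleartext_sign(ORDER)
    print(msg)                                    # payload stays readable
    print(cleartext_verify(msg))                  # order preserved
    print(cleartext_verify(msg, sort_keys=True))  # order lost, check fails
    print(jws_verify(jws_sign(compact(ORDER))))
```

Re-indenting the clear-text message does not break verification because the verifier re-serializes before checking; any reordering of properties does.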
