W3C home > Mailing lists > Public > public-credentials@w3.org > November 2014

JOSE Über Alles. Was: Digital Signatures for Credentials

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 21 Nov 2014 07:13:31 +0100
Message-ID: <546ED80B.7060603@gmail.com>
To: Harry Halpin <hhalpin@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org, Stéphane Boyera <boyera@w3.org>
Debate or not, XML DSig requires very complex and error-prone canonicalization
which probably was the reason why the JOSE folks removed canonicalization
altogether, by requiring that the data-to-be-signed is Base64URL-encoded.

I.e. the pendulum switched between two extremes.

Although some people seems to dislike "best practices" as foundations for
standards, I can attest that there is neither a need for canonicalization,
nor for Base64URL-encoding, a very simple character normalization scheme
suffices.  This is not just a statement, it has been thoroughly tested as well.

Yes, it does assume that that a JSON parser respect property order which
indeed is [technically] outside of the JSON specification but honored by
at least the browser parsers for an obvious reason:  Who wants their data
to come out in another order than it was supplied in???

For information-rich business-messaging currently powered by clear-text
XML and EDI schemes, force-feeding with Base64URL may prove to be a
slightly harder sell than the JOSE WG and W3C anticipated.

That is, claiming victory for JOSE for all markets and standards is premature.

Cheers,
Anders
Received on Friday, 21 November 2014 06:14:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:46:54 UTC