- From: Chris Boscolo <chris@boscolo.net>
- Date: Mon, 29 Oct 2018 10:07:44 -0700
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Received on Monday, 29 October 2018 17:08:20 UTC
Manu,

Regarding your comment about the Canonicalization requirement:

This requirement is a problem because it forces a new requirement onto the JSON parser that many like myself don't think is a good idea.

For example, one thing we would love to see is for IoT devices to play a role in this new DID/VC world we are building. Many of these embedded systems already have a minimal JSON parser, as well as Base64 libraries and hardware encryption support. That means they could build a JWT version of DID/VC over the weekend (figuratively). Requiring them to update to a new JSON-parsing library to support this is a barrier to adoption.

BTW, as one who has developed protocol-level encryption software, the comment "ability to add non-signature-destroying whitespace" makes me cringe. It seems like it is just needlessly opening the door to a new attack vector.

-chrisb

On Mon, Oct 29, 2018 at 7:36 AM Manu Sporny <msporny@digitalbazaar.com> wrote:

>
> > - Canonicalization requirement
>
> Why is the requirement a problem? You could just shove the entire VC in
> a JWT, but then you lose all the benefits of canonicalization (such as
> syntax-agnostic signatures, ability to protect the entire message,
> ability to add non-signature-destroying whitespace, compatibility with
> schema.org, etc.).
>
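The two signing models contrasted in this thread, side by side, as an added example that is not code from the thread or from either participant: a JWS-style check authenticates the exact transmitted bytes before any JSON parsing, while a canonicalize-then-sign check must parse and re-serialize untrusted input first and accepts whitespace or key-order variants. Assumptions: HMAC-SHA256 with a constructed key stands in for the device's signing primitive, the sorted-key `canonicalize` is a simplified stand-in rather than the canonicalization algorithm the thread refers to, and the sample documents are constructed.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key (assumption, not from the thread)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload_bytes: bytes) -> str:
    """JWS compact form: the MAC covers the exact base64url text."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    signing_input = f"{header}.{b64url(payload_bytes)}"
    mac = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def jws_verify(token: str):
    """Check the MAC over raw bytes first; parse JSON only if it matches."""
    try:
        header, payload, sig = token.split(".")
        given = b64url_decode(sig)
    except ValueError:  # wrong segment count or bad base64
        return None
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(b64url_decode(payload))

def canonicalize(doc) -> bytes:
    # Simplified stand-in: sorted keys, no insignificant whitespace.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def canon_sign(doc_text: str) -> str:
    digest = hmac.new(KEY, canonicalize(json.loads(doc_text)), hashlib.sha256).digest()
    return b64url(digest)

def canon_verify(doc_text: str, sig: str) -> bool:
    """The parser runs on unauthenticated input before the MAC is checked."""
    try:
        expected = canon_sign(doc_text)
    except ValueError:  # malformed JSON
        return False
    return hmac.compare_digest(expected, sig)

# Constructed sample documents: same claims, different whitespace and key order.
COMPACT = '{"id":"did:example:123","claim":"over18"}'
SPACED = '{ "claim": "over18",\n  "id": "did:example:123" }'
```
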