Re: DeCanonicalization: (was JSONWebSignature2020 vs JcsEd25519Signature2022)

On Mon, Jan 30, 2023 at 12:20 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

<snipping>

Meanwhile, other canonicalization schemes, like the one used in HTTP
> Signatures, tend to sail through large groups like the HTTP WG where
> these "All Canonicalization is bad" folks haven't been able to block
> the work.
>

The original "cavage" scheme, which you co-authored, was first published
nearly 10 years ago. That was hardly the first scheme created; and I
imagine that work built on learnings before it.

After several revisions, it was adopted by the HTTPbis group nearly 3 years
ago, and has been revised 15 times since. The HTTPbis working group is (in
my personal opinion) the only group I could imagine knowledgeable enough to
result in a robust and safe specification in that space.

The challenges in retrofitting a canonicalization and signature system over
HTTP are significant, and (again, in my opinion) saying http signatures are
"sailing through" does a disservice to others involved in that work.

-DW

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

Received on Sunday, 5 February 2023 06:17:28 UTC