- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sat, 28 Jan 2023 08:38:57 +0100
- To: Orie Steele <orie@transmute.industries>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Although I'm one of the designers of JCS (RFC8785), I got slightly tired of the disapproval by the IETF security elite who insist that neither XML Dsig, nor schemes based on JCS work (*). "Canonicalization is an altogether bad idea".

Due to that I gave up on my baby (JCS), and went "all-in" on CBOR which doesn't suffer from this problem as well as dealing with binary data in a better way than its predecessors. Through "Diagnostic Notation", the downsides of the binary format became virtually non-existing.

https://github.com/cyberphone/cbor-everywhere

Cheers,
Anders

*) XML DSig is used in any number of systems including for securing S€PA transactions. But it is true that XML canonicalization is not for the faint-hearted :) JCS is a magnitude simpler but canonicalization of JSON numbers is still out of scope for mere mortals (to which I consider myself belonging).

On 2023-01-28 4:10, Orie Steele wrote:
Received on Saturday, 28 January 2023 07:39:11 UTC