- From: Harry Halpin <hhalpin@w3.org>
- Date: Tue, 06 Dec 2011 19:49:55 +0100
- To: Ron Garret <ron@flownet.com>
- CC: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>
On 12/06/2011 04:31 AM, Ron Garret wrote:
> On Dec 5, 2011, at 6:51 PM, Anders Rundgren wrote:
>
>> The following is related to DOMCrypt and similar...
>>
>> http://tools.ietf.org/html/rfc4627
>
> It is? What does JSON have to do with DOMCrypt?

Currently, while DomCrypt is a JS API, it does not use the formats specified by the JOSE WG, which is producing specs like JWT [1], but just straight unformatted arrays that can be converted to formats like those specified by JOSE or even to ASN.1.

>> Having a strong background in XML schema authoring I'm slightly
>> puzzled by the enthusiasm of using "secure" objects that (seem) to
>> have no notion of explicit (built-in) name-spaces or a description
>> language.
>
> I'm puzzled in what sense you think that JSON is "secure". The only security claim made for JSON that I know of is that it can be safely parsed by the Javascript eval() function.

Please read this paper [2]. The complexity and ambiguity of parsing Common Names, and the inconsistencies amongst implementations (most likely due to ambiguity in the specs or the difficulty of parsing ASN.1), lead to a number of very dangerous attacks, some of which actually happened in browsers. Therefore, a simple syntax that can be easily and uniformly implemented reduces attacks.

> Can you please clarify why you think this is relevant to this group?

Note the dependency on the JOSE WG in the charter again. If we do need higher-level data formats, we will use JSON rather than ASN.1.

cheers,
harry

[1] http://tools.ietf.org/wg/jose/
[2] http://www.ioactive.com/pdfs/PKILayerCake.pdf

> rg
>
>
Received on Tuesday, 6 December 2011 18:49:50 UTC