Re: JSON Description Language from David Dahl on 2011-12-08 (public-identity@w3.org from December 2011)

From: David Dahl <ddahl@mozilla.com>
Date: Wed, 7 Dec 2011 18:39:25 -0800 (PST)
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: public-identity@w3.org, Ron Garret <ron@flownet.com>
Message-ID: <125157870.32237.1323311965052.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

As of right now, the spec for DOMCrypt does not specify the underlying message and key data formats. That is TBD. All inputs and outputs are TypedArrays. I am just now picking up the existing Firefox patches to slowly adopt the current spec, and the data-format issue will no doubt come up quickly. For instance, the public key may just end up being a DER-encoded blob until we adopt something else. During some discussions with Adam and Brian Smith, we came to the conclusion that it may make more sense to not create or handle string data at all, rather leaving that for later WG discussion and feedback on implementation and actual use. 

That being said, the JOSE formats do appeal to me as a JSON enthusiast.

Cheers,

David

----- Original Message -----
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Ron Garret" <ron@flownet.com>
Cc: public-identity@w3.org
Sent: Monday, December 5, 2011 9:48:20 PM
Subject: Re: JSON Description Language

On 2011-12-06 04:31, Ron Garret wrote:
> 
> On Dec 5, 2011, at 6:51 PM, Anders Rundgren wrote:
> 
>> The following is related to DOMCrypt and similar...
>>
>> http://tools.ietf.org/html/rfc4627
> 
> It is?  What does JSON have to do with DOMCrypt?
> 
>> Having a strong background in XML schema authoring I'm slightly
>> puzzled by the enthusiasm of using "secure" objects that (seem) to
>> have no notion of explicit (built-in) name-spaces or a description
>> language.
> 
> I'm puzzled in what sense you think that JSON is "secure".  The only 
> security claim made for JSON that I know of is that it can be safely
> parsed by the Javascript eval() function.
> 
> Can you please clarify why you think this is relevant to this group?

DOMCrypt parses and generates JSON-formatted objects, right?

I suggested that such objects should have a unique name (space).  It costs
virtually nothing and would open the door to better language bindings
and simplified validation.

This need is by no means limited to "security objects" but writing security
protocols without such mechanisms doesn't IMHO completely feel like 2011.

Anders

> 
> rg
> 
>

Received on Thursday, 8 December 2011 02:40:06 UTC