Re: Note on JSON signing

On 2016-03-14 12:27, Adrian Hope-Bailie wrote:
> To verify the signature on some data you need to be able to
 > reproduce the data that was originally signed exactly as it was at that time.
>
> JSON is problematic because it's not always passed around as a string.
 > Intermediary systems may interpret that string as a Javascript object
 > and then serialize it again as a string when it is sent onward. That process
 > has the potential to change the serialized form of the data (without changing
 > it's meaning) because it is not always serialized in exactly the same way (ordering of fields etc).
>
> So a valid signature may fail verification against JSON data that has been passed around a bit.

Correct.

I'm of course aware of that but I also firmly believe that the concept which I call
"Predictive Serialization" is here to stay after its introduction (not the name) in
ES6 (the JavaScript that runs in most browsers).

That is, anybody using such a scheme, be it JCS or something else, should carefully
evaluate the JSON tools available for the intended platform(s).

I made it slightly easier for myself by writing everything from scratch.  This may
sound like a bad idea but since Java doesn't come with a JSON parser it was a no-brainer.
This was also (more or less) necessary for the rather intense development of JCS.

I'm personally trying to speed-up the "acceptance" process for the concept:

https://github.com/golang/go/issues/14135#issuecomment-177265555
https://bugs.php.net/bug.php?id=71473
https://github.com/simplejson/simplejson/issues/133#issuecomment-177272525
https://github.com/dotnet/corefx/issues/5647

IETF's JWS is great for what it was designed for, but maybe not everything else:
https://cyberphone.github.io/openkeystore/resources/docs/jsonsignatures.html

Cheers,
Anders Rundgren
https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode

Received on Monday, 14 March 2016 13:02:22 UTC