Re: JSON-RPC vs. YASMIN. Was: A Critical Analysis of REST APIs for "Transaction Systems"

On 2017-02-08 03:06, Tony Arcieri wrote:
> On Mon, Jan 30, 2017 at 7:49 AM, David Nicol <davidnicol@gmail.com> wrote:
>
>     having just read that linked document, it seems like the missing piece is a requirement for normalizing the JSON somehow before making the digest which will get signed. Strong normalization before digestion is needed to have meaningful signatures on JSON data. This can mean concatenating some subset of the elements of the message in some particular order -- essentially rewriting it as Bencoded, just to sign it -- or normalizing the JSON in such a way that the consumer of the JSON can renormalize the data structure they're going to get in such a way that they can check its digest, and then its signature.
>
>
> There's an alternative to canonicalization: content-aware hashing that's independent of the encoding.

I didn't fully catch how objecthash works but apparently it uses conventional canonicalization elements as well:
https://github.com/benlaurie/objecthash/blob/master/go/objecthash/objecthash.go#L90

In YASMIN/JCS this is automatic since it relies on the ES6 specification which actually
DOES NOT work as described here: https://www.npmjs.com/package/canonical-json

   "Properties of non-array objects are not guaranteed to be stringified in any particular order.
    Do not rely on ordering of properties within the same object within the stringification"

Anyway, it is a free world so we will probably see a rather big list of JSON signature schemes
since IETF's JOSE/JWS is fairly incompatible with the idea of using human readable formats.
The JOSE folks claim that there is no such thing as "Canonical JSON".

Some people will probably go for https://developers.google.com/protocol-buffers/ which eliminates
JSON's primitive JavaScript heritage.  The ASN.1 of the future?  Maybe.

Anders
Sticking to ES6

> Some examples are:
>
>   * Ben Laurie's objecthash: https://github.com/benlaurie/objecthash
>   * Peter Todd's proofmarshal: https://github.com/petertodd/python-proofmarshal/blob/master/__init__.py
>

Received on Wednesday, 8 February 2017 05:18:28 UTC
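
Added example (not part of the original message, and not code from YASMIN/JCS, objecthash or canonical-json): a Node.js sketch of the normalize-before-digest step discussed in the thread, next to an unsorted `JSON.parse`/`JSON.stringify` round trip that depends on ES6 property order. The function names and sample messages are constructed for illustration, and reading "relies on the ES6 specification" as that round trip is an assumption.

```javascript
// Added example; not code from YASMIN/JCS, objecthash or canonical-json.
const { createHash } = require("crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Normalization as described in the quoted message: re-serialize with member
// names sorted at every level, so signer and verifier digest identical bytes.
// Assumption: JSON.stringify's own string and number formatting is kept as-is.
function normalize(value) {
  if (Array.isArray(value)) return "[" + value.map(normalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((name) => JSON.stringify(name) + ":" + normalize(value[name]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value);
}

// Unsorted round trip: ES6 keeps string-named properties in creation order,
// but lists integer-like names first, in ascending numeric order.
const es6RoundTrip = (text) => JSON.stringify(JSON.parse(text));

// Constructed sample messages: same data, different member order and spacing.
const sent = '{"payee":"Acme","amount":"100.00","currency":"EUR"}';
const relayed = '{ "currency": "EUR", "amount": "100.00", "payee": "Acme" }';
// Constructed edge case: integer-like member names mixed with ordinary ones.
const numericNames = '{"b":1,"2":0,"a":1,"1":0}';

function demo() {
  const normalizedDigest = (text) => sha256(normalize(JSON.parse(text)));
  return {
    rawDigestsMatch: sha256(sent) === sha256(relayed),
    normalizedDigestsMatch: normalizedDigest(sent) === normalizedDigest(relayed),
    roundTripKeepsOrder: es6RoundTrip(sent) === sent,
    roundTripNumeric: es6RoundTrip(numericNames),
  };
}

console.log(demo());
```

A digest over the raw text changes when an intermediary reorders members; the sorted form does not, while the unsorted round trip is only stable when every party preserves order and member names are not integer-like.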