
Re: IETF JSON Signature Options

From: Adam Roach <abr@mozilla.com>
Date: Thu, 7 Jun 2018 16:46:04 -0500
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments Working Group <public-payments-wg@w3.org>
Message-ID: <9a05bfa7-1597-1d6d-664c-fa8ebb1c44a3@mozilla.com>
I haven't been following the conversation about what might need to be 
signed or why, and my observation below shouldn't be read as an 
endorsement of a need to sign anything; however, in case the WG does go 
down the path of signing a JSON object, it should do so with complete 
information.


On 6/7/18 1:06 AM, Anders Rundgren wrote:
> Dear List,
>
> Several efforts have been initiated in order to create a more 
> JSON-friendly signature scheme where the data to be signed would 
> remain in JSON format rather than being Base64Url-encoded.
>
> However, it turns out that there is no real interest within the IETF 
> to pursue such ideas, effectively leaving the payment WG with a single 
> standardized solution:

My understanding is that the IETF declined to define a generalized 
canonicalization for JSON, due to the extreme complexity of both 
designing and implementing such a scheme that works in all general cases.

The lack of a generalized canonicalization does not prevent the 
definition of application-specific canonicalization of JSON data that 
takes advantage of the known structure of the JSON objects in question 
to create a simpler (and usually trivial) normalization procedure.

See RFC 8225, section 7 for an example of how this has been done elsewhere.

/a
Received on Thursday, 7 June 2018 21:46:29 UTC
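
Added example, not part of the original message or of any specification: a Python sketch of the application-specific canonicalization the message describes, for a flat object whose member set is known in advance. The schema, member names, sample values and the use of HMAC-SHA256 as a stand-in for a signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re

# Hypothetical schema: every member is a string restricted to characters
# that never need JSON escaping, so each value has exactly one encoding.
SCHEMA = {
    "amount": re.compile(r"[0-9]+\.[0-9]{2}"),
    "currency": re.compile(r"[A-Z]{3}"),
    "nonce": re.compile(r"[0-9a-f]{16}"),
    "payee": re.compile(r"[a-z0-9.-]{1,64}"),
}

def _no_duplicates(pairs):
    # Parsers disagree on which duplicate wins, so reject them outright.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate member name")
    return dict(pairs)

def canonicalize(text):
    """Parse received JSON text and return its canonical bytes."""
    obj = json.loads(text, object_pairs_hook=_no_duplicates)
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected or missing member")
    for name, pattern in SCHEMA.items():
        value = obj[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {name}")
    # Flat object, escape-free strings: sorted member names and no
    # whitespace is the whole normalization procedure.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("ascii")

def sign(text, key):
    return hmac.new(key, canonicalize(text), hashlib.sha256).hexdigest()

def verify(text, key, tag):
    try:
        expected = sign(text, key)
    except ValueError:  # also covers malformed JSON
        return False
    return hmac.compare_digest(expected, tag)

# Constructed sample data: the same object in two different serializations.
KEY = b"constructed-demo-key"
SAMPLE_A = '{"payee":"shop.example","amount":"12.50","currency":"EUR","nonce":"00112233aabbccdd"}'
SAMPLE_B = '{ "nonce": "00112233aabbccdd",\n  "currency": "EUR", "amount": "12.50", "payee": "shop.example" }'
```

Because amounts travel as constrained decimal strings rather than JSON numbers, the sketch never has to decide how a number is formatted, which is one of the harder parts of a general-purpose canonicalization.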