
A Crypto-compliant JSON Implementation

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 7 Oct 2015 09:51:59 +0200
To: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <5614CF1F.5050707@gmail.com>

Although maybe not a topic for the W3C, I would anyway like (for those who don't follow the IETF-JOSE list) to describe a JSON implementation which enables "Signed JSON".

Didn't the JOSE WG just finish that? No, the JOSE WG has created a set of JSON-flavored and URL-friendly cryptographic containers where the actual data has no relation to JSON; it is rather Base64URL-encoded to be neutral to the content.

Anyway, for me, working on payment systems and similar where signed JSON messages are wrapped by other signed JSON messages like "Russian dolls", Base64 simply wasn't an option.

How much did I have to "violate" the JSON specification to accomplish this? Not a single bit.

The reference implementation simply parses properties using LinkedHashMap (to maintain a predictable order) plus a minute fix for numbers by keeping a copy of the original textual representation in the background for serialization. That is, there is no canonicalization code to be found; serialization is all you need.

This also has the benefit that properties are serialized in the same order as they are created, which is a feature often requested by the JSON community at large, which isn't too surprising since XML elements, EDI, ASN.1, and plain-text always had this quality.

Received on Wednesday, 7 October 2015 07:52:41 UTC
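The scheme the mail describes (order-preserving parse, numbers kept as their original text, no canonicalization step, signed messages nested inside signed messages), as an added Python example that is not the reference implementation; Python's insertion-ordered dict plays the role of LinkedHashMap, and an HMAC with a constructed key stands in for the real signature:

```python
import hashlib
import hmac
import json

DEMO_KEY = b"demo-key-not-for-production"  # constructed key for the example only


class RawNumber:
    """A JSON number that remembers its original text ('1.50', '1e3', ...)
    so that re-serialization reproduces exactly the bytes that were signed."""
    def __init__(self, text):
        self.text = text


def parse(text):
    # dict keeps insertion order (like LinkedHashMap); numbers keep their lexeme.
    return json.loads(text, parse_int=RawNumber, parse_float=RawNumber)


def serialize(value):
    """Deterministic serializer: no whitespace, properties in stored order,
    numbers emitted verbatim. Nothing else is needed to get stable bytes."""
    if isinstance(value, RawNumber):
        return value.text
    if isinstance(value, dict):
        return "{" + ",".join(json.dumps(k) + ":" + serialize(v) for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ",".join(serialize(v) for v in value) + "]"
    return json.dumps(value)  # str, bool, None


def sign(obj, key=DEMO_KEY):
    """Return a copy of obj with a 'signature' property appended last."""
    mac = hmac.new(key, serialize(obj).encode(), hashlib.sha256).hexdigest()
    signed = dict(obj)  # copy preserves property order
    signed["signature"] = mac
    return signed


def verify(obj, key=DEMO_KEY):
    """Re-serialize everything except 'signature' and recompute the MAC."""
    body = {k: v for k, v in obj.items() if k != "signature"}
    expected = hmac.new(key, serialize(body).encode(), hashlib.sha256).hexdigest()
    sig = obj.get("signature")
    return isinstance(sig, str) and hmac.compare_digest(expected, sig)


def demo():
    # Constructed sample: a signed inner message wrapped in a signed outer message.
    inner = parse('{"amount": 1.50, "currency": "EUR", "ref": 1e3}')
    outer = parse('{"merchant": "shop-42", "ts": 1444204319}')
    outer["order"] = sign(inner)
    wire = serialize(sign(outer))      # text sent on the wire
    received = parse(wire)             # receiver re-parses the text as-is
    return (verify(received), verify(received["order"]),
            "1.50" in wire,            # number lexeme survived the round trip
            verify(parse(wire.replace("1.50", "1.5"))))  # altered bytes fail
```

Note that a parser which turned 1.50 into 1.5, or reordered properties, would break verification even though the value is numerically unchanged; that is precisely why the original text and order must be retained.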
