W3C home > Mailing lists > Public > public-webpayments@w3.org > August 2013

Re: Giving up on XML DSig => JSON

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 29 Aug 2013 23:47:40 -0400
Message-ID: <522015DC.9090609@digitalbazaar.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
CC: public-webpayments@w3.org
On 08/29/2013 12:51 AM, Anders Rundgren wrote:
> Therefore I
> created system that writes and reads JSON from Java. In addition, I
> adopted a scaled-down version of XML DSig's enveloped-signatures.

Did you look at the Secure Messaging spec (digital signatures for
JSON-LD)? It looks pretty close to what you've done. Here's a fairly
complete comparison between JOSE and Secure Messaging signatures:


> The concept of enveloped signatures have been slammed by some people
> due to a belief that canonicalization issues will be hard.

What do you do with floating point numbers?

What do you do w/ leading zeros in integers?

What are the quoting requirements for map keys?

How are the keys sorted?

What do you do with control characters in whitespace CRLF vs CR? Tabs?
vertical tabs?

What do you do with trailing commas?

What escape sequences are supported?

If you don't have answers to at least all of these questions, your
solution doesn't work. :)

> Why bother with this you may wonder?  Well I can't imagine converting
> the previous cool stuff to something yucky like JOSE's JWS:

That's one of the issues that we had with JOSE JWS.

> Canonicalization (=removal of whitespace):

Canonicalization isn't just the removal of whitespace, there are a
number of other concerns (outlined above). Interesting in hearing what
you have to say about Secure Messaging and JSON-LD digital signatures.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
Received on Friday, 30 August 2013 03:48:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:24 UTC