- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 29 Aug 2013 23:47:40 -0400
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- CC: public-webpayments@w3.org
On 08/29/2013 12:51 AM, Anders Rundgren wrote:
> Therefore I
> created system that writes and reads JSON from Java. In addition, I
> adopted a scaled-down version of XML DSig's enveloped-signatures.

Did you look at the Secure Messaging spec (digital signatures for JSON-LD)? It looks pretty close to what you've done. Here's a fairly complete comparison between JOSE and Secure Messaging signatures:

http://manu.sporny.org/2013/sm-vs-jose/

> The concept of enveloped signatures have been slammed by some people
> due to a belief that canonicalization issues will be hard.

What do you do with floating point numbers? What do you do w/ leading zeros in integers? What are the quoting requirements for map keys? How are the keys sorted? What do you do with control characters in whitespace CRLF vs CR? Tabs? vertical tabs? What do you do with trailing commas? What escape sequences are supported?

If you don't have answers to at least all of these questions, your solution doesn't work. :)

> Why bother with this you may wonder? Well I can't imagine converting
> the previous cool stuff to something yucky like JOSE's JWS:

That's one of the issues that we had with JOSE JWS.

> Canonicalization (=removal of whitespace):

Canonicalization isn't just the removal of whitespace, there are a number of other concerns (outlined above).

Interested in hearing what you have to say about Secure Messaging and JSON-LD digital signatures.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Friday, 30 August 2013 03:48:07 UTC
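
The canonicalization questions in the message above, worked through as an added example. It is not part of the original email and is neither the Secure Messaging algorithm nor the scheme Anders describes. The documents, function names and the "canonical form" used here (sorted keys, no whitespace, literal non-ASCII) are assumptions chosen only to show which differences a naive canonicalizer removes and which it leaves open.

```python
import hashlib
import json


def digest(text: str) -> str:
    """SHA-256 over the exact bytes a signer or verifier would hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonicalize(text: str) -> str:
    """Illustrative canonical form only: parse, sort keys, strip
    insignificant whitespace, emit non-ASCII characters literally."""
    return json.dumps(json.loads(text), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False)


def rejected(text: str) -> bool:
    """True if this parser refuses the input outright."""
    try:
        json.loads(text)
        return False
    except json.JSONDecodeError:
        return True


# Constructed samples: the same data, serialized differently (key order,
# CRLF and indentation, \u escapes vs literals, exponent notation).
DOC_A = '{"amount": 10.5, "payee": "Andr\\u00e9", "memo": "a\\tb"}'
DOC_B = ('{\r\n  "memo": "a\\u0009b",\r\n  "payee": "André",'
         '\r\n  "amount": 1.05e1\r\n}')

# Constructed samples: numerically equal values that this canonical
# form does NOT unify, because the parser keeps int and float apart.
DOC_INT = '{"amount": 10}'
DOC_FLOAT = '{"amount": 10.0}'


def report() -> dict:
    return {
        "raw_equal": digest(DOC_A) == digest(DOC_B),
        "canonical_equal":
            digest(canonicalize(DOC_A)) == digest(canonicalize(DOC_B)),
        "int_vs_float_equal":
            canonicalize(DOC_INT) == canonicalize(DOC_FLOAT),
        "leading_zero_rejected": rejected('{"amount": 010}'),
        "trailing_comma_rejected": rejected('{"amount": 10,}'),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The `int_vs_float_equal` result is the point of the floating-point question: unless the canonical form fixes one number representation, a signature made over `10` will not verify after a round trip through a serializer that writes `10.0`.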