W3C home > Mailing lists > Public > public-webpayments@w3.org > September 2013

On-line Demo/Test of JSON Clear Text Signatures

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 07 Sep 2013 12:33:41 +0200
Message-ID: <522B0105.7030301@gmail.com>
To: public-webpayments@w3.org
https://mobilepki.org/jcs/home

Enjoy!

Canonicalization

Precondition: Valid JSON data as described on http://www.json.org has been received.

Restriction: The only permitted escape sequences are \\ and \" because JSON supplied as a part of a web-page must anyway be escaped according to web-rules, while JSON supplied through HTTP etc. only needs to be parsable.

Another reason for this somewhat radical decision is that the JSON world appears to be severely divided on escapes sequences in general:
http://stackoverflow.com/questions/6011012/making-json-not-escape-forward-slashes.

The canonicalization steps are as follows:
- Whitespace is removed which in practical terms means removal of all characters outside of quoted strings having a value <= ASCII space
- Properties are sorted in lexical UNICODE order using their unescaped form.  Zero-length properties are not allowed
- The JSON object associated with the Signature is recreated using the actual textual data.  Rationale: Numbers are ambiguously defined in JSON which means that encoding and decoding most likely will differ among JSON implementations.  There is another, more subtle issue as well.  If a sender for example assigns a large number such as 0.99999999999999999999 to a JSON property there is a possibility that a receiver due to limitations in arithmetic precision rather interprets it as 1.0.  To cope with these potential problems, a compliant parser must preserve the original textual representation internally in order to perform proper canonicalization

Anders
Received on Saturday, 7 September 2013 10:34:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:24 UTC