- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 27 Oct 2014 06:45:00 +0100
- To: public-xmlsec-comments@w3.org
Hi XML DSig connoisseurs!

Although the JSON RFC says that preserving the order of properties shouldn't be counted on, the JSON implementations in browsers *seem* to do that anyway. This also means that at least on the browser-side there's no problem supporting clear-text signatures ( https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html ) like featured in the following authentic example created with Chrome and WebCrypto: https://openkeystore.googlecode.com/svn/wcpp-payment-demo/trunk/docs/messages.html#UserAuthorizesTransaction

Well, there *is* indeed one thing that doesn't work out-of-the-box and that is floating-point numbers: https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcsbrowsertest.html

For JSON applications using floating point numbers, IETF's JWS, "upgraded" parsers (like the one I have built), or putting floating point numbers in strings are the [currently] only ways ahead.

Note: The idea with JCS is in *no way* competing with IETF's JOSE standards but offering an alternative for those who (like me) are in the process of migrating traditional business applications from XML to JSON. If you apply JWS on the counter-signed message above I have a feeling that not everybody would be completely thrilled.

BTW, there's one thing I lack in the browser parsers which I have used extensively on the server-side and that is the ability to test that all properties actually have been read (=no unexpected). This can (at least for low-to-medium complex systems) together with strict "reader" code, pretty well compensate for the lack of a JSON schema.

Cheers,
AndersR
https://mobilepki.org/WebCryptoPlusPlus
Received on Monday, 27 October 2014 05:45:41 UTC
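
An added example, not part of the original message and not code from JCS or the openkeystore project: it shows which JSON texts survive a parse/re-serialize round trip in a JavaScript engine unchanged (the property a clear-text signature check depends on), and sketches the "all properties read" test the message asks for. The names `reserialize`, `roundTrips` and `StrictReader` are hypothetical, and the sample documents are constructed.

```javascript
// Added illustration; all sample documents are constructed.

// Parse and re-serialize, as a verifier relying on the browser parser would.
function reserialize(jsonText) {
  return JSON.stringify(JSON.parse(jsonText));
}

// True when the signed text survives the round trip character for character.
function roundTrips(jsonText) {
  return reserialize(jsonText) === jsonText;
}

// Hypothetical strict reader: typed property access plus a final check
// that no property was left unread (i.e. nothing unexpected was sent).
class StrictReader {
  constructor(obj) {
    this.obj = obj;
    this.seen = new Set();
  }
  get(name, type) {
    if (!Object.prototype.hasOwnProperty.call(this.obj, name)) {
      throw new Error("missing property: " + name);
    }
    const value = this.obj[name];
    if (typeof value !== type) {
      throw new Error("property " + name + " is not a " + type);
    }
    this.seen.add(name);
    return value;
  }
  unread() {
    return Object.keys(this.obj).filter((k) => !this.seen.has(k));
  }
  checkAllRead() {
    const left = this.unread();
    if (left.length > 0) {
      throw new Error("unexpected properties: " + left.join(", "));
    }
  }
}

const SAMPLES = {
  stringsOnly: '{"zeta":"1","alpha":"2","amount":"12.50"}', // order kept
  floats: '{"amount":12.50,"rate":1.0,"big":1e3}',          // numbers rewritten
  integerKeys: '{"b":"x","2":"y","1":"z"}',                 // keys reordered
};
```

The `integerKeys` sample covers a case beyond the message: JavaScript engines list integer-like property names first, in ascending order, so such keys do not keep their textual order.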