JWS signs a byte stream, not JSON. If you want to use a JWS to sign JSON data it is your responsibility to ensure that both sides produce an equivalent byte stream.

On Wed, Oct 10, 2018 at 3:04 PM Bret Jordan <[email protected]> wrote:

> Dear WG,
>
> I was reading through RFC 7515 to see if it would work for a project I am
> working on. Basically the need to sign and resign a JSON object. However,
> in RFC 7515 there does not seem to be any definition for serializing a
> canonical form of JSON. This means that two organizations that serialize it
> differently would produce two different signatures.
>
> Super simple example
>
> { "type" : "house", "size" : "1000 sq feet" }
>
> Or
>
> {
>   "type" : "house",
>   "size" : "1000 sq feet"
> }
>
> Or
>
> {"type":"house","size":"1000 sq feet"}
>
> Or (tabs not spaces)
>
> {
> 	"type" : "house",
> 	"size" : "1000 sq feet"
> }
>
> All four of these JSON structures would produce a different signature as
> defined by RFC 7515. What am I missing?
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
