I like Samuel Erdtman's idea of starting with an open-source implementation. If I see one of those, with a convincing set of test cases, I'd be inclined to make the case for spinning up a working group.
The argument isn't "Would it be useful?" it's "Can it be done?" So, start by proving it can.

On Mon., Oct. 29, 2018, 1:33 a.m. Anders Rundgren <[email protected]> wrote:

> On 2018-10-28 21:32, Samuel Erdtman wrote:
> > In my opinion we can create a good canonicalization format for JSON to be used to sign cleartext JSON.
> >
> > As can be seen on this list many are skeptical so my approach would be to publish easy to use open source implementations.
>
> Yes, and part of that is supplying test data like:
> https://github.com/cyberphone/json-canonicalization/tree/master/testdata
> The Microsoft folks developing "Chakra" (their JS engine) already use the 100 million reference values.
>
> > If we do that and there is real interest then we might be able to convince people here about the need. In line with this ambition I have done the JS and Java publications. This might also show there is no actual interest and then that is also an outcome.
>
> Well, another part of the standards puzzle is getting early work into real products and services.
>
> FWIW, I'm personally involved in a couple of efforts using clear text JSON signatures:
> - Saturn, an open payment authorization scheme based on an enhanced "four corner" trust model which aims at giving banks an upper hand against Apple Pay, Google Pay, PayPal, etc.
> - Mobile ID, an open, PKI-based, multi-issuer mobile authentication and signature solution for e-governments.
>
> Regards,
> Anders
>
> > Best regards
> > //Samuel
> >
> > On Mon, Oct 22, 2018 at 8:44 AM Carsten Bormann <[email protected]> wrote:
> >
> > On Oct 22, 2018, at 04:47, David Waite <[email protected]> wrote:
> > >
> > > intermittent interoperability failures until a new language runtime release which revises the numerical print and parse functions
> >
> > Note that this is not a theoretical concern, as CVE-2010-4476 and CVE-2010-4645 amply demonstrate, nicely underscored by the re-occurrence of the latter in
> > https://www.exploringbinary.com/php-converts-2-2250738585072012e-308-incorrectly/
> >
> > Greetings, Carsten
> >
> > _______________________________________________
> > jose mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/jose
