Da Capo: JSON "clear text" signatures

Anders Rundgren anders.rundgren.net at gmail.com
Mon Jan 29 14:15:17 UTC 2018

On 2018-01-29 14:52, Hannes Wallnöfer wrote:
> Hi Anders,
> I think I lack the context required to understand what you’re asking for. Can you explain how transmitting numbers/doubles in JSON should work and how the static method you’re asking for would enable this?

Sure.  Signatures depend on that data appears identical on both sides (sender + receiver).
If one side outputs the integer 10 as 10.0 (which is OK JSON-wise), the signature will break in an EcmaScript environment where it must be 10 and nothing else.
JSON tools would call the proposed static method rather than building their own number serializer.

Initially I thought number serialization was a simple problem but that was entirely wrong :-)
Fortunately the ECMA folks have the expertize needed and their solution is already supported in billions of devices.
Nashorn almost cuts it but only for JavaScript, not Java.

> Also, is there a document somewhere describing the IETF standardization work you’re talking about?

You will have to wait to next week (when it becomes public), but in the meantime you can take a look at the core "input specifications":


> Thanks,
> Hannes
>> Am 28.01.2018 um 10:48 schrieb Anders Rundgren <anders.rundgren.net at gmail.com>:
>> The JSON "clear text" signature initiative seems to (finally) be headed for IETF standardization.  The plan is having a BOF session at the next IETF in London.
>> This scheme builds on EcmaScript JSON processing rules for data normalization which only rely on JSON.parse() and JSON.stringify().
>> A thorny issue for implementers is though serializing the JSON "Number" type.
>> An with Node.js, Chrome, Firefox, Safari (unfortunately not entirely compatible...) solution is currently available in "Nashorn":
>> http://hg.openjdk.java.net/jdk8/jdk8/nashorn/file/096dc407d310/src/jdk/nashorn/internal/objects/NativeNumber.java
>> It would be great if such support could for example be included as a static method in java.lang.Double, making Java and EcmaScript/JavaScript 100% interoperable with respect to this feature, the rest is actually close to trivial.
>> thanx,
>> Anders
>> https://github.com/OAI/OpenAPI-Specification/issues/1464#issue-291622705

More information about the security-dev mailing list