Re: [Json] JSON Concluded? Well, maybe not
Richard Gibson <richard.gibson@gmail.com> Wed, 03 January 2018 17:25 UTC
Return-Path: <richard.gibson@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46B3C124BFA for <json@ietfa.amsl.com>; Wed, 3 Jan 2018 09:25:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oT2Jc0FXifwx for <json@ietfa.amsl.com>; Wed, 3 Jan 2018 09:25:05 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5964F1241F5 for <json@ietf.org>; Wed, 3 Jan 2018 09:25:05 -0800 (PST)
Received: by mail-wm0-x22e.google.com with SMTP id n138so3910726wmg.2 for <json@ietf.org>; Wed, 03 Jan 2018 09:25:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=r1JZKaISdC0/klppAaslxtt62nTZ514Cyg2plxuPpPA=; b=tt8vOAqViDlSzNvbKRvxYX6QMsIAKkmb7p4djR2pUN/g2LWVlNaJAksJveHrArlc/m MyS/SmjS4f2WcBhYFSr1E3nxf49E0PirNEngviv137KXdCEeO5m6gVJFwHPQjojv5gP3 D5N/0jlLgbfB6+RZGEFaxtOZWt5SWlIZ+EbIGq/QxBhJtVpDxJJwY4ygq+MwsLzHrKNh WeJBjAvEq3IjIwSif4CWqdyN4WSG4zeWM4/Lf4pTcjUUduXkt8ws8uUFcJy76b03cgvr ixiFnWCsMZHomuM9W9xIzh1vo9LZuZXCWXW0zik/B8fi+a0mhSvgtnKU/UVGzGCilB13 skmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=r1JZKaISdC0/klppAaslxtt62nTZ514Cyg2plxuPpPA=; b=jd/xE908VPmucYOB2OhWpfws+6g49rz+SRIvLTdP1jta0vQ/qjwlnuXJKPgWFZivyn rJ8k+C7j14Zd9nMgnhcJwxzvGX8BICNx7LzsStyX16MM4WAEUmXviK2/a77MnldDIErK Ikj3wB0vlDDQJpuIctulDacwAIZLzY4+2sUpljNplB6MdO5P7bDSwSJaTyfEJ+tTUuXb cDqg9YtljtO1vovqIX+lXtpgY1ykPBcHtJni41UrD0LouVRuVwegV9mygZSX7Dopnhl8 hinM95Wn3VT5l4UxGNg5/Qd5ERLIfDQAwVQA34eEMS/jeHssNEOIfBvTXf4QT/bVhutL znxQ==
X-Gm-Message-State: AKGB3mKm5luAIZ/KjCr3wCE1z81eo/XzhZZAf6s8EUC9oDOGYJHd3OVn v5tNjKNyLycm5RwRxbIOMH2lX4Bsj5H8/5UaLkE=
X-Google-Smtp-Source: ACJfBovOvUzhQ7vJQRbxMS+8T/FMFEQzzlqWAaKkyt8OcpZaRMyFajqQEztbt33tBoldVXPz1s+qa2GpY87OKQ+p5LU=
X-Received: by 10.28.178.85 with SMTP id b82mr1887644wmf.47.1515000303727; Wed, 03 Jan 2018 09:25:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.160.189 with HTTP; Wed, 3 Jan 2018 09:25:02 -0800 (PST)
In-Reply-To: <15337fea-5cec-0306-939b-df40b3a367d6@gmail.com>
References: <13860352-ef8e-1d4b-2eff-27e275c25e3a@gmail.com> <CALH+fvqBGu0i=LcciYgOLSwbQJXfqgcXTdd=rxvfHfqiRyBj7g@mail.gmail.com> <CAHBU6itC+XAKhc_m_ywG5O2bpky9DnmzfiNVqP3WrxLaE7uenA@mail.gmail.com> <92077f95-5dd6-3f5b-4765-d14067f698ac@dret.net> <CADEL5zshRaHtVNAtNggwHaPKP9xWeePcBZcQc1EM8SEfUu41Uw@mail.gmail.com> <CALH+fvqkBkQCiXfx1cxXaX092sbW6fgUmUizXP1f=ScMZ3bBqQ@mail.gmail.com> <cb1ce20d-67f0-f4f4-8077-57c3d3f232b7@gmail.com> <CALH+fvqpaT0b8AfPigk93Fy5hhWFthiFJSfaMmkttpMgqiMvQw@mail.gmail.com> <15337fea-5cec-0306-939b-df40b3a367d6@gmail.com>
From: Richard Gibson <richard.gibson@gmail.com>
Date: Wed, 03 Jan 2018 12:25:02 -0500
Message-ID: <CALH+fvrmLf0qwhWYn2YQx7f=jzo9O00tcJmMiGgG32wjXf9gHA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: JSON WG <json@ietf.org>
Content-Type: multipart/alternative; boundary="001a11444aecf038100561e27e11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/json/oP3Dny4TcfUXPa1hht7l59UKI10>
Subject: Re: [Json] JSON Concluded? Well, maybe not
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 17:25:09 -0000
I'm really not sure where the disconnect between us is coming from... JSON specifies unordered keys for objects, arbitrary-precision numbers, and strings that can contain code points excluded from UTF-8. As such, ECMAScript JSON.stringify is *not* suitable for JSON canonicalization, though it may suffice for certain Javascript-centric or otherwise restricted subsets thereof as addressed by JOSE. I believe that a general solution like http://gibson042.github.io/canonicaljson-spec/ is needed to avoid this seemingly endless series of special cases [1] [2] [3] [etc] (including those that have nothing to do with cryptographic signatures or encryption), and therefore wish to work towards an RFC describing it. There's no problem if you're uninterested, or even if you believe that a general solution is unwarranted, but there _is_ a problem if you believe that JSON.stringify already provides one. [1]: https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00 [2]: https://tools.ietf.org/html/rfc7638#section-3.3 [3]: https://keybase.io/docs/api/1.0/canonical_packings#json [etc]: http://wiki.laptop.org/go/Canonical_JSON On Wed, Jan 3, 2018 at 2:06 AM, Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > On 2018-01-02 17:33, Richard Gibson wrote: > > <snip> > > JSON.stringify assumes information that is explicitly not conveyed by JSON >> (in which an object is "an unordered collection of zero or more name/value >> pairs") [1], and both its number serialization [2] >> and string serialization [3] specify aspects that harm compatibility >> (the former having arbitrary value-dependent branches, the latter being >> capable of producing invalid UTF-8 octet sequences that represent unpaired >> surrogate code points—unacceptable for exchange outside of a closed >> ecosystem [4]). JSON is a general language-agnostic interchange format, >> and ECMAScript JSON.stringify is *not* a JSON canonicalization solution. >> >> [1]: https://tools.ietf.org/html/rfc8259#section-1 >> [2]: http://ecma-international.org/ecma-262/7.0/#sec-tostring-app >> lied-to-the-number-type >> [3]: http://ecma-international.org/ecma-262/7.0/#sec-quotejsonstring >> [4]: https://tools.ietf.org/html/rfc8259#section-8.1 >> > > JSON is a format defined the IETF and ECMA in some kind of cooperation. > > ECMA's ECMAScript defines a set of ("fairly" easy to implement) JSON > processing rules which are fully compatible [1] with the JSON format. > > The idea using ES6+ number normalization was originally proposed by an > esteemed member of the now concluded JOSE WG: > https://www.ietf.org/mail-archive/web/jose/current/msg05323.html > > Following that path, I (accidentally) discovered the "missing link", > ES6+'s preservation [2] of the original property ordering which in my mind > is quite logical [3] for "ordinary" JSON usage as well. > > A Java based reference implementation has been successfully tested against > Chrome, Node.js, Firefox and Safari. > > Feel free taking a test ride on: https://mobilepki.org/jose-jcs/home > Note that it outlaws signing a JSON "Number" expressed as "1.0" since the > correct (according to ES6+) representation is "1". > > Anders > > 1] possibly with the exception of "unpaired surrogate code points" which I > admittedly know zilch about > 2] with properties named as integers as a for practical purposes > insignificant exception > 3] Making data come out in the order it was specified addresses human > aspects like debugging and documentation of JSON data >
- [Json] JSON Concluded? Well, maybe not Anders Rundgren
- Re: [Json] JSON Concluded? Well, maybe not Richard Gibson
- Re: [Json] JSON Concluded? Well, maybe not Tim Bray
- Re: [Json] JSON Concluded? Well, maybe not Phillip Hallam-Baker
- Re: [Json] JSON Concluded? Well, maybe not Erik Wilde
- Re: [Json] JSON Concluded? Well, maybe not Anders Rundgren
- Re: [Json] JSON Concluded? Well, maybe not Richard Gibson
- Re: [Json] JSON Concluded? Well, maybe not Phillip Hallam-Baker
- Re: [Json] JSON Concluded? Well, maybe not Anders Rundgren
- Re: [Json] JSON Concluded? Well, maybe not Phillip Hallam-Baker
- Re: [Json] JSON Concluded? Well, maybe not Anders Rundgren
- Re: [Json] JSON Schema (Was: JSON Concluded? Well… Pete Cordell
- Re: [Json] JSON Concluded? Well, maybe not Phillip Hallam-Baker
- Re: [Json] JSON Concluded? Well, maybe not Anders Rundgren
- Re: [Json] JSON Concluded? Well, maybe not Richard Gibson
- Re: [Json] JSON Concluded? Well, maybe not Anders Rundgren
- Re: [Json] JSON Concluded? Well, maybe not Richard Gibson
- Re: [Json] JSON Concluded? Well, maybe not Anders Rundgren