Comments (9)
@kdenhartog ^^
from aries-rfcs.
@SmithSamuelM Here is Kyle's doc that recommends a similar mechanism (the one that @TelegramSam suggested should be used as a stopgap). https://github.com/kdenhartog/indy-hipe/blob/d421fc77bae87c780aad346d15c0c49939adc281/text/digital-signatures/README.md
from aries-rfcs.
these are essentially the same. Its signing a base64 serialization. My concern was that might be attempting to canonicalize JSON and sign that . Which is fraught with potential problems.
from aries-rfcs.
I've heard that canonicalisation of JSON is a real problem, but I've never understood the depth of the problems it introduces. Do you have details into what are the tradeoffs with canonicalising JSON? FWIW, I just used base64 serialisation because it was used in JOSE and I didn't want to deviate.
from aries-rfcs.
JSON and Javascript objects (data structures) are based on an underlying data structure called a hash table or dictionary. Historically hash tables entries store data as (key: value ) pairs. Each key has a value. The ordering of the keys in the dictionary is not ordered in any predictable way. (Not alphabetic nor in order of entry). The order is considered practically to be indeterminate. This underlying lack of ordering means that the serialization of a dictionary via JSON may have the order of the (key: value) pairs change when it converts from a serialization to a hash table and then back again resulting in a different serialization. A different serialization will have a different signature so any signatures may be invalidated by the conversion. Tooling for JSON does not preserve ordering when converting to from JavaScript objects. Similarly JSON only cares that the entries in the dictionary are preserved as in the set of (key: value) pairs not the ordering. Nor does JSONcare what white space is included in the serialization as long as it converts to the same set (dictionary) of key: value pairs. All of these characteristics mean that converting from a JSON serialization to a JavaScript Object (or the equivalent in some other computer language) and then back again into a JSON serialization (round tripping) is not guaranteed to produce the same JSON serialization. So digital signatures or digital hashes of the serialization also will not be guaranteed to remain valid after the round trip. So any scheme that unserializes and reserializes may break any digital security measures. Canonicalization is an attempt to enforce a strict round trippable JSON serialization that preserves the exact set of bytes so that signatures and hashes will also be valid. This means the off the self JSON tooling endemic in Web 2.0 cannot be used but special purpose tooling must be used that converts Javascript objects to ordered dictionaries and then to JSON with known white space. It’s doable but means off the shelf tooling won’t work. It’s swimming upstream. The point of using JSON in the first place is to leverage existing tooling, so adding the requirement for a canonical JSON is not leveraging existing tooling. One might as well use a custom serialization format as to use canonical JSON.
from aries-rfcs.
Agreeing with Sam, this is why we've chosen to say that what's signed is a string that contains JSON, rather than a JSON structure itself. This takes canonicalization off the list of concerns.
from aries-rfcs.
@SmithSamuelM Thank you for the excellent detail. This helps quite a bit in my understanding and I definitely agree that this causes quite a bit of hassle.
I'm sure I'll be referencing people to this comment multiple times in the future.
As far as this issue goes, What would you like to see as the action in order to close this out?
from aries-rfcs.
I think it can be closed
from aries-rfcs.
Thanks for the information on here and I'm glad we're aligned on the general direction. I'll be sure to loop you in to the conversations as I'm proposing updates to DIDComm.
from aries-rfcs.
Related Issues (20)
- RFC 0592 Proof Request includes nonce that is also required for a proof proposal HOT 2
- Outdated "problem_report" in Connection Protocol HOT 2
- Inconsistency in DIDComm mime-type HOT 1
- Issue Credential: initiate with issue message HOT 10
- Eliminate the use of %VER in the RFCs in favor of the explicit version in the method IDs
- Credential attribute for images/photos HOT 4
- [string](string) does not exist
- Add "watermark" to the Meta Overlay in the OCA for Aries RFCs HOT 1
- Message Content Type HOT 2
- Signal holder app when a transaction is done
- Credential Metadata about how to get a credential
- #0453 V2 issue-credential: review HOT 2
- Clarification on encoding format of attachment data in `Delivery` message of RFC-0685-pickup-v2 HOT 1
- Out of band - proposing change ( `services` VS `from` ) HOT 1
- Clarity on nullability of `credential_preview` in issue-credential-v2 offers (Aries RFC 0453) HOT 8
- add clarification to RFC 0510 on how to use with JWT VPs
- Is a JSON string valid to be used in attachment data `json`?
- Special case of threading in didexchange #0023 ? HOT 9
- Using `oobUrl` in `didcomm://` deeplink for linking with shortened url HOT 6
- List of additions to the published Aries RFCs mkdocs/gh-pages Website
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aries-rfcs.