
Canonical JSON may not be valid JSON

Open daurnimator opened this issue 4 years ago • 4 comments

All documents use a subset of the JSON object format, with floating-point numbers omitted. When calculating the digest of an object, we use the "canonical JSON" subdialect as described at http://wiki.laptop.org/go/Canonical_JSON

Canonical JSON may be invalid JSON: Canonical JSON says that control characters must not be escaped:

Because only two byte values are escaped, be aware that JSON-encoded data may contain embedded control characters and nulls.

Whereas JSON mandates that control characters are escaped.

I think this deserves a note in the specification, as normal JSON encoders and decoders cannot be used.

daurnimator avatar Feb 26 '20 12:02 daurnimator
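
The mismatch raised in the issue above, as an added example (not part of the original thread and not TUF project code): a minimal encoder following the OLPC Canonical JSON string rule, checked against Python's standard `json` parser. The names `canonical_encode`, `strict_parser_accepts`, `sha256_hex` and the sample metadata are constructed for illustration.

```python
import hashlib
import json

def canonical_encode(value):
    """Encode per OLPC Canonical JSON: in strings only backslash and quote are escaped."""
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        # Control characters (newline, NUL, ...) pass through as raw characters.
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(value, list):
        return "[" + ",".join(canonical_encode(v) for v in value) + "]"
    if isinstance(value, dict):
        if not all(isinstance(k, str) for k in value):
            raise TypeError("object keys must be strings")
        pairs = (canonical_encode(k) + ":" + canonical_encode(value[k]) for k in sorted(value))
        return "{" + ",".join(pairs) + "}"
    raise TypeError(f"not representable (floats are omitted): {type(value).__name__}")

def strict_parser_accepts(text):
    """True if Python's standard JSON parser (strict by default) accepts the text."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample; the newline inside "custom" is the problem character.
SAMPLE = {"_type": "targets", "version": 3, "custom": "line1\nline2"}
CANONICAL = canonical_encode(SAMPLE)
STANDARD = json.dumps(SAMPLE, sort_keys=True, separators=(",", ":"))

if __name__ == "__main__":
    print("canonical accepted by json.loads:", strict_parser_accepts(CANONICAL))
    print("standard  accepted by json.loads:", strict_parser_accepts(STANDARD))
    print("digests equal:", sha256_hex(CANONICAL) == sha256_hex(STANDARD))
    # A lenient decoder can still read the canonical form.
    print("strict=False round-trips:", json.loads(CANONICAL, strict=False) == SAMPLE)
```

For documents without control characters in strings the two encodings coincide, which is why the difference only shows up on unusual input.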

There are several related issues and discussions on Canonical JSON, i.e. secure-systems-lab/securesystemslib#159 and theupdateframework/tuf#457

joshuagl avatar Mar 04 '20 10:03 joshuagl

I recently learned of another attempt at a canonicalization scheme in the draft IETF spec rundgren-json-canonicalization-scheme. It doesn't have the same issue where strings may contain invalid JSON characters. It's probably a drop-in replacement for most TUF implementations, which I think don't actually allow for invalid JSON characters.

erickt avatar Mar 26 '20 02:03 erickt

FYI: This topic has been added to the agenda for the next TUF community meeting. (date TBD, invitations will go to [email protected]).

lukpueh avatar Mar 30 '20 08:03 lukpueh

Yes. Please also join us on the CNCF Slack

On Mon, Mar 30, 2020 at 4:03 AM lukpueh [email protected] wrote:

FYI: This topic has been added to the agenda for the next TUF community meeting. (date TBD, invitations will go to [email protected]).


trishankatdatadog avatar Mar 30 '20 17:03 trishankatdatadog