Canonical JSON may not be valid JSON
All documents use a subset of the JSON object format, with floating-point numbers omitted. When calculating the digest of an object, we use the "canonical JSON" subdialect as described at http://wiki.laptop.org/go/Canonical_JSON
Canonical JSON may be invalid JSON: Canonical JSON says that control characters must not be escaped:
Because only two byte values are escaped, be aware that JSON-encoded data may contain embedded control characters and nulls.
Whereas JSON mandates that control characters are escaped.
I think this deserves a note in the specification, as normal JSON encoders and decoders cannot be used.
There are several related issues and discussions on Canonical JSON, i.e. secure-systems-lab/securesystemslib#159 and theupdateframework/tuf#457
I recently learned of another attempt at a canonicalization scheme in the draft IETF spec rundgren-json-canonicalization-scheme. It doesn't have the same issue where strings may contain invalid JSON characters. It's probably a drop-in replacement for most TUF implementations, which I think don't actually allow for invalid JSON characters.
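The two points above (Canonical JSON output that a standard JSON parser rejects, and a JCS-style encoding that avoids this) can be reproduced with the following added example. It is illustration written for this thread, not code from the TUF specification, securesystemslib, or the JCS draft. It implements the OLPC Canonical JSON rules for the TUF subset (no floats): keys sorted, no whitespace, and only `\` and `"` escaped inside strings. The `encode_jcs_subset` function is an assumption-laden approximation of JCS built on Python's standard encoder; it matches JCS for this subset only when all object keys are BMP characters (JCS sorts keys by UTF-16 code units, Python by code point). The sample document is constructed.

```python
import hashlib
import json
from typing import Any, Callable


def _canonical_string(value: str) -> bytes:
    # Canonical JSON escapes only backslash and double quote; every other
    # character, control characters and NUL included, is emitted verbatim.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return b'"' + escaped.encode("utf-8") + b'"'


def encode_canonical(obj: Any) -> bytes:
    """Serialize the TUF JSON subset (no floats) in OLPC Canonical JSON form."""
    if obj is True:            # bool is checked before int (bool subclasses int)
        return b"true"
    if obj is False:
        return b"false"
    if obj is None:
        return b"null"
    if isinstance(obj, int):
        return str(obj).encode("ascii")
    if isinstance(obj, str):
        return _canonical_string(obj)
    if isinstance(obj, (list, tuple)):
        return b"[" + b",".join(encode_canonical(v) for v in obj) + b"]"
    if isinstance(obj, dict):
        items = []
        # Keys sorted bytewise on their UTF-8 form, i.e. code point order.
        for key in sorted(obj, key=lambda k: k.encode("utf-8")):
            if not isinstance(key, str):
                raise TypeError(f"object keys must be str, got {type(key).__name__}")
            items.append(_canonical_string(key) + b":" + encode_canonical(obj[key]))
        return b"{" + b",".join(items) + b"}"
    # Floats and anything else are outside the TUF subset.
    raise TypeError(f"type not allowed in canonical JSON: {type(obj).__name__}")


def _reject_floats(obj: Any) -> None:
    if isinstance(obj, float):
        raise TypeError("floats are not part of the TUF JSON subset")
    if isinstance(obj, dict):
        for v in obj.values():
            _reject_floats(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            _reject_floats(v)


def encode_jcs_subset(obj: Any) -> bytes:
    """JCS-style serialization of the same subset (assumption: BMP keys only).

    Standard JSON string escaping (control characters become \\uXXXX or the
    short forms \\n, \\t, ...), sorted keys, no whitespace, non-ASCII kept raw.
    """
    _reject_floats(obj)
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def is_valid_json(data: bytes) -> bool:
    """True if a strict, off-the-shelf JSON parser accepts the bytes."""
    try:
        json.loads(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False


def sha256_digest(obj: Any, encoder: Callable[[Any], bytes] = encode_canonical) -> str:
    """Digest of the canonical encoding; the same for any key insertion order."""
    return hashlib.sha256(encoder(obj)).hexdigest()


if __name__ == "__main__":
    # Constructed sample: a metadata-like object whose string carries a NUL
    # and a newline, which Canonical JSON must emit unescaped.
    doc = {"version": 3, "_type": "targets", "note": "line1\nline2\x00end"}
    canonical = encode_canonical(doc)
    print("canonical :", canonical)
    print("parses?   :", is_valid_json(canonical))      # False: raw control chars
    jcs = encode_jcs_subset(doc)
    print("jcs-style :", jcs)
    print("parses?   :", is_valid_json(jcs))            # True
    print("digest    :", sha256_digest(doc))
```

Run as a script it prints the two encodings side by side; the Canonical JSON bytes are rejected by `json.loads` because of the embedded control characters, which is exactly why a TUF implementation cannot hand canonical bytes to a stock parser, while the JCS-style bytes round-trip through any JSON library.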
FYI: This topic has been added to the agenda for the next TUF community meeting. (date TBD, invitations will go to [email protected]).
Yes. Please also join us on the CNCF Slack
On Mon, Mar 30, 2020 at 4:03 AM lukpueh [email protected] wrote:
FYI: This topic has been added to the agenda for the next TUF community meeting. (date TBD, invitations will go to [email protected]).