On 17 December 2012 03:18, Jeff Garzik <jgarzik@exmulti.com> wrote:
On Sun, Dec 16, 2012 at 4:15 PM, Melvin Carvalho
<melvincarvalho@gmail.com> wrote:
> On 3 December 2012 20:35, Mike Koss <mike@coinlab.com> wrote:
>> It would also be really nice to migrate to textual representations of data
>> structures as opposed to binary ones.  The most successful internet
>> standards are based on text, making them that much more accessible for
>> developers to deal with them.   JSON would be my preferred candidate.
>> Why don't we sign the text representation of a (utf8) JSON, rather than
>> some complex encoding standard of JSON?  That way the signatures are simple
>> - and you need only retain the original textual representation of a message
>> to validate the signature (as well as the decoded version, if you don't want
>> to alway re-parse the message when writing programs that use it).

> Binary formats can be challenging to deal with and convert to other formats.
> The experiences in the PKI world of ASN.1 have not been great, in terms of
> interop.  It tends to create islands and silos.  This is probably one of the
> reasons why X.509 and GPG are fragmented and why we dont really have a
> widely deployed web of trust on the net.  Another reason is simply lack of
> developer resources to make tools.  In that respect I think JSON offers
> significant advantages, though I am interested in the security issues
> raised.

I thought this had already been covered up-thread?

When creating something that must be hashed and/or compared, the data
structure must be created and reproduced precisely, byte-for-byte.
JSON offers significant -disadvantages- in this regard.  With JSON,
you would therefore require an additional middle layer, between JSON
and application, ensuring that all fields are output in the same
order, all whitespace is not only perfectly preserved -- but reliably
generates identical whitespace output for identical inputs, given two
separate JSON implementations.

Apologies if I am a bit late to the thread.  I bumped into someone that suggested I take a look at it.  Will try and catch up!

You raise a good point. 

Is there no good canonicalization algorithm / library for JSON?

I think that provided that each JSON object has an identifier, canonicalization of JSON is not that hard.

Then when you hash or sign the canonical form they can be compared reliably.

Jeff Garzik
exMULTI, Inc.