
> JWT needs it for example (and I'd assume many signature models)

You almost never need canonical representations for signing things. I would even say that if you need a canonical representation to sign your things, then that is a design smell of your cryptographic protocol.



You don't _need_ canonical representations for signing, but then you can't let go of the representation used for computing the signature. What is the argument against a requirement to only sign canonical data?


Could you please explain more? What is the "design smell", and what is the alternative solution to canonicalization?


I didn't mention canonicalization. My point is that serialized JSON is ordered - which I think is exactly the same property you're referring to.


That's an implementation detail. Serialized JSON can also be printed, but your systems shouldn't depend on JSON always being ink on paper.
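
The trade-off discussed in this thread, as an added example that is not part of any comment: sign the exact serialized bytes, carry those bytes unchanged, and verify before parsing, so no canonical form is needed. The envelope layout, key and function names are assumptions made for this example.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload_bytes: bytes, key: bytes = KEY) -> str:
    """Envelope: b64u(payload bytes) + "." + b64u(HMAC-SHA256 over those bytes)."""
    tag = hmac.new(key, payload_bytes, hashlib.sha256).digest()
    return b64u(payload_bytes) + "." + b64u(tag)

def verify(envelope: str, key: bytes = KEY):
    """Check the tag over the transported bytes first; parse only on a match."""
    try:
        body, tag = envelope.split(".")
        payload_bytes, got = b64u_dec(body), b64u_dec(tag)
    except ValueError:  # wrong field count or bad base64
        return None
    want = hmac.new(key, payload_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(got, want):
        return None
    return json.loads(payload_bytes)

def resign_after_reparse_matches(envelope: str, key: bytes = KEY) -> bool:
    """Models a hop that parses and re-serializes instead of forwarding bytes."""
    body, tag = envelope.split(".")
    reserialized = json.dumps(json.loads(b64u_dec(body)), sort_keys=True).encode()
    want = hmac.new(key, reserialized, hashlib.sha256).digest()
    return hmac.compare_digest(b64u_dec(tag), want)

# Constructed payloads: the same JSON object in two different serializations.
PAYLOAD_A = b'{"sub":"alice","admin":false}'
PAYLOAD_B = b'{"admin": false, "sub": "alice"}'

if __name__ == "__main__":
    for raw in (PAYLOAD_A, PAYLOAD_B):
        env = sign(raw)
        print(verify(env), resign_after_reparse_matches(env))
```

Both constructed payloads verify and decode to the same object even though their envelopes differ; the signature only breaks for a party that discards the transported bytes and re-serializes, which is the case where a canonical form would be required.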



