FHIR Chat · canonicalization · Security and Privacy

Stream: Security and Privacy

Topic: canonicalization


Eric Prud'hommeaux (Mar 18 2021 at 06:40):

Why does JSON c14n compress whitespace? I think you'd need to do more to make it emit the same document as https://www.w3.org/TR/xml-c14n11/ .

Eric Prud'hommeaux (Mar 18 2021 at 06:41):

c.f. https://www.hl7.org/fhir/json.html#canonical

Eric Prud'hommeaux (Mar 18 2021 at 06:50):

It seems like the ability to hash a FHIR document itself (rather than some serialization) would outweigh the value of using out-of-the-box c14n tools on the specific representations, especially since it could be autogenerated from the StructureDefinition (invoke a hashThyself() that visited the hierarchy in the same order as the parsers). In Java, it could be run either off the RuntimeResourceDefinition or just be printf'd code like equalsDeep().

John Moehrke (Mar 18 2021 at 12:14):

what would you recommend? This is a very immature space, especially with json. Note that the c14n is purely for calculating the signature in a reliable way.

Eric Prud'hommeaux (Mar 18 2021 at 12:23):

i guess some proliferation of c14n methods isn't bad, so long as they have different use cases. all signature protocols that i know of include an identifier for the method so it's not like having more than one leads to ambiguity.

Eric Prud'hommeaux (Mar 18 2021 at 12:27):

i can imagine using XML c14n for XML toolchains, RFC8785 for JSON tool chains and RDF Dataset normalization for RDF

Eric Prud'hommeaux (Mar 18 2021 at 12:28):

the prob is that each of those leaves you in a silo. anyone wanting to test that signature will have to convert to the same format before following the rest of the verification protocol

Eric Prud'hommeaux (Mar 18 2021 at 12:29):

so i like the option i described above where there would be a FHIR-based c14n method, which you can use regardless of what serialization format (if any) your system uses

Josh Mandel (Mar 18 2021 at 13:56):

I added FHIR-31566 to at least align our JSON canonicalization recommendation with our goals for JSON canonicalization (I'd be interested to know if anyone has implemented them in their current form.)


Last updated: Apr 12 2022 at 19:14 UTC