Currently it is a PITA to verify the signature in notary responses. Since both
signature and signed data are in the same JSON object you first have to parse
the whole response, then reencode the fingerprintList as JSON (which has to be
done manually, as most encoders don't preserve field ordering) with unspecified
whitespace rules (whatever Python's json.dumps does). This is fragile and makes
writing clients/notaries unnecessarily hard.
There are a few options to make this easier:
1. JSON in JSON

   ```
   {
     "data": "fingerprintList: {....}",
     "signature": "kasdj..."
   }
   ```
2. Put the signature in an HTTP header and sign the whole response body
3. Drop the signature. The current client doesn't seem to verify it anyways.
   And since it's signed with the same key that is used in the handshake, it
   doesn't buy much (except in the case where you want to archive the notary
   responses).
Thoughts?
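
The re-encoding problem and the "JSON in JSON" option from the issue above, as an added example that is not part of the original issue or the project's code. Assumptions: HMAC-SHA256 with a constructed key stands in for the notary's public-key signature so the block runs on the standard library alone, and the sample data and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

# Assumption: HMAC-SHA256 with a constructed key stands in for the notary's
# public-key signature; the issue is which bytes get signed, not the algorithm.
KEY = b"constructed-demo-key"
# Constructed sample data, not a real notary response.
FINGERPRINTS = [{"timestamps": [{"start": "1", "end": "2"}], "fingerprint": "AA:BB"}]

def sign(data: bytes) -> str:
    return base64.b64encode(hmac.new(KEY, data, hashlib.sha256).digest()).decode()

def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)

def notary_current() -> bytes:
    """Current layout: the signature sits beside the data it covers."""
    signed = json.dumps(FINGERPRINTS)  # whatever the notary's encoder emits
    return json.dumps({"fingerprintList": FINGERPRINTS,
                       "signature": sign(signed.encode())}).encode()

def client_current(body: bytes, **dumps_opts) -> bool:
    """The client parses, then must reproduce the notary's exact serialization."""
    resp = json.loads(body)
    rebuilt = json.dumps(resp["fingerprintList"], **dumps_opts)
    return verify(rebuilt.encode(), resp["signature"])

def notary_enveloped() -> bytes:
    """JSON in JSON: the signed data travels as an opaque string."""
    data = json.dumps({"fingerprintList": FINGERPRINTS}, separators=(",", ":"))
    return json.dumps({"data": data, "signature": sign(data.encode())}).encode()

def client_enveloped(body: bytes):
    """Verify the exact string first; parse the inner JSON only on success."""
    env = json.loads(body)
    if not verify(env["data"].encode(), env["signature"]):
        return None
    return json.loads(env["data"])

if __name__ == "__main__":
    body = notary_current()
    print("same encoder settings:", client_current(body))
    print("compact separators:  ", client_current(body, separators=(",", ":")))
    print("sorted keys:         ", client_current(body, sort_keys=True))
    print("enveloped:           ", client_enveloped(notary_enveloped()) is not None)
```

With the enveloped layout the client never has to guess key order or whitespace, and unverified data is not parsed beyond the outer two-field object.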