A recent discussion here on Latacora's "How (not) to sign a JSON object" [0] had me thinking of CBOR. Unlike JSON, MsgPack, protobufs, BSON, or any other commonly used data interchange format that I'm aware of, CBOR has a canonical representation (although with seeming ambiguity in float representation) [1].
Anyone have any thoughts on using canonical CBOR for object signing? Currently, I'm building a system with a content-addressable data store, and I'm particularly interested in data formats with a canonical form for this use-case.
Generally, there isn't an efficient object model for CBOR (three really troublesome features are the use of arbitrary CBOR structures as map keys, 64-bit unsigned negative numbers, and semantic tagging resulting in data being represented in an alternative form, e.g. a BigDecimal type rather than a binary array).
As a result, round-tripping through a CBOR implementation may still result in data structure changes. Depending on the type of change and any exploits in, say, the hashing algorithm, this could be a security issue.
On the flip side, you can just tag a byte array as CBOR data, and sign it. Unlike JSON, you don't need to perform an encoding/escaping to make one document safe to embed into another document.
[0] https://news.ycombinator.com/item?id=20516489
[1] https://tools.ietf.org/html/rfc7049#section-3.9
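The two ideas in this thread (a canonical encoding for content addressing, and authenticating a tagged byte string rather than a re-encoded object) can be sketched as follows. This is an added example, not code from any poster: the function names are hypothetical, the encoder covers only integers, byte strings, text, arrays and maps under the RFC 7049 section 3.9 rules, floats are rejected outright, and HMAC-SHA256 stands in for a real signature scheme.

```python
import hashlib, hmac, struct

def _head(major, n):
    """Major type plus argument, always in the shortest form (RFC 7049 3.9)."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                           (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if n < limit:
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("integer outside the 64-bit range")

def encode(obj):
    """Canonical CBOR for int, bytes, str, list and dict; anything else is refused."""
    if isinstance(obj, int) and not isinstance(obj, bool):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        # Sort on the encoded key: shorter first, then bytewise.
        pairs = sorted(((encode(k), encode(v)) for k, v in obj.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    raise TypeError(f"no canonical form defined here for {type(obj).__name__}")

def content_address(obj):
    """Store key: SHA-256 over the canonical bytes."""
    return hashlib.sha256(encode(obj)).hexdigest()

def seal(obj, key):
    """Wrap the canonical bytes as tag 24 (encoded CBOR data item) and MAC them."""
    inner = encode(obj)
    wrapped = _head(6, 24) + _head(2, len(inner)) + inner
    return wrapped, hmac.new(key, wrapped, hashlib.sha256).digest()

def verify(wrapped, mac, key):
    """Check the MAC over the bytes as received, before any decode or re-encode."""
    expected = hmac.new(key, wrapped, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

# Constructed sample: the same map built in two insertion orders.
DOC_A = {"a": 1, "b": [2, 3]}
DOC_B = {"b": [2, 3], "a": 1}
```

Because `verify` works on the received bytes, the round-trip changes described in the reply cannot alter what was authenticated; the receiver decodes the inner byte string only after the check passes.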