Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 4ab173a

Browse files
authored
Merge pull request #16 from rohanharikr/r3-remove-canonicalization
R3: hash bytes as served, remove canonicalization mandate
2 parents 6daa7bd + 304944b commit 4ab173a

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

draft-hardt-aauth-r3.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -317,7 +317,9 @@ The document MUST be served over HTTPS. The resource MUST require a valid HTTP M
317317

318318
## Content Addressing
319319

320-
The R3 hash (`r3_s256`) is computed as the SHA-256 hash of the canonical JSON serialization ([@!RFC8785]) of the R3 document, base64url-encoded without padding.
320+
The R3 hash (`r3_s256`) is computed as the SHA-256 hash of the bytes of the R3 document as served by the resource, base64url-encoded without padding.
321+
322+
The resource's serialization is the document. There is no canonicalization step — verifiers hash the bytes received over the wire, not a normalized form. Resources MUST serialize the R3 document once and serve those exact bytes verbatim on every request for the same `r3_uri`. Re-serialization between hash computation and serving (e.g. middleware that parses and re-stringifies JSON, CDN minification, response framework helpers that reorder keys) will produce different bytes and break hash verification. Resources that build R3 documents on the fly SHOULD persist the serialized bytes (e.g. in a key-value store keyed by `r3_uri` or `r3_s256`) rather than re-build the document per request.
321323

322324
The `r3_s256` hash is the document's identity, not the URI. The AS caches documents by hash. If a resource updates the document at the same URI, existing auth tokens still reference the previous hash (which the AS has cached). New resource tokens reference the new hash. This enables:
323325

@@ -383,7 +385,7 @@ When the AS receives a resource token containing `r3_uri` and `r3_s256`, it MUST
383385

384386
1. Validate the resource token signature per AAuth Protocol ([@!I-D.hardt-aauth-protocol]).
385387
2. Fetch the R3 document at `r3_uri`. The AS MAY use a cached copy if the cache entry was stored with the same `r3_s256` value.
386-
3. Compute the SHA-256 hash of the fetched document using canonical JSON serialization ([@!RFC8785]) and compare it to `r3_s256`. If the hashes do not match, the AS MUST reject the resource token.
388+
3. Compute the SHA-256 hash of the bytes received and compare it to `r3_s256`. If the hashes do not match, the AS MUST reject the resource token.
387389
4. Record `r3_uri` and `r3_s256` in its audit log alongside the token issuance event, the agent identifier, and the timestamp.
388390
5. Use the `operations` section for policy evaluation.
389391
6. Include `r3_uri`, `r3_s256`, `r3_granted`, and (if applicable) `r3_conditional` in the issued auth token.

0 commit comments

Comments
 (0)