Currently it is a PITA to verify the signature in notary responses. Since both
signature and signed data are in the same JSON object you first have to parse
the whole response, then reencode the fingerprintList as JSON (which has to be
done manually, as most encoders don't preserve field ordering) with unspecified
whitespace rules (whatever pythons json.dumps does). This is fragile and makes
writing clients/notaries unnecessary hard.
There are a few options to make this easier:
JSON in JSON
{
data: "fingerprintList: {....}"
signature: "kasdj..."
}
put the Signature in a HTTP-header and sign the whole response body
Drop the signature. The current client doesn't seem to verify it anyways.
And since its signed with the same key that is used in the handshake, it
doesn't buy much (except in the case where you want to archive the notary
responses).
Currently it is a PITA to verify the signature in notary responses. Since both signature and signed data are in the same JSON object you first have to parse the whole response, then reencode the fingerprintList as JSON (which has to be done manually, as most encoders don't preserve field ordering) with unspecified whitespace rules (whatever pythons json.dumps does). This is fragile and makes writing clients/notaries unnecessary hard.
There are a few options to make this easier:
Thoughts?