(github.blog)

312 points campuscodi | 1 comments | 15 Mar 25 19:06 UTC | HN request time: 0.932s | source

1. RainyDayTmrw ◴[16 Mar 25 01:29 UTC] No.43376335[source]▶

Related: Latacora's (2019) article, How (not) to sign a JSON object[1].

In short, nesting trees and signing them is difficult and prone to pitfalls. It's easier if the envelope holds the message as a raw string, and the signing is performed on the raw string.

[1]: https://www.latacora.com/blog/2019/07/24/how-not-to/

↑

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials