by: Retr0id

Putting domain separators in the IDL is interesting but you can also avoid the problem by putting the domain separators in-band (e.g. in some kind of &quot;type&quot; field that is always present).<p>Tangentially, depending on what your input and data model look like, canonicalisation takes O(nlogn) time (i.e. the cost of sorting your fields).<p>Here I describe an alternative approach that produces deterministic hashes <i>without</i> a distinct canonicalization step, using multiset hashing: <a href="https:&#x2F;&#x2F;www.da.vidbuchanan.co.uk&#x2F;blog&#x2F;signing-json.html" rel="nofollow">https:&#x2F;&#x2F;www.da.vidbuchanan.co.uk&#x2F;blog&#x2F;signing-json.html</a>

4/1/2026, 8:04:09 PM

by: lukev

So, isn&#x27;t this a rather longwinded way to say that a signature only extends to the scope of the message it contains?<p>It doesn&#x27;t matter if I sign the word &quot;yes&quot;, if you don&#x27;t know what question is being asked. The signature needs to included the necessary context for the signature to be meaningful.<p>Lots of ways of doing that, and you definitely need to be thoughtful about redundant data and storage overhead, but the concept isn&#x27;t tricky.

4/1/2026, 9:16:26 PM

by: cogman10

Why not digest the type as part of the hash? This avoids the problem in the article and keeps the transmission size small.

4/1/2026, 9:33:40 PM

by: tantalor

Since the example was given in proto, I&#x27;ll suggest a solution in proto: add a message option.<p><pre><code> extend google.protobuf.MessageOptions { optional uint64 domain_separator = 1234; } message TreeRoot { option (domain_separator) = 4567; ... }</code></pre>

4/1/2026, 8:14:37 PM

by: Muromec

So another lesson had been relearned from asn.1. I&#x27;m proud of working in this industry again! Next we will figure out to always put versions into the data too

4/1/2026, 9:01:04 PM

by: formerly_proven

This article claims that these are somewhat open questions, but they&#x27;re not and have not been for a long time.<p>#1 You sign a blob and you don&#x27;t touch it before verifying the signature (aka &quot;The Cryptographic Doom Principle&quot;) #2 Signatures are bound to a context which is _not_ transmitted but used for deriving the key or mixed into the MAC or what have you. This is called the Horton principle. It ensures that signer&#x2F;verifier must <i>cryptographically</i> agree on which context the message is intended for. You essentially cannot implement this incorrectly because if you do, all signatures will fail to verify.<p>The article actually proposes to violate principle #2 (by embedding some magic numbers into the protocol headers and presuming that someone will check them), which is an incorrect design and <i>will result in bad things</i> if history is any indication.<p>Principles #1 and #2 are well-established cryptographic design principles for just a handful of decades each.

4/1/2026, 8:16:51 PM

by:

4/1/2026, 9:08:41 PM

by: jeffrallen

This is a nice explanation of an obvious idea. Both domain separation, and putting the domain signifier into the IDL are fine, but not novel.<p>Crypto is hard. Do it right. Get help from your tools. &#x27;Nuff said.<p>Jeeze, I&#x27;m getting too old for this crap.

4/1/2026, 9:11:32 PM

by: logicallee

along the same lines, did you know that you can get an authenticated email that the listed sender never sent to you? If the third party can get a server to send it to themselves (for example Google forms will send them an email with the contents that they want) they can then forward it to you while spoofing the from: field as Google.com in this example, and it will appear in your inbox from the &quot;sender&quot; (Google.com) and appear as fully authenticated - even though Google never actually sent you that.<p>This is another example where you would think that &quot;who it&#x27;s for&quot; is something the sender would sign but nope!

4/1/2026, 9:01:15 PM