Manifest should be sent as base64

[rozbb]

The current proposed format for a WAICT manifest is a JSON object with fields for hashes, policy, delimiters, etc. For transparency, the manifest must be signed. This means that a client has to ingest the JSON object, canonicalize it, serialize to bytes then check the signature on that bytestring. As we know from recent history, mixing canonicalization with signatures can be disastrous.

There is an easy way to avoid all this. Instead of specifying manifest as a JSON object, I it should be a bytestring, probably base64-encoded. The bytestring, when parsed, will be a JSON object, but transmitting it as raw bytes avoids the need for canonicalization altogether. This still means that we need to ensure parsers behave the same, but we needed that anyway.

@ezzak @rich-hansen

[dveditz]

Why can't the signature be checked against the raw bytes of the response? If it turns out to be invalid JSON after that it's a syntax error, but you know it's the content exactly as the server signed and sent it.

[rozbb]

Good point, that could work too imo. It would just come down to how browsers expose the manifest to the verification code. If the raw bytes are still available, then yes that should be done. The plus side of this is that this is far more debuggable than seeing a wall of base64 in your dev tools.

@dennisjackson do you have any intuition for whether this will be feasible?