[OpenID-Specs-eKYC-IDA] Issue #1261: Use of JSON 'null' in request syntax (openid/ekyc-ida)

josephheenan issues-reply at bitbucket.org
Tue Oct 19 17:09:17 UTC 2021


New issue 1261: Use of JSON 'null' in request syntax
https://bitbucket.org/openid/ekyc-ida/issues/1261/use-of-json-null-in-request-syntax

Joseph Heenan:

I fully appreciate this has been discussed before:

[https://bitbucket.org/openid/ekyc-ida/issues/1177/avoid-using-null-to-mean-something](https://bitbucket.org/openid/ekyc-ida/issues/1177/avoid-using-null-to-mean-something)

[https://bitbucket.org/openid/ekyc-ida/issues/1110/identity-assurance-giving-null-and-or](https://bitbucket.org/openid/ekyc-ida/issues/1110/identity-assurance-giving-null-and-or)

but the use of ‘null’ values in JSON is problematic, and the new data I’d like to add is that this caused a whole bunch of unnecessary difficulty implementing the eKYC conformance tests.

I also appreciate that this is how things are defined in core.

I’d like to make the following points:

1. This is actually a problem in the real world; many libraries that handle JSON tend to (at best) default to ignoring entries that have null values (as well as a number of JSON libraries also making it easy for programmers to accidentally generate entries with null values - which is probably why many libraries ignore the null values by default…). The certification suite was actually in a better place than many people as previously we had already solved several issues with null values disappearing before they arrived at our code in order to be able to detect places where people were accidentally sending null values.
2. This particular part of OIDC Core is currently not widely used/supported in the real world; many RP and OP implementations do not support it.
3. This particular part of OIDC Core is NOT tested by any existing conformance tests.
4. The point of implementors draft specifications is to figure out what problems happen implementing them in the real world and try to change specifications to lessen those problems.
5. It’s explicitly in the certification team's remit to bring issues like this back to the working groups to be considered.

In short I think using this syntax for eKYC is going to cause a lot of people a lot of unnecessary pain in the short, medium and long term.
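
The failure mode in point 1, shown as an added example that is not part of the original message or of the certification suite's code. It assumes the OIDC Core `claims` request parameter, where a `null` value requests a claim in the default manner; the sample request and all function names are constructed, and `strip_nulls` stands in for a JSON layer that omits null entries by default.

```python
import json

# Constructed sample: an OIDC Core "claims" request parameter in which
# null means "request this claim in the default manner".
CLAIMS_REQUEST = '''{
  "userinfo": {"given_name": null, "email": {"essential": true}},
  "id_token": {"acr": null}
}'''

def strip_nulls(value):
    """Simulate a JSON layer that silently drops entries with null values."""
    if isinstance(value, dict):
        return {k: strip_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [strip_nulls(v) for v in value if v is not None]
    return value

def requested_claims(request):
    """Claim names per target, decided by key presence, never by value."""
    return {target: sorted(members) for target, members in request.items()
            if isinstance(members, dict)}

def null_paths(value, path=""):
    """List every location that holds an explicit JSON null."""
    if value is None:
        return [path or "/"]
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        return []
    return [p for k, v in items for p in null_paths(v, f"{path}/{k}")]

def compare():
    parsed = json.loads(CLAIMS_REQUEST)  # Python's json keeps null as None
    return (requested_claims(parsed),
            requested_claims(strip_nulls(parsed)),
            null_paths(parsed))

if __name__ == "__main__":
    faithful, lossy, nulls = compare()
    print("faithful:", faithful)
    print("lossy:   ", lossy)
    print("nulls at:", nulls)
```

After the null-dropping layer, `given_name` and `acr` are no longer requested at all, and a receiver can no longer tell a deliberate null from a key that was never sent.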
