<-Full-Trust Requirements Go to ToC Data Types ->
This page specifies the conventions governing the representation, canonicalisation, signing, and error handling of data structures used in MPAI‑PTF. All Process Instances shall conform to these conventions when constructing, transmitting, or verifying TrustRequest and TrustResponse messages.
1. JSON Conventions
| Convention |
Definition |
| JSON Format |
All PTF data structures shall be represented using JSON as defined in RFC 8259. |
| UTF‑8 Encoding |
JSON documents shall be encoded in UTF‑8 without BOM. |
| Schema Compliance |
All JSON structures shall conform to the JSON Schemas defined by this Technical Specification. |
| Field Names |
Field names shall be case‑sensitive and use lowerCamelCase unless otherwise specified. |
| Required Fields |
Required fields shall be present and shall not be null. |
| Optional Fields |
Optional fields may be omitted; if present, they shall conform to their schema. |
| Ordering |
JSON field ordering is not significant except where canonicalisation rules apply. |
| Binary Data |
Binary string values shall be encoded using Hexadecimal ASCII encoding without padding. |
2. PTF‑JSON‑CANON‑V1
JSON Canonicalisation Rules for MPAI‑PTF
This section defines the canonicalisation rules used by MPAI‑PTF for all signed JSON structures. A Process Instance shall apply these rules before generating or verifying any signature.
The purpose of PTF‑JSON‑CANON‑V1 is to ensure that:
- the same JSON structure always produces the same byte sequence
- signatures remain valid across platforms and implementations
- trust establishment is deterministic and interoperable
These rules apply to all PTF structures that include a signature field.
General Requirements
| Rule |
Definition |
| Canonical Form Required |
All signed JSON structures shall be canonicalised according to PTF‑JSON‑CANON‑V1 before signature generation or verification. |
| UTF‑8 Encoding |
Canonicalised JSON shall be encoded as UTF‑8 without BOM. |
| Deterministic Output |
Canonicalisation shall produce a deterministic byte sequence for the same logical JSON structure. |
| No Comments |
Comments are not permitted in canonicalised JSON. |
| No Whitespace |
White spaces are not permitted in canonicalised JSON. |
Object Field Ordering
| Rule |
Definition |
| Lexicographic Ordering |
All JSON object fields shall be ordered lexicographically by Unicode code point of the field name. |
| Stable Ordering |
Ordering shall be applied recursively to all nested objects. |
| No Reordering Exceptions |
No field is exempt from ordering, including signature and keyId. |
String Normalisation
| Rule |
Definition |
| Escape Only When Required |
Strings shall escape only characters required by JSON syntax. |
| No Unicode Normalisation |
Unicode characters shall not be normalised (NFC/NFD/etc.). |
| No Superfluous Escapes |
Characters not requiring escaping shall appear as‑is. |
Number Normalisation
| Rule |
Definition |
| No Leading Zeros |
Numbers shall not contain leading zeros (except zero itself). |
| No Plus Sign |
Numbers shall not include a leading +. |
| No Trailing Decimal Point |
Numbers shall not end with a decimal point. |
| No Exponential Shorthand |
Exponential notation is permitted but shall not include unnecessary signs or leading zeros. |
Arrays
| Rule |
Definition |
| Preserve Order |
Array element order shall be preserved exactly as provided. |
| Canonicalise Elements |
Each element shall be canonicalised recursively. |
| No Whitespace |
Arrays shall not contain whitespace except within string values. |
Binary Data
| Rule |
Definition |
| Hexadecimal ASCII Encoding |
Binary values shall be encoded using Base64URL without padding. |
| String Form |
Binary values shall appear as JSON strings. |
| Canonical Encoding |
Implementations shall not use Base64 or Base64URL with padding. |
Signature Field Handling
| Rule |
Definition |
| Signature Field Excluded from Canonicalisation |
When generating a signature, the signature field shall be omitted from the canonicalised JSON. |
| Signature Field Included for Verification |
When verifying a signature, the signature field shall be removed before canonicalisation. |
| Signature Encoding |
The signature field shall contain a Hexadecimal ASCII‑encoded string. |
Canonical Byte Stream
| Rule |
Definition |
| UTF‑8 Serialisation |
The canonicalised JSON shall be serialised as a UTF‑8 byte stream. |
| No BOM |
A byte‑order mark shall not be included. |
| Input to Signature Algorithm |
The canonical byte stream is the exact input to the signature algorithm. |
3. Signature Conventions
| Convention |
Definition |
| Signature Scope |
Signatures shall be computed over the canonicalised JSON representation of the signed object. |
| Signature Algorithms |
Only algorithms listed in the Security Algorithm Taxonomy shall be used. |
| Signature Field |
Signed objects shall include a signature field containing the Hexadecimal ASCII ‑encoded signature value. |
| Key Identification |
Signed objects shall include a keyId or equivalent field enabling verification using the correct public key. |
| Detached vs Embedded |
PTF supports embedded signatures; detached signatures may be used if specified by a Profile. |
| Multiple Signatures |
If multiple signatures are present, each shall independently cover the full canonicalised object unless otherwise specified. |
4. Error Handling Conventions
| Convention |
Definition |
| Error Codes |
Errors shall be reported using standardised error codes defined in this Technical Specification. |
| Error Structure |
Error responses shall be JSON objects containing an error code, error message, and optional diagnostic information. |
| Deterministic Failure |
Verification failures shall produce deterministic error codes for the same failure condition. |
| No Partial Trust |
If any required identity, credential, evidence, or policy check fails, the Trust Decision shall be “reject”. |
| Logging |
Implementations may log errors internally but shall not disclose sensitive information in TrustResponses. |
| Protocol Compliance |
Malformed or non‑schema‑compliant messages shall be rejected with the appropriate error code. |
<-Full-Trust Requirements Go to ToC Data Types ->
