HN Reader

RFC 9804: Simple Public Key Infrastructure (SPKI) S-Expressions

2 eadmund 4 7/3/2025, 10:41:45 AM datatracker.ietf.org ↗

Comments (4)

eadmund · 15h ago
After 29 years, Rivest’s S-expression draft is an RFC.

They are a straightforward, easy-to-parse S-expression format whose canonical representation is useful for cryptography. They are suitable as a general replacement for JSON, XML, HTML, ASN.1 and more.

eadmund · 14h ago
This XML (from https://www.w3schools.com/xml/note.xml):

    <note>
      <to>Tove</to>
      <from>Jani</from>
      <heading>Reminder</heading>
      <body>Don't forget me this weekend!</body>
    </note>
could be this S-expression:

    (note
     (to Tove)
     (from Jani)
     (heading Reminder)
     (body "Don't forget me this weekend"))
But if every note must have a body, this might make even more sense:

    (note
     (to Tove)
     (from Jani)
     (heading Reminder)
     "Don't forget me this weekend")
eadmund · 14h ago
This JSON (taken from https://www.w3schools.com/js/js_json_intro.asp):

    {"name":"John", "age":30, "car":null}
could be this S-expression:

    ((name John)
     (age 30)
     (car ()))
The canonical representation (suitable for cryptographic hashing) would be ((4:name4:John)(3:age2:30)(3:car())).
eadmund · 14h ago
The DER-encoded ASN.1 byte sequence Base64-encoded to MBMCAQUWDkFueWJvZHkgdGhlcmU/ could be represented as:

    ((tracking-number 5)
     (question "Anybody there?"))
While we are all familiar with opaque X.509 certificates such as (from https://www.fm4dd.com/openssl/source/PEM/certs/512b-rsa-exam...):

    -----BEGIN CERTIFICATE-----
    MIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG
    A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE
    MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl
    YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw
    ODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE
    CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs
    ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl
    8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID
    AQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx
    8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy
    2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0
    Hn+GmxZA
    -----END CERTIFICATE-----
an SPKI certificate might be:

    (sequence
        (public-key
         (rsa-pkcs1-md5
          (e #11#)
          (n
           |ALNdAXftavTBG2zHV7BEV59gntNlxtJYqfWIi2kTcFIgIPSjKlHleyi9s
           5dDcQbVNMzjRjF+z8TrICEn9Msy0vXB00WYRtw/7aH2WAZx+x8erOWR+yn
           1CTRLS/68IWB6Wc1x8hiPycMbiICAbSYjHC/ghq2mwCZO7VQXJENzYr45|)))
        (do hash md5)
        (cert
         (issuer (hash md5 |+gbUgUltGysNgewRwu/3hQ==|))
         (subject
          (keyholder (hash md5 |+gbUgUltGysNgewRwu/3hQ==|)))
         (tag
          (* set
           (name "Carl M. Ellison")
           (street "207 Grindall St.")
           (city "Baltimore MD")
           (zip "21230-4103")))
         (not-after "1998-04-15_00:00:00"))
        (signature
         (hash md5 |54LeOBILOUpskE5xRTSmmA==|)
         (hash md5 |+gbUgUltGysNgewRwu/3hQ==|)
         |HU6ptoaEd7v4rTKBiRrpJBqDKWX9fBfLY/MeHyJRryS8iA34+nixf+8Yh/
         buBin9xgcu1lIZ3Gu9UPLnu5bSbiJGDXwKlOuhTRG+lolZWHaAd5YnqmV9h
         Khws7UM4KoenAhfouKshc8Wgb3RmMepi6t80Arcc6vIuAF4PCP+zxc=|)))
Note that this is not a translation of the X.509 certificate above, though — I pulled it from <https://datatracker.ietf.org/doc/html/draft-ietf-spki-cert-e...>. Note that this is a very 90s example: MD5 and a bespoke data format instead of SHA-2 and ISO 8601.

I think it’s clear that an SPKI certificate is much, much more readable.