How (not) to sign a JSON object
This covers a lot of ground. I liked this quote, even though there’s much more to the post.
Canonicalization is a quagnet, which is a term of art in vulnerability research meaning quagmire and vulnerability magnet. You can tell it’s bad just by how hard it is to type ‘canonicalization’.