Restarting the JSON signature discussions

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 23 Sep 2015 08:34:21 +0200
To: Web Payments CG <public-webpayments@w3.org>, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <560247ED.3080309@gmail.com>

Since the concept of shrouding JSON in Base64 has (somewhat unsurprisingly) gotten
resistance, the JOSE WG is trying to compensate for that with a workaround:

http://datatracker.ietf.org/doc/draft-ietf-jose-jws-signing-input-options/

IMO this is the wrong idea; it is better to acknowledge the fact that JOSE, like
any other tool, has a certain heritage, which in the JOSE case is OpenID.

"Business Messaging" is another application and if that had been the starting
point the outcome may have been quite different.

JOSE is really about signed and encrypted "data" using JSON-flavored containers.
"Business Messaging" rather needs "Signed and Encrypted JSON".

Adding 10-150 lines of code to a JSON serializer in order to make it "crypto-capable"
is well worth the effort since it enables you to use "Signed JSON" as well as do
other pretty cool crypto-stuff like the "requestHash" construct in

     http://webpki.org/papers/payments/webpay-4-corner-flow.html#p8

which simply put is undoable using current JOSE standards.

Anders
Received on Wednesday, 23 September 2015 06:34:57 UTC
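
The contrast drawn in the message above, as an added illustration that is not part of the original post and is not the author's or the JOSE WG's specification: a JWS compact token carries the payload as base64url, while an in-object signature leaves the business data readable but makes verification depend on the serializer reproducing the exact signed bytes. The key, the sample message, the `signature` property layout and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key
ORDER = {"payee": "Demo Merchant", "amount": "235.50", "currency": "USD"}  # constructed

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def serialize(obj) -> bytes:
    # Property order as inserted/parsed, no insignificant whitespace.
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode()

def mac(data: bytes) -> str:
    return b64u(hmac.new(KEY, data, hashlib.sha256).digest())

def jws_compact(payload: dict) -> str:
    # JWS compact serialization with HS256: the payload is carried as base64url.
    signing_input = b64u(serialize({"alg": "HS256"})) + "." + b64u(serialize(payload))
    return signing_input + "." + mac(signing_input.encode())

def sign_cleartext(message: dict) -> dict:
    # Assumed layout: MAC over the serialized message, stored in an appended
    # "signature" property, so the business data stays readable JSON.
    if "signature" in message:
        raise ValueError("message already carries a signature property")
    return {**message, "signature": {"alg": "HS256", "value": mac(serialize(message))}}

def verify_cleartext(signed: dict) -> bool:
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HS256":
        return False
    # Re-serialize everything except the signature and compare in constant time.
    unsigned = {k: v for k, v in signed.items() if k != "signature"}
    expected = mac(serialize(unsigned)).encode()
    return hmac.compare_digest(expected, str(sig.get("value")).encode())

if __name__ == "__main__":
    print(jws_compact(ORDER))                      # opaque to a human reader
    wire = json.dumps(sign_cleartext(ORDER), indent=2)
    print(wire)                                    # readable, signature alongside
    print(verify_cleartext(json.loads(wire)))      # whitespace on the wire is harmless
```

Because this sketch signs the serializer's output, a receiver whose parser reorders properties or rewrites values will reject a genuine message; that dependency is the cost of keeping the payload in clear.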