- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 29 Sep 2020 18:41:38 +0200
- To: Roberto Polli <robipolli@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Alexander.Hoose@fitko.de
On 2020-09-29 17:57, Roberto Polli wrote:
> Hi @all,
>
> I'm trying to find a suitable way to replace ws-* for encrypting
> payload bodies with some other specification more suitable to a REST
> approach.
> It seems that the enterprise industry is still fond of JWE - but I'd
> avoid it if I can, considering that a good library like google/tink is
> not going to implement it
> https://github.com/google/tink/issues/342#issuecomment-658450381
> moreover the specs
>
> Leveraging the content-coding feature of HTTP, there's rfc8188 which
> seems interesting: still I don't know how many implementers are in the
> wild. Don't know if that mechanism can be extended to PKI encryption.
> Another solution could be CMS / S-mime.
>
> What do you think/use/suggest?

I believe the use cases for encrypting an entire payload are pretty few, and probably already implemented in applications like communication software and copy protected media streaming.

FWIW, I'm working on alternatives to JWS and JWE that are based on the recently published RFC 8785. They are targeted at "information-centric systems" using JSON, like Open Banking.

Thanx,
Anders

https://cyberphone.github.io/doc/security/jsf.html
https://cyberphone.github.io/doc/security/jef.html
https://mobilepki.org/jsf-lab/home

>
> Thanks and regards,
> R.
>
Received on Tuesday, 29 September 2020 16:41:53 UTC