
RFC 8785 - JSON Canonicalization Scheme

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 30 Jun 2020 07:11:02 +0200
To: Web Payments Working Group <public-payments-wg@w3.org>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <a348bc32-023e-05d0-ed1b-a88f8379086e@gmail.com>

In case you would like to test what you can do with JSON canonicalization, there are two public Web applications at your disposal:
Using JWS: https://mobilepki.org/jws-jcs
Using an "unwrapped" JWS called Java Signature Format (JSF): https://mobilepki.org/jsf-lab

A real-world implementation from OWASP using JSF: https://cyclonedx.org/use-cases/#authenticity

In Saturn, JSF is not only a security solution, it is also used for counter-signatures to simplify state-holding in payment systems. That is, a two-phase payment works as follows:
Merchant - Bank

1. Signed request for a RESERVATION ->  Create and store a unique identifier in a reservation-record
2. <- Return signed authorization embedding the request as well as the unique identifier.
3. Signed request for a TRANSACTION embedding the previous message -> Bank verifies that it was the signer in #2, finds the record associated with the unique identifier, and that's about it.


By securely embedding related messages in each other (aka "Russian doll"), there is no need for external references to previous messages.


Received on Tuesday, 30 June 2020 05:11:21 UTC
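
The two-phase exchange described in the message above, as an added example (not part of the original e-mail and not Saturn or JSF code). Assumptions: HMAC-SHA256 stands in for JSF's signatures, canonicalization covers only the RFC 8785 subset of ASCII keys with string and integer values, and all field names and keys are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. HMAC-SHA256 is a stand-in for JSF's asymmetric signatures.
MERCHANT_KEY = b"constructed-merchant-key"
BANK_KEY = b"constructed-bank-key"
RESERVATIONS = {}  # bank-side state: unique identifier -> reserved amount


def canonical(obj):
    # RFC 8785 subset: sorted keys, no whitespace, UTF-8 output.
    # Only valid here for ASCII keys and string/integer values.
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def sign(obj, key):
    # The signature covers every property except "signature" itself,
    # so embedded (already signed) messages are covered too.
    body = {k: v for k, v in obj.items() if k != "signature"}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": mac}


def verify(obj, key):
    if not isinstance(obj, dict) or not isinstance(obj.get("signature"), str):
        return False
    expected = sign(obj, key)["signature"]
    return hmac.compare_digest(expected.encode(), obj["signature"].encode())


def bank_reserve(request):
    # Steps 1-2: check the merchant's request, store a record, counter-sign.
    if not verify(request, MERCHANT_KEY):
        raise ValueError("bad merchant signature")
    rid = secrets.token_hex(8)
    RESERVATIONS[rid] = request["amount"]
    return sign({"type": "AUTHORIZATION", "id": rid, "request": request}, BANK_KEY)


def bank_transact(tx):
    # Step 3: the bank checks its own signature on the embedded authorization,
    # then looks up the record. Assumption: a reservation can be used once.
    auth = tx.get("authorization")
    if not verify(tx, MERCHANT_KEY) or not verify(auth, BANK_KEY):
        return False
    return RESERVATIONS.pop(auth["id"], None) is not None
```

Because the authorization embeds the original request under the bank's signature, the bank needs only the identifier lookup to tie the transaction back to the reservation.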
