"Signed JSON". Was: [Agenda] Tokenization task force call on 12 December

On 2017-12-14 21:15, Matt Saxon wrote:
> So you are happy with the concepts, 
> but you’d like a different encoding method for the signatures?

If concepts mean "Who is signing What and Why?" that's a different issue than how you express "Signed JSON". The latter is a generic problem which (IMO) still lacks an [acceptable] solution:
https://www.ietf.org/mail-archive/web/jose/current/msg05705.html

BTW, feel free to support this open request (or create one of your own) on the JOSE list.  It is probably "now or never".

F.Y.I. There is at this very moment a new (yet unpublished) proposal in the works combining an almost unmodified JWS with ES6+ JSON serialization (JSON.parse & JSON.stringify).  Since ES6+ is available in some of the most widespread software packages there are, including Chrome, Firefox, Safari, and Node.js, there is no need to start from zero.

Here is a little "teaser" from this Internet-Draft, where "iss", "exp", and "http://example.com/is_root" represent signed application data:

   {
     "iss":"joe",
     "exp":1300819380,
     "http://example.com/is_root":true,
     "signature": {
       "alg": "ES256",
       "jwk": {
         "kty": "EC",
         "crv": "P-256",
         "x": "_gow8fcS3Dx9z6j57U5q8tunnRBdrgLU9A7CZTYCnqU",
         "y": "bdfJGraBVL5aPj38TG4tHwxpU2VKwG1XBp0wQfCLOFQ"
       },
       "value": "aRx2MQyCGVOZGViAC_7bEDUp8_CGO1kU1l7Lvp1FHx4qBiPkGs9Z7TKGK774XLTGwaCfUtd1VrscabQhmArCxA"
     }
   }

> What is the view on this, if we could/should support multiple approaches?

I hope that you as well as the rest of the world do not have to support different technical approaches for solving the same conceptual problem(s).

thanx,
Anders

> 
> Sent from my iPhone
> 
>> On 12 Dec 2017, at 06:23, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>>> On 2017-12-11 22:07, Matt Saxon wrote:
>>> Anders,
>>> I understand your point and it will be addressed when we get further into the proposal.
>>> At the moment, we are trying to get agreement to the principles, not the detailed encoding format.
>>> As you suggest we will need to address the encoding of signed data, but I don’t believe this interferes with the principles.
>>
>> Right.  However, Base64Url-encoding signed JSON data violently interferes with my "esthetics" :-)
>>
>> I'm not [at all] alone in thinking that.
>>
>> JSON-LD Signatures by Manu Sporny and the credentials folks:
>> https://w3c-dvcg.github.io/ld-signatures/
>>
>> JCS (JSON Cleartext Signature) by yours truly, here presented in an on-line test/demo setup:
>> https://mobilepki.org/jcs/home
>>
>> These schemes are reusing parts of the JOSE stack but are actually quite different.
>>
>> Shameless plug: JCS builds on JWK + JWA + ES6 + "New Stuff".  JCS only needs JSON.parse() and JSON.stringify() for processing.  In addition, JCS permits signatures to be expressed as JavaScript objects.
>>
>> Regards,
>> Anders
>>
>>
>>> Regards,
>>> Matt
>>> Sent from my iPhone
>>>> On 11 Dec 2017, at 18:51, Ian Jacobs <ij@w3.org> wrote:
>>>>
>>

Received on Friday, 15 December 2017 06:41:02 UTC
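
The cleartext-signature layout shown in the teaser above, as an added Node.js example that is not part of the original message, the Internet-Draft, or JCS. Assumptions: the signed bytes are `JSON.stringify()` of the object with `signature.value` absent, `signJson` and `verifyJson` are hypothetical names, and the key pair is generated for the demo.

```javascript
// Added illustration; not code from the Internet-Draft or from JCS.
const crypto = require('crypto');
const P1363 = 'ieee-p1363'; // raw R||S signature encoding, as JWS ES256 uses

// Assumption: the signed bytes are JSON.stringify() of the whole object with
// "signature" present but its "value" property absent (ES6 property order).
function signJson(data, privateKey, publicKey) {
  const { kty, crv, x, y } = publicKey.export({ format: 'jwk' });
  const obj = { ...data, signature: { alg: 'ES256', jwk: { kty, crv, x, y } } };
  const sig = crypto.sign('sha256', Buffer.from(JSON.stringify(obj)),
    { key: privateKey, dsaEncoding: P1363 });
  obj.signature.value = sig.toString('base64url');
  return obj;
}

// Returns true only if the text verifies under a key the caller already trusts.
// The embedded "jwk" is attacker-controlled input, so it is compared, not used.
function verifyJson(text, trustedJwk) {
  try {
    const obj = JSON.parse(text); // whitespace and number spelling vanish here
    const { value, ...rest } = obj.signature;
    if (rest.alg !== 'ES256' || typeof value !== 'string') return false;
    if (rest.jwk.x !== trustedJwk.x || rest.jwk.y !== trustedJwk.y) return false;
    obj.signature = rest; // reassignment keeps the property's position
    const key = crypto.createPublicKey({ key: trustedJwk, format: 'jwk' });
    return crypto.verify('sha256', Buffer.from(JSON.stringify(obj)),
      { key, dsaEncoding: P1363 }, Buffer.from(value, 'base64url'));
  } catch {
    return false; // malformed JSON, missing "signature", bad key material
  }
}

// Constructed demo: fresh key pair, claims copied from the teaser.
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const signed = signJson(
  { iss: 'joe', exp: 1300819380, 'http://example.com/is_root': true },
  privateKey, publicKey);
const pretty = JSON.stringify(signed, null, 2);
console.log(pretty);
console.log('verifies:', verifyJson(pretty, signed.signature.jwk));
```

Under this assumed rule the property order is part of the signed bytes, so a relay that reorders properties breaks the signature even though re-indenting does not.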