On 2017-12-15 15:28, Adrian Hope-Bailie wrote:
<snip>
> I would suggest we have a profile of JWS that:
>
> 1. Rejects unsignedData. (i.e. There is only the encoded binary version so developers can't mistakenly use the clear text without verifying it matches the binary data that was signed.)

I interpreted the W3C writeup as suggesting two separate data sets, one signed and one unsigned.

Using JWS, signed data would indeed only be supplied in the JWS base64/binary blob. It wouldn't even be possible to perform a matching process with externally supplied clear text data without also solving the problem that was the reason for mandating base64 in the first place :-)

> 2. Has a limited set of allowed algorithms

Right on!

thanx,
Anders

Received on Friday, 15 December 2017 17:20:56 UTC
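The two profile rules discussed in this message, sketched as an added example that is not part of the original e-mail or of any W3C or IETF text: a compact-JWS verifier that accepts only allowlisted algorithms and returns the payload only from the signed base64url segment. The choice of HS256, the rejection of detached payloads and of the RFC 7797 `b64`/`crit` headers, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumed profile: a closed allowlist; "none" and everything else is rejected.
ALLOWED_ALGS = {"HS256": hashlib.sha256}

class JWSProfileError(Exception):
    pass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS (HMAC-SHA256) for the constructed test inputs."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify(token: str, key: bytes) -> dict:
    """Return the payload decoded from the signed blob, or raise JWSProfileError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSProfileError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    if not payload_b64:
        raise JWSProfileError("detached payload is outside the profile")
    try:
        header = json.loads(b64url_decode(header_b64))
        alg = header.get("alg") if isinstance(header, dict) else None
        if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
            raise JWSProfileError("algorithm not in allowlist")
        if "b64" in header or "crit" in header:
            raise JWSProfileError("unencoded-payload/critical headers rejected")
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, ALLOWED_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise JWSProfileError("signature mismatch")
        # Only now is the payload decoded, and only from the bytes that were signed.
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # bad base64, bad JSON, non-ASCII segment
        raise JWSProfileError("malformed JWS") from exc
```

Because `verify` has no parameter for externally supplied clear text, a caller cannot use a copy of the data that was not covered by the signature.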