
Re: [Agenda] Tokenization task force call on 12 December

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 15 Dec 2017 18:20:26 +0100
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Matt Saxon <matt.saxon@gmail.com>, Ian Jacobs <ij@w3.org>, Payments WG <public-payments-wg@w3.org>, "Ahuja, Sachin" <Sachin.Ahuja@mastercard.com>
Message-ID: <28dc97c5-98a9-c8c2-242f-abfbfcd29b34@gmail.com>

On 2017-12-15 15:28, Adrian Hope-Bailie wrote:
<snip>
> I would suggest we have a profile of JWS that:
> 
> 1. Rejects unsignedData. (i.e. There is only the encoded binary version so developers can't mistakenly use the clear text without verifying it matches the binary data that was signed.)

I interpreted the W3C writeup as suggesting two separate data sets, one signed and one unsigned.

Using JWS, signed data would indeed only be supplied in the JWS base64/binary blob.

It wouldn't even be possible to perform a matching process with externally supplied clear text data without also solving the problem that was the reason for mandating base64 in the first place :-)

> 2. Has a limited set of allowed algorithms

Right on!

thanx,
Anders
Received on Friday, 15 December 2017 17:20:56 UTC
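
The profile discussed in this thread (signed data carried only inside the JWS blob, plus a fixed algorithm allow-list) can be sketched as follows; this is an added example, not part of the original message or of any W3C specification. The `{"jws": ...}` wrapper, the function names and the HS256-only allow-list are assumptions chosen so the block runs on the Python standard library; the thread does not name specific algorithms.

```python
import base64, hashlib, hmac, json

# Assumption: the profile's allow-list. The thread names no algorithms.
ALLOWED_ALGS = {"HS256"}

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_compact(payload_obj, key, alg="HS256"):
    """Build a constructed sample token in JWS compact form (HS256 only)."""
    header = b64u_encode(json.dumps({"alg": alg}).encode())
    payload = b64u_encode(json.dumps(payload_obj).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u_encode(mac)}"

def verify_profiled_jws(message, key):
    """Return the signed payload, or raise ValueError.

    `message` is a hypothetical wire format: {"jws": "<compact JWS>"}.
    """
    if set(message) != {"jws"}:
        # Profile rule 1: no clear-text copy travels beside the signed blob.
        raise ValueError("unexpected members beside 'jws'")
    try:
        header_b64, payload_b64, sig_b64 = message["jws"].split(".")
        header = json.loads(b64u_decode(header_b64))
        sig = b64u_decode(sig_b64)
    except (ValueError, AttributeError) as e:
        raise ValueError("malformed JWS") from e
    # Profile rule 2: check alg against the allow-list before any crypto.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # The only payload the caller sees is decoded from the verified bytes.
    return json.loads(b64u_decode(payload_b64))
```

Because the verifier returns the payload itself, calling code has no clear-text field to read by mistake, and a header asking for `none` or any unlisted algorithm is rejected before a signature check is attempted.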
