- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 15 Dec 2017 18:20:26 +0100
- To: Adrian Hope-Bailie <adrian@hopebailie.com>
- Cc: Matt Saxon <matt.saxon@gmail.com>, Ian Jacobs <ij@w3.org>, Payments WG <public-payments-wg@w3.org>, "Ahuja, Sachin" <Sachin.Ahuja@mastercard.com>
On 2017-12-15 15:28, Adrian Hope-Bailie wrote:
<snip>
> I would suggest we have a profile of JWS that:
>
> 1. Rejects unsignedData. (i.e. There is only the encoded binary version so developers can't mistakenly use the clear text without verifying it matches the binary data that was signed.)

I interpreted the W3C writeup as suggesting two separate data sets, one signed and one unsigned. Using JWS, signed data would indeed only be supplied in the JWS base64/binary blob. It wouldn't even be possible to perform a matching process with externally supplied clear text data without also solving the problem that was the reason for mandating base64 in the first place :-)

> 2. Has a limited set of allowed algorithms

Right on!

thanx,
Anders
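A verifier that implements both points of the proposed profile (payload taken only from the signed base64url segment, and an explicit algorithm allow-list), as an added example that is not from this thread nor from any W3C or JOSE library; the HS256 choice, the key and the sample payment payload are assumptions made for the example:

```python
import base64
import hashlib
import hmac
import json

# Constructed example. Only algorithms listed here are accepted, so a
# header carrying "none" or an unexpected algorithm is rejected outright.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over the payload."""
    header = b64url_encode(b'{"alg":"HS256"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jws(token: str, key: bytes) -> dict:
    """Return the signed payload or raise ValueError.

    There is deliberately no parameter for caller-supplied clear text:
    the only data handed back is decoded from the segment that was signed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, b, s = parts
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} not allowed")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature does not match signed data")
    return json.loads(b64url_decode(b))


def is_valid(token: str, key: bytes) -> bool:
    """Boolean wrapper around verify_jws for callers that only need accept/reject."""
    try:
        verify_jws(token, key)
        return True
    except ValueError:
        return False
```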
Received on Friday, 15 December 2017 17:20:56 UTC