Re: [Agenda] Tokenization task force call on 12 December

On 2017-12-15 15:28, Adrian Hope-Bailie wrote:
> I would suggest we have a profile of JWS that:
> 1. Rejects unsignedData. (i.e. There is only the encoded binary version so developers can't mistakenly use the clear text without verifying it matches the binary data that was signed.)

I interpreted the W3C writeup as suggesting two separate data sets, one signed and one unsigned.

Using JWS, signed data would indeed only be supplied in the JWS base64/binary blob.

It wouldn't even be possible performing a matching process with externally supplied clear text data without also solving the problem that was the reason for mandating base64 in the first place :-)

> 2. Has a limited set of allowed algorithms

Right on!


Received on Friday, 15 December 2017 17:20:56 UTC