IETF JSON Signature Options

Dear List,

Several efforts have been initiated in order to create a more JSON-friendly signature scheme where the data to be signed would remain in JSON format rather than being Base64Url-encoded.

However, it turns out that there is no real interest within the IETF to pursue such ideas, effectively leaving the payment WG with a single standardized solution:

JWS (https://tools.ietf.org/html/rfc7515) object supplied in a dedicated property containing the API data to be signed encoded in Base64Url (since the API cannot be Base64Url-encoded the data has to be repeated).

Signature validation will thus require an additional step: verification that the actual API data and the data embedded in the JWS object are identical. Exactly how that (non-standard) comparison is to be carried out will be a bit of a challenge, since there is no guaranteed property order in JSON or exact serialization of data like strings and numbers.

Cheers,
Anders

Received on Thursday, 7 June 2018 06:06:43 UTC
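The scheme described in the message above, as an added example that is not part of the original post: a compact JWS (RFC 7515, `alg` HS256, HMAC with a shared secret) whose payload repeats the API data, followed by the extra, non-standard verification step of comparing the embedded copy against the clear-text API data. The API object, the key `DEMO_KEY` and the function names are constructed for this demonstration. It contrasts a byte-for-byte comparison of a re-serialization (which breaks as soon as property order changes) with a parse-then-compare check (which tolerates reordering but inherits the verifier's JSON parser's notion of equality for numbers and strings, which is exactly the open point the post raises).

```python
"""Added example (not from the original post): JWS with the API data repeated in
the payload, plus the comparison step needed when the data is also sent in clear."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment provisions the key out of band.
DEMO_KEY = b"demo-shared-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64Url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(payload: bytes, key: bytes) -> str:
    """Compact JWS serialization: header.payload.signature with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode("utf-8"))
    signing_input = f"{header}.{b64url_encode(payload)}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode('ascii')}.{b64url_encode(tag)}"


def verify_jws(jws: str, key: bytes) -> Optional[bytes]:
    """Return the payload bytes if the signature verifies, otherwise None."""
    try:
        header, payload, tag = jws.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None
        return b64url_decode(payload)
    except ValueError:  # malformed Base64Url, JSON or UTF-8
        return None


def build_request(api_data: dict, key: bytes) -> dict:
    """API message carrying the data in clear AND repeated inside the JWS payload."""
    payload = json.dumps(api_data).encode("utf-8")
    return {"api": api_data, "signature": make_jws(payload, key)}


def verify_request_bytewise(request: dict, key: bytes) -> bool:
    """Naive check: re-serialize the clear-text data and compare raw bytes."""
    payload = verify_jws(request["signature"], key)
    if payload is None:
        return False
    return payload == json.dumps(request["api"]).encode("utf-8")


def verify_request_structural(request: dict, key: bytes) -> bool:
    """Parse the embedded copy and compare parsed values (property order ignored)."""
    payload = verify_jws(request["signature"], key)
    if payload is None:
        return False
    try:
        return json.loads(payload) == request["api"]
    except ValueError:
        return False


def demo() -> dict:
    """Sign a constructed payment request, then verify it after reordering and tampering."""
    original = {"amount": "10.50", "currency": "EUR", "recipient": "merchant-42"}
    request = build_request(original, DEMO_KEY)
    # Same values, different property order (e.g. re-serialized by an intermediary).
    reordered = dict(request, api={"recipient": "merchant-42",
                                   "currency": "EUR", "amount": "10.50"})
    # Clear-text data altered while the JWS is left untouched.
    tampered = dict(request, api=dict(original, amount="99.00"))
    return {
        "bytes_ok": verify_request_bytewise(request, DEMO_KEY),
        "bytes_reordered": verify_request_bytewise(reordered, DEMO_KEY),
        "struct_reordered": verify_request_structural(reordered, DEMO_KEY),
        "struct_tampered": verify_request_structural(tampered, DEMO_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signature itself only covers the Base64Url payload, so a mismatch between the clear-text `api` object and the embedded copy is invisible to plain JWS verification; the receiver must do the comparison itself. The structural variant is the safer of the two shown, but it still depends on the receiving parser (here Python's `json`, where `1` and `1.0` compare equal, and strings are compared after Unicode decoding), so two implementations can disagree on "identical" unless the serialization rules are pinned down.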