- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 7 Jun 2018 08:06:14 +0200
- To: Web Payments Working Group <public-payments-wg@w3.org>
Dear List,

Several efforts have been initiated in order to create a more JSON-friendly signature scheme where the data to be signed would remain in JSON format rather than being Base64Url-encoded.

However, it turns out that there is no real interest within the IETF to pursue such ideas, effectively leaving the payment WG with a single standardized solution: a JWS (https://tools.ietf.org/html/rfc7515) object supplied in a dedicated property containing the API data to be signed encoded in Base64Url (since the API cannot be Base64Url-encoded, the data has to be repeated).

Signature validation will thus require an additional step: verification that the actual API data and the data embedded in the JWS object are identical. Exactly how that (non-standard) comparison is to be carried out will be a bit of a challenge since there is no guaranteed property order in JSON or exact serialization of data like strings and numbers.

Cheers,
Anders
Received on Thursday, 7 June 2018 06:06:43 UTC
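
The extra validation step described in the message, as an added example that is not part of the original post or of any Web Payments specification. The `jws` property name, the HS256 key, the sample payment data and the `same_json` comparison rule are assumptions made for illustration; HS256 is used only because it needs nothing beyond the standard library.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key: bytes, header: str, body: str) -> bytes:
    return hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()

def sign(payload: bytes, key: bytes) -> str:
    """Compact JWS (RFC 7515) over the signer's exact payload bytes."""
    header, body = b64u(b'{"alg":"HS256"}'), b64u(payload)
    return f"{header}.{body}.{b64u(mac(key, header, body))}"

def same_json(a, b) -> bool:
    """Value comparison: key order ignored, 100 equals 1e2, but true is not 1."""
    if isinstance(a, bool) or isinstance(b, bool):
        return isinstance(a, bool) and isinstance(b, bool) and a == b
    if isinstance(a, (int, float)) and isinstance(b, (int, float)):
        return a == b
    if isinstance(a, dict) and isinstance(b, dict):
        return a.keys() == b.keys() and all(same_json(a[k], b[k]) for k in a)
    if isinstance(a, list) and isinstance(b, list):
        return len(a) == len(b) and all(map(same_json, a, b))
    return type(a) is type(b) and a == b

def check(message_text: str, key: bytes) -> dict:
    """Verify the JWS in the assumed "jws" property, then compare both data copies."""
    api = json.loads(message_text)
    header, body, tag = api.pop("jws").split(".")
    fail = dict.fromkeys(("signature", "bytes", "values"), False)
    # Pin the algorithm and check the MAC in constant time before trusting the payload.
    if json.loads(b64u_dec(header)) != {"alg": "HS256"} or \
       not hmac.compare_digest(mac(key, header, body), b64u_dec(tag)):
        return fail
    signed_bytes = b64u_dec(body)
    reserialized = json.dumps(api, separators=(",", ":"), ensure_ascii=False).encode()
    return {"signature": True,
            "bytes": reserialized == signed_bytes,          # brittle byte comparison
            "values": same_json(api, json.loads(signed_bytes))}

# Constructed sample data: same values, different property order and serialization.
KEY = b"constructed-demo-key"
SIGNED = b'{"amount":100,"currency":"EUR","payee":"Caf\\u00e9"}'
MESSAGE = '{"payee":"Caf\u00e9","currency":"EUR","amount":1e2,"jws":"%s"}' % sign(SIGNED, KEY)
TAMPERED = MESSAGE.replace('"amount":1e2', '"amount":1e3')  # outer copy altered only
```

For `TAMPERED` the JWS itself still verifies, so only the value comparison reveals that the API data no longer matches what was signed.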