
IETF JSON Signature Options

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 7 Jun 2018 08:06:14 +0200
To: Web Payments Working Group <public-payments-wg@w3.org>
Message-ID: <2643959d-1497-53c0-d1d9-a0c66ca6ab15@gmail.com>
Dear List,

Several efforts have been initiated in order to create a more JSON-friendly signature scheme where the data to be signed would remain in JSON format rather than being Base64Url-encoded.

However, it turns out that there is no real interest within the IETF to pursue such ideas, effectively leaving the payment WG with a single standardized solution:

JWS (https://tools.ietf.org/html/rfc7515) object supplied in a dedicated property containing the API data to be signed encoded in Base64Url (since the API cannot be Base64Url-encoded, the data has to be repeated).

Signature validation will thus require an additional step: verification that the actual API data and the data embedded in the JWS object are identical. Exactly how that (non-standard) comparison is to be carried out will be a bit of a challenge since there is no guaranteed property order in JSON or exact serialization of data like strings and numbers.

Cheers,
Anders
Received on Thursday, 7 June 2018 06:06:43 UTC
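
The two-step validation described in the message, as an added example that is not part of the original post: the JWS is verified first, then its decoded payload is compared with the clear-text API data after parsing, so property order and number or string serialization differences do not matter. The property name `jws`, the HS256 shared key and the `json_equal` rules are assumptions for illustration, since the message notes that this comparison is not standardized.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: bytes, key: bytes) -> str:
    """JWS compact serialization (RFC 7515) using HMAC-SHA256."""
    signing_input = b64u(b'{"alg":"HS256"}') + "." + b64u(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

def json_equal(a, b) -> bool:
    """Compare parsed JSON: key order ignored, 1 == 1.0, but true != 1."""
    if isinstance(a, bool) or isinstance(b, bool):
        return a is b  # Python treats True == 1; JSON does not
    if isinstance(a, dict) and isinstance(b, dict):
        return a.keys() == b.keys() and all(json_equal(a[k], b[k]) for k in a)
    if isinstance(a, list) and isinstance(b, list):
        return len(a) == len(b) and all(map(json_equal, a, b))
    return a == b

def verify_message(message: dict, key: bytes, sig_prop: str = "jws") -> bool:
    """Step 1: verify the JWS. Step 2: compare its payload with the API data."""
    jws = message.get(sig_prop)
    if not isinstance(jws, str) or jws.count(".") != 2:
        return False
    header_b64, payload_b64, sig_b64 = jws.split(".")
    try:
        header = json.loads(b64u_dec(header_b64))
        signed = json.loads(b64u_dec(payload_b64))
        signature = b64u_dec(sig_b64)
    except ValueError:  # bad Base64Url, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # algorithm is pinned by the verifier, not chosen by the header
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False
    outer = {k: v for k, v in message.items() if k != sig_prop}
    return json_equal(outer, signed)  # the extra, non-standard step

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key and data
    jws = sign_hs256(b'{"amount":"10.00","currency":"EUR","count":1}', key)
    received = json.loads('{"count":1.0,"currency":"\\u0045UR","amount":"10.00"}')
    received["jws"] = jws
    print(verify_message(received, key))  # same data, different serialization
```

A parsed comparison like this still leaves open questions such as duplicate property names and numbers beyond double precision, which each deployment would have to settle.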
