Re: IETF JSON Signature Options

As far as I know we have not even definitively committed to JOSE. For
instance, we could choose to use COSE instead (where things are more
precisely specified). There are fewer COSE implementations, but that's
not necessarily an insuperable obstacle.

On 6/7/18 12:06 AM, Anders Rundgren wrote:
> Dear List,
> 
> Several efforts have been initiated in order to create a more
> JSON-friendly signature scheme where the data to be signed would remain
> in JSON format rather than being Base64Url-encoded.
> 
> However, it turns out that there is no real interest within the IETF to
> pursue such ideas, effectively leaving the payment WG with a single
> standardized solution:
> 
> JWS (https://tools.ietf.org/html/rfc7515) object supplied in a dedicated
> property containing the API data to be signed encoded in Base64Url
> (since the API cannot be Base64Url-encoded the data has to be repeated).
> 
> Signature validation will thus require an additional step: verification
> that the actual API data and the data embedded in the JWS object are
> identical.  Exactly how that (non-standard) comparison is to be carried
> out will be a bit of a challenge since there is no guaranteed property
> order in JSON or exact serialization of data like strings and numbers.
> 
> Cheers,
> Anders
> 

Received on Thursday, 7 June 2018 20:10:20 UTC