RFC 8785 - JSON Canonicalization Scheme

https://www.rfc-editor.org/rfc/rfc8785

In case you would like to test what you can do with JSON canonicalization, there are two public Web applications at your disposal:
Using JWS: https://mobilepki.org/jws-jcs
Using an "unwrapped" JWS called Java Signature Format (JSF): https://mobilepki.org/jsf-lab

A real-world implementation from OWASP using JSF: https://cyclonedx.org/use-cases/#authenticity

In Saturn JSF is not only a security solution, it is also used for counter-signatures to simplify state-holding in payment systems.  That is, a two-phase payment works as follows:
Merchant - Bank

1. Signed request for a RESERVATION ->  Create and store a unique identifier in a reservation-record
2. <- Return signed authorization embedding the request as well as the unique identifier.
3. Signed request for a TRANSACTION embedding the previous message -> Bank verifies that it was the signer in #2, find the record associated with the unique identifier and that's about it.

https://cyberphone.github.io/doc/saturn/hybrid-payment.html#6

By securely embedding related messages in each other (aka "Russian doll"), there is no need for external references to previous messages.

Enjoy!

Anders

Received on Tuesday, 30 June 2020 05:11:19 UTC