- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 30 Jun 2020 07:11:02 +0200
- To: Web Payments Working Group <public-payments-wg@w3.org>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
https://www.rfc-editor.org/rfc/rfc8785

In case you would like to test what you can do with JSON canonicalization, there are two public Web applications at your disposal:

Using JWS: https://mobilepki.org/jws-jcs

Using an "unwrapped" JWS called Java Signature Format (JSF): https://mobilepki.org/jsf-lab

A real-world implementation from OWASP using JSF: https://cyclonedx.org/use-cases/#authenticity

In Saturn, JSF is not only a security solution, it is also used for counter-signatures to simplify state-holding in payment systems. That is, a two-phase payment works as follows:

Merchant - Bank
1. Signed request for a RESERVATION -> Create and store a unique identifier in a reservation-record
2. <- Return signed authorization embedding the request as well as the unique identifier.
3. Signed request for a TRANSACTION embedding the previous message -> Bank verifies that it was the signer in #2, finds the record associated with the unique identifier, and that's about it.

https://cyberphone.github.io/doc/saturn/hybrid-payment.html#6

By securely embedding related messages in each other (aka "Russian doll"), there is no need for external references to previous messages.

Enjoy!

Anders
Received on Tuesday, 30 June 2020 05:11:19 UTC
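Added worked example (not code from the message above, from Saturn, JSF, or the mobilepki.org demos): a small RFC 8785 (JCS) canonicalizer, an "unwrapped" signature object embedded in the signed document the way JSF does it, and the three-step reservation/authorization/transaction exchange in which each message embeds the one it answers, so the bank keeps only the reservation record. Assumptions made to keep it stand-alone and offline: HMAC-SHA256 with constructed per-party keys stands in for the asymmetric JWS/JSF signatures; only integer JSON numbers are handled (the ES6 number formatting of RFC 8785 is omitted); and the property names "signature", "signer", "value", "reservationId" and "authorization" are invented here.

```python
"""RFC 8785 canonicalization plus a "Russian doll" two-phase payment.

Added illustration, not Saturn/JSF code.  Assumptions: HMAC-SHA256 with
constructed keys instead of real JWS/JSF signatures; integer-only numbers
(amounts in minor units); invented property names.
"""
import hashlib
import hmac
import secrets

_SHORT_ESCAPES = {'"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
                  '\n': '\\n', '\r': '\\r', '\t': '\\t'}


def _json_string(s: str) -> str:
    """RFC 8785 string rule: escape only '"', '\\' and control characters
    (short forms where defined, \\u00xx lowercase otherwise); everything
    else, non-ASCII included, is emitted literally."""
    out = []
    for ch in s:
        if ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return '"' + ''.join(out) + '"'


def canonicalize(value) -> str:
    """Serialize per RFC 8785: no whitespace, object members sorted by the
    UTF-16 code units of their names, applied recursively."""
    if value is None:
        return 'null'
    if isinstance(value, bool):          # must precede the int check
        return 'true' if value else 'false'
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        raise ValueError('floats are not supported by this example')
    if isinstance(value, str):
        return _json_string(value)
    if isinstance(value, (list, tuple)):
        return '[' + ','.join(canonicalize(v) for v in value) + ']'
    if isinstance(value, dict):
        members = sorted(value.items(), key=lambda kv: kv[0].encode('utf-16-be'))
        return '{' + ','.join(_json_string(k) + ':' + canonicalize(v)
                              for k, v in members) + '}'
    raise TypeError('unsupported type: %s' % type(value).__name__)


# Constructed demo keys; with JSF these would be the parties' private keys.
KEYS = {'merchant': b'merchant-demo-key', 'bank': b'bank-demo-key'}


def _mac(signer: str, doc: dict) -> str:
    return hmac.new(KEYS[signer], canonicalize(doc).encode('utf-8'),
                    hashlib.sha256).hexdigest()


def sign(doc: dict, signer: str) -> dict:
    """Return a copy of `doc` with an "unwrapped" signature object.  As in
    JSF, the signature object minus its "value" is part of the signed data,
    so the signer identity is covered by the signature."""
    signed = dict(doc)
    signed['signature'] = {'signer': signer}
    value = _mac(signer, signed)
    signed['signature'] = {'signer': signer, 'value': value}
    return signed


def verify(doc: dict, expected_signer: str) -> bool:
    """The verifier chooses the key from its own expectation; the untrusted
    "signer" field only has to agree with it."""
    sig = doc.get('signature')
    if not isinstance(sig, dict) or sig.get('signer') != expected_signer:
        return False
    unsigned = dict(doc)
    unsigned['signature'] = {k: v for k, v in sig.items() if k != 'value'}
    return hmac.compare_digest(_mac(expected_signer, unsigned),
                               str(sig.get('value', '')))


class Bank:
    """Keeps one record per reservation; all other context travels inside
    the messages themselves."""

    def __init__(self):
        self.reservations = {}   # reservation id -> reserved amount

    def reserve(self, request: dict) -> dict:
        # Steps 1-2: check the merchant's signed request, store a record,
        # return a signed authorization embedding the request and the id.
        if not verify(request, 'merchant'):
            raise ValueError('bad merchant signature on reservation request')
        rid = secrets.token_hex(8)
        self.reservations[rid] = request['amount']
        return sign({'type': 'Authorization', 'reservationId': rid,
                     'request': request}, 'bank')

    def transact(self, transaction: dict) -> str:
        # Step 3: the transaction embeds the authorization; the bank checks
        # its own signature on it, then looks up the record by the id.
        if not verify(transaction, 'merchant'):
            raise ValueError('bad merchant signature on transaction')
        auth = transaction['authorization']
        if not verify(auth, 'bank'):
            raise ValueError('embedded authorization was not signed by this bank')
        reserved = self.reservations.pop(auth['reservationId'], None)  # single use
        if reserved is None:
            raise ValueError('unknown or already consumed reservation')
        if transaction['amount'] > reserved:   # extra check, beyond the message's list
            raise ValueError('transaction exceeds reserved amount')
        return auth['reservationId']


def run_flow(amount: int = 4250) -> str:
    """Both sides of the exchange; returns the consumed reservation id."""
    bank = Bank()
    request = sign({'type': 'Reservation', 'amount': amount}, 'merchant')
    authorization = bank.reserve(request)
    transaction = sign({'type': 'Transaction', 'amount': amount,
                        'authorization': authorization}, 'merchant')
    rid = bank.transact(transaction)
    assert rid not in bank.reservations
    return rid


if __name__ == '__main__':
    print('consumed reservation', run_flow())
```

The point worth noticing is in `Bank.transact`: because the authorization the bank issued is carried inside the transaction and still verifies under the bank's own key, the bank needs no stored copy of it, only the reservation record keyed by the identifier it minted. Any edit to the embedded message, including swapping in a different reservation id, breaks the inner signature before the lookup is ever attempted.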