Signing JavaScript/JSON business messages - Two different approaches from Anders Rundgren on 2016-01-14 (public-webpayments-ig@w3.org from January 2016)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 14 Jan 2016 07:50:38 +0100
To: Web Payments IG <public-webpayments-ig@w3.org>
Message-ID: <5697453E.4090607@gmail.com>

The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done.

JCS was developed to match information-rich, multi-signature schemes like
https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
and similar.  JCS has recently been upgraded to match ECMAScript revision 6.


JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode

var signedObject = {
     // The data
     statement: "Hello signed world!",
     otherProperties: [2000, true],
     // The signature
     signature: {
         algorithm: "ES256",
         publicKey: {
             type: "EC",
             curve: "P-256",
             x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
             y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
         },
         value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
     }
};


JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt

var signedObject = {
     "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
     "protected": "eyJhbGciOiJFUzI1NiJ9",
     "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q"
};



Anders

Received on Thursday, 14 January 2016 06:51:19 UTC