W3C home > Mailing lists > Public > public-webpayments-ig@w3.org > July 2017

Re: JSON Signatures in OpenBanking (UK)

From: Kim Hamilton <kimdhamilton@gmail.com>
Date: Sat, 08 Jul 2017 20:04:02 +0000
Message-ID: <CAFmmOzf923GYhmehFLuGVvAu=w9-0Aq-bd=bMN2v6R6ntJ1VgA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments IG <public-webpayments-ig@w3.org>
We're about to release a paper on this topic originating out of last
Rebooting Web of Trust. Manu developed an approach reconciling LD
signatures with JWS. The approach uses the unencoded payload option (also
detached), enabled by RFC7797 (https://tools.ietf.org/html/rfc7797).

The LD signature suite is called RSA Signature Suite 2017 (

The paper describing the approach and implementation is in draft form
below, but will soon be released in final form

-- Kim

On Sat, Jul 8, 2017 at 4:25 AM Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> Maybe of interest to the Security Task Force:
> https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-0-0/#basics-headers
> Apparently they use a signature based on a detached JWS supplied as a
> header parameter and where the data to be signed is simply the HTTP body
> "as is".
> So at this stage we have not less than three entirely different ways of
> dealing with signed JSON:
> - OpenBanking(UK) as described above
> - The Linked Data Signature scheme (initially) created by Digitalbazaar
> and adopted by the Verified Credentials CG:
> https://github.com/w3c-dvcg/ld-signatures
> - My JSON Cleartext Signature scheme:
> https://cyberphone.github.io/doc/security/jcs.html
> Anders
Received on Saturday, 8 July 2017 20:04:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:08:59 UTC