- From: Kim Hamilton <kimdhamilton@gmail.com>
- Date: Sat, 08 Jul 2017 20:04:02 +0000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CAFmmOzf923GYhmehFLuGVvAu=w9-0Aq-bd=bMN2v6R6ntJ1VgA@mail.gmail.com>

We're about to release a paper on this topic originating out of last Rebooting Web of Trust. Manu developed an approach reconciling LD signatures with JWS.

The approach uses the unencoded payload option (also detached), enabled by RFC7797 (https://tools.ietf.org/html/rfc7797). The LD signature suite is called RSA Signature Suite 2017 (https://w3c-dvcg.github.io/lds-rsa2017/).

The paper describing the approach and implementation is in draft form below, but will soon be released in final form:
https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2017/blob/master/event-documents/group-abstracts/SignatureAlignmentAbstract.md

-- Kim

On Sat, Jul 8, 2017 at 4:25 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> Maybe of interest to the Security Task Force:
>
> https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-0-0/#basics-headers
>
> Apparently they use a signature based on a detached JWS supplied as a
> header parameter and where the data to be signed is simply the HTTP body
> "as is".
>
> So at this stage we have not less than three entirely different ways of
> dealing with signed JSON:
>
> - OpenBanking(UK) as described above
>
> - The Linked Data Signature scheme (initially) created by Digitalbazaar
>   and adopted by the Verified Credentials CG:
>   https://github.com/w3c-dvcg/ld-signatures
>
> - My JSON Cleartext Signature scheme:
>   https://cyberphone.github.io/doc/security/jcs.html
>
> Anders

Received on Saturday, 8 July 2017 20:04:46 UTC