[w3c/webpayments-methods-tokenization] Proposal for dealing with Signed and Unsigned data (#23)

This is actually an attempt at getting feedback on a generic proposal I'm working on. I believe that it could be used in your application as well...

The current scheme called [JCS](https://cyberphone.github.io/doc/security/jcs.html) offers clear text JSON signatures like this:
```json
{
    "merchantId": "m678",
    "amount": "23.45",
    "signature": {
        "algorithm": "ES256",
        "publicKey": {
            "kty": "EC",
            "crv": "P-256",
            "x": "PxlJQu9Q6dOvM4LKoZUh2XIe9-pdcLkvKfBfQk11Sb0",
            "y": "6IDquxrbdq5ABe4-HQ78_dhM6eEBUbvDtdqK31YfRP8"
        },
        "value": "i_7gV4ohCuhyXnWelbWgbqidJwvVUipnkL8Fc6JdqeLsUuo4Go9Ho-E3aS7EjQNoOYjOBo2SMpaTRjms3iPSUw"
    }
}
```
where `"merchantId"` and `"amount"` are signed.

The proposal for adding support for unsigned data (_without forcing the signed data to move one level down to a separate object_) is introducing an `"excluded"` property holding an array of properties that should be _excluded_ in the signature process:
```json
{
    "merchantId": "m678",
    "amount": "23.45",
    "someOtherData": "whatever",
    "signature": {
        "excluded": ["someOtherData"],
        "algorithm": "ES256",
        "publicKey": {
            "kty": "EC",
            "crv": "P-256",
            "x": "PxlJQu9Q6dOvM4LKoZUh2XIe9-pdcLkvKfBfQk11Sb0",
            "y": "6IDquxrbdq5ABe4-HQ78_dhM6eEBUbvDtdqK31YfRP8"
        },
        "value": "3WoTsrMNAyf3ayfHoE-H_W334Ef0N9lASbK_2IOiQVqRPAe0Ff0ibVJGHq37386sG8bDkS5E0pOhD7NaIKSegw"
    }
}
```

That is, the `"excluded"` property itself as well as the properties it refers to (here `"someOtherData"`) would be excluded from the signature canonicalization/normalization process.  You can safely delete them from the JSON object after consumption and the signature should validate anyway.

https://github.com/w3c/webpayments-methods-tokenization/issues/23

Received on Wednesday, 13 December 2017 05:30:18 UTC
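
The verification rule proposed in the message above, as an added example (not JCS reference code and not part of the original post). It assumes the canonical form is `JSON.stringify` of the object in its existing property order; the helper names `signedView`, `sign`, `verify` and `demo` are hypothetical, and the key is a throwaway generated at run time.

```javascript
const crypto = require('crypto');

// Assumed canonical form (the post does not spell it out): JSON.stringify of
// the object in its existing property order, minus the excluded properties,
// with "excluded" and "value" dropped from the "signature" object.
function signedView(obj) {
  const excluded = obj.signature.excluded || [];
  if (!Array.isArray(excluded) || excluded.includes('signature'))
    throw new Error('invalid "excluded" list');
  const view = {};
  for (const [name, val] of Object.entries(obj)) {
    if (name === 'signature') {
      const { excluded: _e, value: _v, ...rest } = val;
      view[name] = rest;
    } else if (!excluded.includes(name)) view[name] = val;
  }
  return view;
}

function sign(obj, excluded, privateKey, publicJwk) {
  const out = { ...obj, signature: { excluded, algorithm: 'ES256', publicKey: publicJwk } };
  const data = Buffer.from(JSON.stringify(signedView(out)));
  out.signature.value = crypto
    .sign('sha256', data, { key: privateKey, dsaEncoding: 'ieee-p1363' })
    .toString('base64url');
  return out;
}

// Returns only the authenticated properties, or null if the signature fails.
// The caller still has to decide whether the embedded publicKey is trusted.
function verify(obj) {
  const key = crypto.createPublicKey({ key: obj.signature.publicKey, format: 'jwk' });
  const view = signedView(obj);
  const ok = crypto.verify('sha256', Buffer.from(JSON.stringify(view)),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(obj.signature.value, 'base64url'));
  if (!ok) return null;
  delete view.signature;
  return view;
}

// Constructed demo with a throwaway key; values mirror the post's sample object.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const doc = sign({ merchantId: 'm678', amount: '23.45', someOtherData: 'whatever' },
    ['someOtherData'], privateKey, publicKey.export({ format: 'jwk' }));
  const copy = () => JSON.parse(JSON.stringify(doc));
  const stripped = copy(); delete stripped.someOtherData; delete stripped.signature.excluded;
  const swapped = copy(); swapped.someOtherData = 'attacker text';
  const forged = copy(); forged.amount = '0.01'; forged.signature.excluded.push('amount');
  return { full: verify(doc), stripped: verify(stripped), swapped: verify(swapped), forged: verify(forged) };
}
```

Because `verify` hands back only the signed view, a consumer never mistakes `someOtherData` for authenticated input: the `swapped` case validates with altered unsigned text, while the `forged` case, which tries to move `amount` into `"excluded"`, is rejected.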