- From: Anders Rundgren <notifications@github.com>
- Date: Sat, 19 May 2018 20:23:14 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/payment-request/issues/714@github.com>
Assume you have a PaymentRequest object like the following:
```js
{
  supportedMethods: "https://example.com/bobpay",
  data: {
    merchantIdentifier: "XXXX",
    bobPaySpecificField: true
  }
}
```
If such data needs to be signed, there is currently no standardized method for signing JSON data except through Base64Url-encoding the entire object, which is in conflict with the API concept.
It would be cool to add an element containing a detached JWS signature like this:
```js
{
  supportedMethods: "https://example.com/bobpay",
  data: {
    merchantIdentifier: "XXXX",
    bobPaySpecificField: true,
    signature: "eyJ0eXAiOiJKV1QiLA0KIC.S9pc19yb290Ijp0cnVlfQ.VP-mB92K1p1r_wWWFOEjXk"
  }
}
```
Unfortunately that doesn't really work because _the order of JSON properties is undefined_.
However, a recently published (draft) specification can be used as a bridge between detached JWS and clear text JSON/JavaScript data:
1. Apply https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-00 to a _JSON-serialized_ version of the object to be signed
2. Apply https://tools.ietf.org/html/rfc7515#appendix-F to the result of the above operation
3. Add the resulting compact JWS to the original object through a new property like the sample's `signature`
https://github.com/cyberphone/json-canonicalization#json-canonicalization
Received on Sunday, 20 May 2018 03:23:38 UTC
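
The three steps listed in the message above, as an added Node.js example that is not part of the original message or of the linked project. It assumes HS256 with a shared key, hypothetical helper names (`canonicalize`, `signData`, `verifyData`), and a simplified canonicalizer (recursive key sort plus `JSON.stringify`) standing in for the draft's full scheme.

```javascript
const { createHmac, timingSafeEqual } = require("crypto");

// Simplified JCS-style canonicalization (not the draft's reference code): keys sorted
// recursively, no whitespace, primitives serialized by JSON.stringify.
function canonicalize(value) {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  return "{" + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
}

const b64u = (input) => Buffer.from(input).toString("base64url");
const hmac = (key, signingInput) => createHmac("sha256", key).update(signingInput).digest();

// Split off the signature property and round-trip through JSON (step 1's "JSON-serialized").
function splitSignature(data) {
  const { signature, ...unsigned } = JSON.parse(JSON.stringify(data));
  return { signature, unsigned };
}

// Steps 1-3: canonicalize, sign, attach the detached JWS "header..signature".
function signData(data, key) {
  const { unsigned } = splitSignature(data);
  const header = b64u(JSON.stringify({ alg: "HS256" })); // HS256 is an assumption
  const sig = b64u(hmac(key, header + "." + b64u(canonicalize(unsigned))));
  return { ...unsigned, signature: header + ".." + sig };
}

// Verifier: rebuild the payload from the received object, whatever its property order.
function verifyData(data, key) {
  const { signature, unsigned } = splitSignature(data);
  const parts = typeof signature === "string" ? signature.split(".") : [];
  if (parts.length !== 3 || parts[1] !== "") return false; // must be a detached JWS
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8")); }
  catch { return false; }
  if (header?.alg !== "HS256") return false; // accept only the pinned algorithm
  const expected = hmac(key, parts[0] + "." + b64u(canonicalize(unsigned)));
  const given = Buffer.from(parts[2], "base64url");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample data and key.
const KEY = "constructed-demo-key";
const signed = signData({ merchantIdentifier: "XXXX", bobPaySpecificField: true }, KEY);
const reordered = { signature: signed.signature, bobPaySpecificField: true, merchantIdentifier: "XXXX" };
const tampered = { ...signed, merchantIdentifier: "YYYY" };
console.log(verifyData(signed, KEY), verifyData(reordered, KEY), verifyData(tampered, KEY));
```

The reordered object verifies because the payload is recomputed from the canonical form rather than carried inside the JWS; the tampered one does not.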