- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sun, 2 Dec 2012 15:15:23 +0100
- To: Web Payments <public-webpayments@w3.org>
Received on Sunday, 2 December 2012 14:15:55 UTC
Please note:

Why not JSON?

Invoice, Payment and Receipt messages could all be JSON-encoded. The Javascript Object Signing and Encryption (JOSE) working group at the IETF has a draft specification for signing JSON data that we could adopt and use. But the spec is non-trivial. Signing JSON data is troublesome, so JSON that needs to be signed must be base64-encoded into a string. And the standards committee identified one security-related issue that will require special JSON parsers for handling JSON-Web-Signed (JWS) data (duplicate keys must be rejected by the parser, which is more strict than the JSON spec requires). It is very likely some implementors would just use whatever JSON library was most convenient, either because they weren't aware of the potential problem or because they were lazy and couldn't see how an attacker might take advantage of the problem.

On 2 December 2012 15:11, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> https://gist.github.com/4120476
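The duplicate-key requirement mentioned in the message above, as an added example that is not part of the original post or of the JOSE draft: a wrapper around Python's standard `json` module that rejects repeated keys at any nesting depth, next to two lenient readings of the same bytes. The sample messages, their field names and the helper names are constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
import base64
import json

class DuplicateKeyError(ValueError):
    """A JSON object repeated a member name."""

def reject_duplicates(pairs):
    # json.loads calls this hook once per object (nested ones included),
    # passing every member in document order before any is discarded.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj

def first_wins(pairs):
    # Models a lenient parser that keeps the first occurrence of a key.
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj

def strict_loads(text):
    """Parse JSON, rejecting duplicate keys at any nesting depth."""
    return json.loads(text, object_pairs_hook=reject_duplicates)

def b64url_encode(text):
    return base64.urlsafe_b64encode(text.encode("utf-8")).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    # Unpadded base64url: restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_signed_payload(segment):
    """Strictly parse a base64url payload string (signature check not shown)."""
    return strict_loads(b64url_decode(segment).decode("utf-8"))

# Constructed sample messages; the field names are assumptions for illustration.
CLEAN = '{"type": "invoice", "amount": "10.00", "payto": "merchant-1"}'
DUPLICATED = '{"type": "invoice", "amount": "10.00", "amount": "1000.00"}'
NESTED = '{"type": "invoice", "item": {"sku": "a", "sku": "b"}}'

if __name__ == "__main__":
    print("last wins: ", json.loads(DUPLICATED)["amount"])
    print("first wins:", json.loads(DUPLICATED, object_pairs_hook=first_wins)["amount"])
    for sample in (CLEAN, DUPLICATED, NESTED):
        try:
            print("accepted:", parse_signed_payload(b64url_encode(sample)))
        except DuplicateKeyError as exc:
            print("rejected:", exc)
```

The stock `json.loads` silently keeps the last value for a repeated key, so a component that keeps the first value would act on a different amount from the same signed bytes; the strict wrapper refuses the message instead.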