Signing/Authorizing Payment Transactions

I've seen the discussion regarding HTTP-keys versus JOSE/WebCrypto.

IMO, the exact format of a server-initiated signature is not "mission-critical"; the
only true requirement is that it is verifiable. There are already a lot of systems
out there using CMS and XML DSig.

The real problem with signatures is when they are initiated in the client-end by
a human user looking at a transaction request on the web.  For that purpose
there are currently NO standards.

To my knowledge there's currently a single proposal on the table:
http://webpki.org/papers/PKI/pki-webcrypto.pdf

Well, in theory WebCrypto can already do this, but I think it won't happen
until Google releases their U2F scheme, which doesn't rely on WebCrypto's
key-generation, -storage and -protection features but complies with the rest.

None of these schemes depend on any particular signature format on business
transactions, because that would seriously hamper adoption.

Anders

Received on Monday, 4 November 2013 05:42:18 UTC