I have a use case. I am using JSON-JWS derived signatures for code
signing. The payload is just a hash of a manifest that in turn
contains hashes of the rest of the files in the archive.
I would use a "sat" header field with the same semantics as "iat". A
signature from the publisher (with no timestamp) combined with a
signature from the package index (that only means "this package is at
least this old") would be used to make a trust decision.
Header:
{
  "sat": 1349890320,
  "alg": "Ed25519",
  "key": {
    "alg": "Ed25519",
    "vk": "tmAYCrSfj8gtJ10v3VkvW7jOndKmQIYE12hgnFu3cvk"
  }
}
Payload:
{ "hash": "sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" }
(http://www.python.org/dev/peps/pep-0427/#signed-wheel-files)
Apologies if this is double-posted.
Daniel Holth
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
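The two-signature scheme described in the message above, as an added example that is not part of the post or of PEP 427: it builds the compact JWS with the proposed "sat" header, verifies each signature only under a key the relying party already pins (the header's self-asserted "vk" is ignored), and makes the trust decision from the index's "sat". Go's standard-library Ed25519 stands in for the Python signing code the PEP refers to; the manifest bytes, keys and minimum-age policy are constructed for the test.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)
var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
// manifestPayload is the post's payload: the sha256 of the manifest that hashes the other files.
func manifestPayload(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	p, _ := json.Marshal(map[string]string{"hash": "sha256=" + b64.EncodeToString(sum[:])})
	return string(p)
}
// sign returns the compact serialization header.payload.signature; sat > 0 adds the proposed
// "sat" (signed-at) claim, and the publisher passes 0 so its header carries no timestamp.
func sign(priv ed25519.PrivateKey, payload string, sat int64) string {
	vk := b64.EncodeToString(priv.Public().(ed25519.PublicKey))
	hdr := map[string]any{"alg": "Ed25519", "key": map[string]string{"alg": "Ed25519", "vk": vk}}
	if sat > 0 {
		hdr["sat"] = sat
	}
	h, _ := json.Marshal(hdr)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString([]byte(payload))
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}
// verify checks the signature under a key the relying party already pins (the header's own "vk"
// is self-asserted and ignored on purpose) and returns the payload and "sat" (0 if absent).
func verify(jws string, pub ed25519.PublicKey) (string, int64, bool) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return "", 0, false }
	h, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"`; Sat int64 `json:"sat"` }
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(h, &hdr) != nil ||
		hdr.Alg != "Ed25519" || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", 0, false
	}
	return string(payload), hdr.Sat, true
}
// trusted is the post's decision: both signatures valid under their pinned keys over the same
// payload, and the index's "sat" showing the package is at least minAge seconds old as of now.
func trusted(pubJWS, idxJWS string, publisher, index ed25519.PublicKey, now, minAge int64) bool {
	p1, _, okP := verify(pubJWS, publisher)
	p2, sat, okI := verify(idxJWS, index)
	return okP && okI && sat > 0 && p1 == p2 && now-sat >= minAge
}
```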