I would think that the financial community would want a reliable signature
method, without the interop problems that relying on canonicalization creates,
as so thoroughly demonstrated in practice by XML Canonicalization. For
starters, there isn't actually a JSON canonicalization standard in the first
place. And relying on intermediaries not modifying the JSON in any way is also
fraught with danger and an invitation to attacks.
Would using JWS with detached payloads really be that onerous for this
community, provided they actually have a way to preserve the payload exactly?
-- Mike
-----Original Message-----
From: jose [mailto:[email protected]] On Behalf Of Anders Rundgren
Sent: Monday, August 10, 2015 10:07 PM
To: Jim Schaad; [email protected]
Subject: Re: [jose] Payment Perspective on draft-jones-jose-jws-signing-input-options 00
On 2015-08-10 23:00, Jim Schaad wrote:
> I am just not interested in this I guess.
Yes, the JOSE WG have more or less unanimously decided to ignore the needs of
the financial community who wants to sign JSON objects [1] rather than signing
arbitrary data using JSON-based signature containers.
Anders
[1] Although entirely different with respect to JSON normalization, the
following independently developed scheme proposals seem to support this
statement:
https://web-payments.org/specs/source/vocabs/security.html#GraphSignature2012
https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#Sample_Signature
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
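
An added illustration of the trade-off debated in this thread, not code from either correspondent or from the JOSE drafts: a JWS compact serialization with detached content (RFC 7515, Appendix F) verifies only when the receiver holds the exact payload bytes, so an intermediary that re-serializes the JSON breaks the signature even though the data is unchanged. HS256, the key, the payment fields and the function names are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_detached(payload: bytes, key: bytes) -> str:
    """Return 'header..signature': compact JWS with the payload part left empty."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url(payload)}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}..{b64url(sig)}"

def verify_detached(jws: str, payload: bytes, key: bytes) -> bool:
    """Verify a detached JWS against the payload bytes delivered out of band."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not a detached compact JWS
    header_b64, _, sig_b64 = parts
    try:
        padded = header_b64 + "=" * (-len(header_b64) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return False
    # Pin the algorithm instead of trusting whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{b64url(payload)}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode(), sig_b64.encode())

# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key-not-a-real-secret"
ORIGINAL = b'{"amount": "100.00", "currency": "EUR", "payee": "example"}'

def demo() -> dict:
    jws = sign_detached(ORIGINAL, KEY)
    # An intermediary parses and re-emits the JSON: same data, different bytes.
    reserialized = json.dumps(json.loads(ORIGINAL), separators=(",", ":"),
                              sort_keys=True).encode()
    return {
        "exact_bytes_verify": verify_detached(jws, ORIGINAL, KEY),
        "same_data": json.loads(reserialized) == json.loads(ORIGINAL),
        "reserialized_verify": verify_detached(jws, reserialized, KEY),
    }

if __name__ == "__main__":
    print(demo())
```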