I just want to end this thread by stating a requirement which is outside of current JOSE specifications [1] and that is the anticipated use of "Babushka" signatures (signed messages enclosing other signed messages).
As an example, a recent version of a system for challenging the 20-year standstill on secure credit-card payments on the Web [2] needs no fewer than 3 levels of signed JSON messages, each including protected headers in excess of a kilobyte (X.509 certificates).

I can't imagine that the <100 lines of code required to make the .NET "JavaScriptSerializer" fully compliant with "Predictable Serialization" would actually be a show-stopper.

Detached signatures are an entirely different animal, which the new draft addresses quite well.

Cheers,
Anders

[1] Strictly technically JWS can do what I outline but the result would simply look too bad for human consumption while computers obviously don't care.

[2] Here disregarding VISA's 3D Secure, which has been largely rejected since it is neither secure nor convenient, as well as schemes based on super-providers like PayPal.

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
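
The point in footnote [1], as an added example that is not part of the original message: three levels of compact JWS, where each level base64url-encodes the complete inner JWS, so the outer token is opaque to a reader and grows by roughly a third per level. Assumptions: HS256 with constructed demo keys stands in for the X.509-based signatures the message describes, and the helper names (`wrap_nested`, `unwrap_nested`) are hypothetical.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes, key: bytes) -> str:
    """Compact JWS (HS256): BASE64URL(header).BASE64URL(payload).BASE64URL(tag)."""
    signing_input = b64u(b'{"alg":"HS256"}') + "." + b64u(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64u(tag)

def jws_verify(token: str, key: bytes) -> bytes:
    """Check the tag first, then the pinned alg; return the payload bytes."""
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("bad signature")
    if json.loads(b64u_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return b64u_dec(body)

def wrap_nested(message: dict, keys: list) -> list:
    """Sign innermost-first; return the token produced at every level."""
    payload = json.dumps(message, separators=(",", ":")).encode()
    tokens = []
    for key in keys:
        tokens.append(jws_sign(payload, key))
        payload = tokens[-1].encode("ascii")  # next level signs the whole inner JWS
    return tokens

def unwrap_nested(token: str, keys: list) -> dict:
    """Verify outermost-first; a layer is decoded only after its tag checks out."""
    payload = token.encode("ascii")
    for key in reversed(keys):
        payload = jws_verify(payload.decode("ascii"), key)
    return json.loads(payload)

# Constructed sample input: three demo keys (innermost first) and a small message.
KEYS = [b"level-1 demo key", b"level-2 demo key", b"level-3 demo key"]
MESSAGE = {"amount": "10.00", "currency": "EUR"}

if __name__ == "__main__":
    for level, tok in enumerate(wrap_nested(MESSAGE, KEYS), 1):
        print(level, len(tok), tok[:48] + "...")
```
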
