Thanks for the replies.
You're absolutely right, Phil and George - apologies, I omitted the digest
step from the first email.
Both the STET and Berlin Group specs require the use of a SHA-256 or SHA-512
Digest header as per RFC 3230 (https://tools.ietf.org/html/rfc3230).
They then use the draft cavage spec to sign a defined set of headers which
includes the date and digest headers.

> If you want attestation, better to use SET or plain JWT.

The pushback on this has been that to use JWTs for all API request bodies
and responses would make the APIs harder to develop against and debug.
However I do think it is a better option than having signatures in headers.
I like the idea of using content negotiation to allow clients to request
either application/json or application/jwt from an API endpoint.

I'd be interested if there is any interest in the working group for this
draft though:
https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-00. As Ben
mentioned, does the issue of JSON canonicalization make this a non-starter?

Thanks

Dave
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
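The scheme Dave describes above (an RFC 3230 Digest header over the body, then a draft-cavage HTTP signature covering the date and digest headers) is shown below as an added example; it is not code from the thread or from the STET or Berlin Group specifications. It uses HMAC-SHA256 with a shared key so that it runs stand-alone; the key, keyId and sample request are constructed here, and the verifier side shows the two checks a receiving API has to make (body matches Digest, Signature covers date and digest and validates).

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example only (not from the thread).
SHARED_KEY = b"example-shared-secret"  # hypothetical key; the specs' key material is not shown here
KEY_ID = "example-key-1"               # hypothetical keyId
COVERED = ["(request-target)", "date", "digest"]   # headers the signature must cover
HASHES = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def digest_header(body: bytes, algo: str = "SHA-256") -> str:
    """RFC 3230 Digest header value: '<algorithm>=<base64(hash(body))>'."""
    return f"{algo}={base64.b64encode(HASHES[algo](body).digest()).decode()}"


def signing_string(method: str, path: str, headers: dict, names: list) -> str:
    """draft-cavage signing string: one '<lowercase name>: <value>' line per covered
    header, with '(request-target)' expanded to '<lowercase method> <path>'."""
    lookup = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lookup[name]}")   # KeyError if a covered header is absent
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: dict, body: bytes,
                 key: bytes = SHARED_KEY, key_id: str = KEY_ID) -> dict:
    """Add Digest and Signature headers to an outgoing request (client side)."""
    out = dict(headers)
    out["Digest"] = digest_header(body)
    mac = hmac.new(key, signing_string(method, path, out, COVERED).encode(), hashlib.sha256).digest()
    out["Signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",headers="{" ".join(COVERED)}",'
        f'signature="{base64.b64encode(mac).decode()}"'
    )
    return out


def parse_signature(value: str) -> dict:
    """Parse 'k="v",k2="v2",...' into a dict (base64 contains no commas, so a split is safe)."""
    params = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            params[k.strip()] = v.strip().strip('"')
    return params


def verify_request(method: str, path: str, headers: dict, body: bytes,
                   key: bytes = SHARED_KEY) -> bool:
    """Server-side checks: (1) the body matches the Digest header, (2) the Signature
    covers at least date and digest and validates over the received header values."""
    lookup = {k.lower(): v for k, v in headers.items()}
    received_digest = lookup.get("digest", "")
    algo = received_digest.split("=", 1)[0]
    if algo not in HASHES:
        return False
    if not hmac.compare_digest(digest_header(body, algo), received_digest):
        return False   # body was altered or Digest is missing
    params = parse_signature(lookup.get("signature", ""))
    covered = params.get("headers", "").split()
    if not {"date", "digest"} <= set(covered) or params.get("algorithm") != "hmac-sha256":
        return False   # signature does not bind the timestamp and body hash
    try:
        expected = hmac.new(key, signing_string(method, path, headers, covered).encode(),
                            hashlib.sha256).digest()
        provided = base64.b64decode(params.get("signature", ""))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    body = b'{"amount": "10.00"}'   # constructed request body
    headers = {"Date": "Tue, 07 Jun 2022 20:51:35 GMT", "Host": "api.example"}
    signed = sign_request("POST", "/payments", headers, body)
    print(signed["Digest"])
    print(signed["Signature"])
    print(verify_request("POST", "/payments", signed, body))
```

Binding the Digest header into the signature is what makes the body part of the signed material without signing the body bytes directly; the verifier must still recompute the digest itself rather than trust the header, and must reject a Signature whose `headers` list omits `digest` or `date`.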
