Hi Samuel,

Thanks for the reply, I would definitely be interested in an updated draft. Both the signing spec and the canonicalization spec seem a lot simpler than JSON-LD. It wouldn't be hard to add cleartext-jws signatures to existing JSON APIs.

Thanks
Dave

On Tue, 4 Sep 2018 at 23:33, Samuel Erdtman <sam...@erdtman.se> wrote:

> Hi
>
> As one of the authors of draft-erdtman-jose-cleartext-jws I definitely think this is the way to go. The initial use case was to sign transaction requests and responses, and as was mentioned in previous emails it is very much desirable to not obfuscate the payload with base64 encoding.
>
> The current draft just expired but if we have found interest I would be more than willing to post an update. I was supposed to do so earlier but since it has been hard to find a home for the work (an interested WG) it has not been top of my priority list.
>
> With the potential update we (I and the co-authors) intended to do some cleanup and one significant change. We think we should move from ES6 serialization to canonicalization based on draft-rundgren-json-canonicalization-scheme <https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01>. After a lot of research and emails we have come to the conclusion that it would be easier to get buy-in for this method than to get languages to support ES6 compatible serialization. draft-rundgren-json-canonicalization-scheme has the additional benefit that non-intrusive modifications such as attribute reordering would not ruin this signature, which was the case with ES6 serialization (and we could avoid some minor ES6 quirks).
>
> Implementations for the draft-rundgren-json-canonicalization-scheme canonicalization schema are available in JavaScript <https://www.npmjs.com/package/canonicalize>, .NET <https://github.com/cyberphone/json-canonicalization/tree/master/dotnet>, Java <https://search.maven.org/artifact/io.github.erdtman/java-json-canonicalization/1.1/jar>, and Python <https://github.com/cyberphone/json-canonicalization/tree/master/python3>.
>
> Anders is currently putting a lot of effort into the canonicalization to make sure it is stable, and it has been reviewed by several people knowledgeable in JSON.
>
> When it comes to draft-erdtman-jose-cleartext-jws implementations, I have done one in JavaScript (I modified an existing JOSE implementation in a few hours) and Anders has done a Java implementation (at least). The examples in the specification were created and validated with different implementations.
>
> I know canonicalization is a scary thing if you have worked with canonicalization of XML, but I can tell you canonicalization of JSON is not even close to that complex.
>
> Best regards
> //Samuel Erdtman
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
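
The property discussed in the quoted message (a signature computed over a canonical form survives attribute reordering), as an added example that is not from the thread or from either draft: a small JCS-style canonicalizer for `JSON.parse` output, with an HMAC-SHA256 signature kept in cleartext beside the payload. The member name `signature`, its `alg`/`value` layout and the key are assumptions made for illustration, not the wire format of draft-erdtman-jose-cleartext-jws.

```javascript
const crypto = require('node:crypto');

// Hypothetical member name and layout, not the draft's wire format.
const SIG_PROP = 'signature';

// JCS-style canonical form: members sorted by key, no whitespace,
// strings and numbers serialized exactly as ES6 JSON.stringify does.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    const s = JSON.stringify(value);
    if (s === undefined || (typeof value === 'number' && !Number.isFinite(value))) {
      throw new TypeError('value is not representable in JSON');
    }
    return s;
  }
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  // Default sort() orders strings by UTF-16 code units.
  const members = Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
  return '{' + members.join(',') + '}';
}

// The MAC covers the payload plus the algorithm name, so "alg" cannot be
// swapped without invalidating the signature.
function mac(payload, key) {
  const toSign = canonicalize({ ...payload, [SIG_PROP]: { alg: 'HS256' } });
  return crypto.createHmac('sha256', key).update(toSign, 'utf8').digest();
}

function sign(obj, key) {
  const { [SIG_PROP]: _old, ...payload } = obj;
  const value = mac(payload, key).toString('base64url');
  return { ...payload, [SIG_PROP]: { alg: 'HS256', value } };
}

function verify(obj, key) {
  const { [SIG_PROP]: sig, ...payload } = obj;
  if (!sig || sig.alg !== 'HS256' || typeof sig.value !== 'string') return false;
  const expected = mac(payload, key);
  const given = Buffer.from(sig.value, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data: a demo key and a made-up transaction request.
const KEY = Buffer.from('constructed-demo-key-not-a-real-secret');
const signed = sign({ amount: 100.0, currency: 'EUR', to: 'acct-42' }, KEY);
// An intermediary re-serializes with different member order and whitespace.
const reordered = JSON.parse(JSON.stringify({ signature: signed.signature,
  to: signed.to, currency: signed.currency, amount: signed.amount }, null, 2));
const tampered = { ...reordered, amount: 1000 };
```
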