On 2019-02-08 23:01, David Karlsen wrote:
Signing headers is optional, and you can select which ones; see: https://tools.ietf.org/html/draft-cavage-http-signatures-09#section-2.1.3 See section 3.1, where a digest is created from the body, to essentially form a signature of the body and any other headers. This allows signing JSON, or any other media type.
Right, current systems supporting "signed JSON" do that by embedding the JSON data in Base64Url or featuring it in the clear in an HTTP body with a detached signature in an HTTP header.

The stuff I and a few other people are working on makes signatures a part of the JSON object itself, allowing you to:
- serialize the object into a database
- transfer/proxy the object using any kind of mechanism
- embed the object in another JSON object (counter signing)
- use the object in an HTML page while keeping the signature and the JSON object intact

The signature scheme is not tied to HTTP.

May I ask what you think of https://github.com/cyberphone/json-canonicalization/blob/master/REST.signatures.md as a REST solution?

Anders
On Fri, 8 Feb 2019 at 15:59, Anders Rundgren <[email protected]> wrote:

On 2019-02-08 15:27, David Karlsen wrote:
> Cxf 3.3 included support for
> https://tools.ietf.org/html/draft-cavage-http-signatures-09

Thanx! I got that from Colm's answer as well.

Personally I find HTTP Signatures a rather strange mix between signed messaging and authentication. Amazon use a similar scheme but without authentication requests: https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

In a REST context I do not really see the need for signing header data, with the exception of HTTP Method and URI. If you need (signed) x-headers you might as well declare such data at the JSON level.

Anyway, none of the Cxf methods support "Signed JSON", only JSON embedded in packages of varying obscurity. But that is not due to any shortcomings in Cxf, but to a lack of standards. That's at least what I'm claiming and trying to fix :-)

The core signature scheme (without specific REST bindings) can be tried out online if you want: https://mobilepki.org/jws-jcs/home

Cheers,
Anders

> On Fri, 8 Feb 2019, 08:27, Anders Rundgren <[email protected]> wrote:
>
>> Since there is no IETF standard for signing REST requests and no
>> such activity in progress either, I took the liberty of outlining
>> a minimalist proposal:
>>
>> https://github.com/cyberphone/json-canonicalization/blob/master/REST.signatures.md
>>
>> Comments are as always welcome!
>>
>> Anders
>

--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
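As an added illustration of the embedded-signature pattern discussed in this thread (my own sketch, not code from the thread or from the json-canonicalization project), the following Python signs a JSON object, carries the signature as a property of the object itself, and verifies it after re-serialization and after counter-signing. Assumptions: the canonicalization is a simplified stand-in for JCS (sorted keys, no whitespace), the MAC is HMAC-SHA256 (JWS "HS256") rather than a public-key signature, and the property name `signature` and the demo keys are made up.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-1"    # constructed; use a keystore/KMS key in practice
DEMO_KEY_2 = b"constructed-demo-key-2"  # constructed second party (counter-signer)
SIG_PROPERTY = "signature"  # assumed property name, not the JWS/JCS draft's

def canonicalize(obj):
    # Simplified stand-in for JCS: sorted keys, no whitespace, UTF-8 (RFC 8785 also fixes number/escape formats).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_object(obj, key):
    if SIG_PROPERTY in obj:
        raise ValueError("already signed; wrap it in another object to counter-sign")
    mac = hmac.new(key, canonicalize(obj), hashlib.sha256).digest()
    return {**obj, SIG_PROPERTY: {"alg": "HS256", "val": b64url(mac)}}

def verify_object(signed, key):
    # Strip the signature property, re-canonicalize the rest, recompute, compare in constant time.
    sig = signed.get(SIG_PROPERTY)
    if not isinstance(sig, dict) or sig.get("alg") != "HS256":
        return False
    body = {k: v for k, v in signed.items() if k != SIG_PROPERTY}
    expected = hmac.new(key, canonicalize(body), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(sig["val"]))
    except (KeyError, TypeError, ValueError):
        return False

def demo():
    order = {"amount": 100, "currency": "EUR", "customer": "c-42"}  # constructed request body
    signed = sign_object(order, DEMO_KEY)
    stored = json.loads(json.dumps(signed, indent=2))  # e.g. written to a DB and read back
    approval = sign_object({"approved_by": "ops", "order": signed}, DEMO_KEY_2)  # counter-sign
    tampered = {**signed, "amount": 1}
    return {
        "verifies": verify_object(signed, DEMO_KEY),
        "survives_reserialization": verify_object(stored, DEMO_KEY),
        "outer_verifies": verify_object(approval, DEMO_KEY_2),
        "inner_still_verifies": verify_object(approval["order"], DEMO_KEY),
        "tamper_detected": not verify_object(tampered, DEMO_KEY),
    }
```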
