johnzon-dev mailing list archives

From Anders Rundgren
Subject Digitally Signed JSON
Date Mon, 14 May 2018 10:45:35 GMT
Hi Johnzoners!

In case you want to digitally sign JSON messages/documents, the standardized way of doing
that is dressing the JSON data in Base64Url.  IMO this defeats the value of clear text formats.

Current standard (JWS): eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM

The (AFAIK...) only workable solution around that problem is normalization of JSON data so
that it gets a unique/stable representation.  Proposed alternative (Cleartext JWS):
{
   "now": "2018-04-16T11:23:06Z",
   "name": "Joe",
   "id": 2200063,
   "signature": {
     "alg": "ES256",
     "kid": "",
     "val": "GagHnDBKhU7ynzLLH1Qs3tYmzbwxyokDtu7f0Iz1mB0GL-9ER_J5fJA9qz3IG6IR_jLHh3fsUEKAzB4GzLex2A"
   }
}

The "signature" property contains the signature, the other properties are just arbitrary application

The #1 problem is the serialization of JSON Numbers [1].  It would be FANTASTIC if this feature
(which is 100% compatible with JSON), became a part of the Java/JSON standards.

Recent standardization activity supported by Microsoft relying on this feature:


[1] The idea is using ECMAScript's definition which I currently have running for Java, C# .NET
and Python 3
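
The following Node.js sketch is an added example, not part of the original message and not the author's code. It shows why normalization makes a cleartext signature survive re-serialization; sorted member names, signing everything except "val", and the key id `example-key` are assumptions made for the illustration.

```javascript
const nodeCrypto = require('crypto');

// Canonical form (assumption): members sorted by name, no whitespace, and
// primitives written by JSON.stringify, i.e. ECMAScript number formatting.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    if (typeof value === 'number' && !Number.isFinite(value)) {
      throw new TypeError('NaN and Infinity are not JSON numbers');
    }
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  const members = Object.keys(value).sort().map(
    (k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
  return '{' + members.join(',') + '}';
}

// Bytes covered by the signature (assumption): the whole object, including
// signature.alg and signature.kid, with only signature.val left out.
function signedBytes(doc) {
  const { val, ...header } = doc.signature;
  return Buffer.from(canonicalize({ ...doc, signature: header }), 'utf8');
}

function sign(data, kid, privateKey) {
  const doc = { ...data, signature: { alg: 'ES256', kid } };
  const sig = nodeCrypto.sign('sha256', signedBytes(doc),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS uses
  doc.signature.val = sig.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return doc;
}

function verify(jsonText, publicKey) {
  const doc = JSON.parse(jsonText);
  const s = doc && doc.signature;
  // Pin the algorithm here; the message must not choose how it is verified.
  if (!s || s.alg !== 'ES256' || typeof s.val !== 'string') return false;
  return nodeCrypto.verify('sha256', signedBytes(doc),
    { key: publicKey, dsaEncoding: 'ieee-p1363' },
    Buffer.from(s.val, 'base64')); // decoder also accepts the URL-safe alphabet
}

// Constructed sample: same data as text with reordered members and 2.200063e6.
const keys = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const signed = sign({ now: '2018-04-16T11:23:06Z', name: 'Joe', id: 2200063 },
  'example-key', keys.privateKey);
const reordered = `{ "id": 2.200063e6, "signature": ${JSON.stringify(signed.signature)},
  "name": "Joe", "now": "2018-04-16T11:23:06Z" }`;
const tampered = JSON.stringify({ ...signed, id: 2200064 });
console.log(verify(reordered, keys.publicKey), verify(tampered, keys.publicKey));
```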
