johnzon-dev mailing list archives

From: Anders Rundgren <anders.rundgren....@gmail.com>
Subject: Digitally Signed JSON
Date: Mon, 14 May 2018 10:45:35 GMT

Hi Johnzoners!

In case you want to digitally sign JSON messages/documents, the standardized way of doing
that is dressing the JSON data in Base64Url.  IMO this defeats the value of clear text formats.

Current standard (JWS): eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM

The (AFAIK...) only workable solution around that problem is normalization of JSON data so
that it gets a unique/stable representation.  Proposed alternative (Cleartext JWS):
{
   "now": "2018-04-16T11:23:06Z",
   "name": "Joe",
   "id": 2200063,
   "signature": {
     "alg": "ES256",
     "kid": "example.com:p256",
     "val": "GagHnDBKhU7ynzLLH1Qs3tYmzbwxyokDtu7f0Iz1mB0GL-9ER_J5fJA9qz3IG6IR_jLHh3fsUEKAzB4GzLex2A"
   }
}

The "signature" property contains the signature; the other properties are just arbitrary application
data.

The #1 problem is the serialization of JSON Numbers [1].  It would be FANTASTIC if this feature
(which is 100% compatible with JSON) became a part of the Java/JSON standards.

Recent standardization activity supported by Microsoft relying on this feature:
https://tools.ietf.org/id/draft-erdtman-jose-cleartext-jws-00.html

Cheers,
Anders

[1] The idea is using ECMAScript's definition which I currently have running for Java, C# .NET
and Python 3
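
The normalization idea in the message above, as an added example (not part of the original message, and not code from its author or from the draft): a Node.js sketch that uses the ECMAScript parse/serialize round trip as the normal form and signs with ES256. Assumptions: the signed bytes cover everything except `val`, property order is kept as parsed, the key pair is an ephemeral one generated for the demo, and all function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// JSON.parse + JSON.stringify gives one representation for whitespace, string
// escapes and numbers (2.200063e6 -> 2200063). Property order is kept, not sorted.
function normalize(jsonText) {
  return JSON.stringify(JSON.parse(jsonText));
}

// Assumption: the signed bytes are the normalized object including the
// "signature" header (alg, kid) but without "val".
function signingInput(obj) {
  const { val, ...header } = obj.signature;
  return Buffer.from(JSON.stringify({ ...obj, signature: header }), "utf8");
}

function sign(jsonText, privateKey, kid) {
  const obj = { ...JSON.parse(jsonText), signature: { alg: "ES256", kid } };
  const sig = crypto.sign("sha256", signingInput(obj),
    { key: privateKey, dsaEncoding: "ieee-p1363" }); // raw R||S, as JWS ES256 uses
  obj.signature.val = sig.toString("base64url");
  return JSON.stringify(obj, null, 2);
}

function verify(jsonText, publicKey) {
  const obj = JSON.parse(jsonText);
  const sig = obj && obj.signature;
  // Pin the algorithm instead of trusting whatever "alg" the message claims.
  if (!sig || sig.alg !== "ES256" || typeof sig.val !== "string") return false;
  return crypto.verify("sha256", signingInput(obj),
    { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(sig.val, "base64url"));
}

// Constructed demo: ephemeral key; application data taken from the message above.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const signed = sign('{"now":"2018-04-16T11:23:06Z","name":"Joe","id":2200063}', privateKey, "example.com:p256");
// Same data as a constructed intermediary might re-encode it, and a tampered copy.
const reencoded = signed.replace('"Joe"', '"\\u004aoe"').replace("2200063", "2.200063e6");
const tampered = signed.replace("2200063", "2200064");

function demo() {
  return {
    sameRawText: signed === reencoded,
    sameNormalForm: normalize(signed) === normalize(reencoded),
    original: verify(signed, publicKey),
    reencoded: verify(reencoded, publicKey),
    tampered: verify(tampered, publicKey),
  };
}
console.log(demo());
```

`JSON.parse` keeps the last of any duplicate property names, so the application should consume the same parsed object that was verified rather than re-parsing the raw text with a different parser.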



