I have reviewed the document signing wiki article, the Google Doc proposal, as well as the mailing list thread, and even glanced over JimKo's code (http://goo.gl/xlHkRW) and wanted to check in on the right way to do this.
It looks like this subject has popped up occasionally but died for lack of interest. One of the identified sticking points was the lack of a good spec on how to handle signed JSON. However, the IETF JSON Web Signature draft (http://goo.gl/i5aoWV) has gone through some 20 revisions; it has object serialization, but I don't see any canonical default ordering. Perhaps I am missing something; however, the status changed to "last call" about a month ago. If you have any input, now would be the time to do so : )

As far as actually implementing it, I haven't run into any code which uses it in validate_doc_update. There are, however, at least two libraries that should work as part of a CouchApp:

* Mozilla's jwcrypto, which is used for BrowserID/Personas, but it looks rather large: https://github.com/mozilla/jwcrypto
* jsrsasign, from an indie developer, but it comes with ready-to-use minified versions: https://github.com/kjur/jsrsasign

It appears that it would be pretty easy to require('path/to/jsrasign') in validate_doc_update, unless I'm missing something?

Thank you,
-Zach Lym
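
On the canonical-ordering question raised in this post, an added example (not part of the original message, and not CouchDB or jsrsasign code): a JWS compact serialization signs the base64url text of the payload exactly as the signer serialized it, so the verifier checks those bytes and never re-serializes the JSON. The sketch uses Node's built-in `crypto` as a stand-in for a library loaded in validate_doc_update; the `jws` field name, the `validateSignedDoc` helper and the throwaway key pair are assumptions.

```javascript
// Added example: Node.js sketch of RS256 JWS compact verification.
const crypto = require('node:crypto');
const { isDeepStrictEqual } = require('node:util');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Constructed throwaway key pair; a real deployment would pin a known public key.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Compact form: BASE64URL(header) . BASE64URL(payload) . BASE64URL(signature)
function signCompact(payloadJson, key) {
  const signingInput = b64u('{"alg":"RS256"}') + '.' + b64u(payloadJson);
  const sig = crypto.sign('sha256', Buffer.from(signingInput, 'ascii'), key);
  return signingInput + '.' + b64u(sig);
}

// Returns the parsed payload or throws. The algorithm is fixed by the
// verifier, so a token cannot select its own (for example "none").
function verifyCompact(jws, key) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) throw new Error('malformed JWS');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // The signature covers the received text h + '.' + p, not re-encoded JSON,
  // which is why key order in the payload does not matter.
  const ok = crypto.verify('sha256', Buffer.from(h + '.' + p, 'ascii'),
                           key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Hypothetical validate_doc_update-style check: the document carries the JWS
// in a `jws` field (assumed name); every other non-underscore field must
// equal the corresponding field of the signed payload.
function validateSignedDoc(newDoc, key) {
  const signed = verifyCompact(newDoc.jws, key);
  const fields = Object.keys(newDoc).filter((k) => k !== 'jws' && k[0] !== '_');
  if (fields.length !== Object.keys(signed).length) {
    throw new Error('field set differs from signed payload');
  }
  for (const k of fields) {
    if (!isDeepStrictEqual(newDoc[k], signed[k])) {
      throw new Error('field not covered by signature: ' + k);
    }
  }
  return true;
}
```
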
