Hi Johnzoners!
In case you want to digitally sign JSON messages/documents, the standardized
way of doing that is dressing the JSON data in Base64Url. IMO this defeats the
value of clear text formats.
Current standard (JWS):
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM
The (AFAIK...) only workable solution around that problem is normalization of
JSON data so that it gets a unique/stable representation. Proposed alternative
(Cleartext JWS):
{
  "now": "2018-04-16T11:23:06Z",
  "name": "Joe",
  "id": 2200063,
  "signature": {
    "alg": "ES256",
    "kid": "example.com:p256",
    "val": "GagHnDBKhU7ynzLLH1Qs3tYmzbwxyokDtu7f0Iz1mB0GL-9ER_J5fJA9qz3IG6IR_jLHh3fsUEKAzB4GzLex2A"
  }
}
The "signature" property contains the signature; the other properties are just
arbitrary application data.
The #1 problem is the serialization of JSON Numbers [1]. It would be FANTASTIC
if this feature (which is 100% compatible with JSON) became a part of the
Java/JSON standards.
Recent standardization activity supported by Microsoft relying on this feature:
https://tools.ietf.org/id/draft-erdtman-jose-cleartext-jws-00.html
Cheers,
Anders
[1] The idea is using ECMAScript's definition which I currently have running for
Java, C# .NET and Python 3.
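
An added example, not part of the original message and not code from the linked draft: a Node.js sketch of signing and verifying a cleartext JSON object with ES256 over a normalized form. It assumes normalization means sorted keys, no whitespace and ECMAScript number serialization (what JSON.stringify produces), and that the signed data is the object with "val" removed; the draft's exact procedure may differ, and canonicalize/sign/verify are names made up here.

```javascript
const crypto = require('crypto');

// Normalized form (assumption of this example): keys sorted by UTF-16 code
// unit, no whitespace, strings and numbers emitted by JSON.stringify, which
// follows ECMAScript's Number-to-String rules (1.0 -> 1, 1e21 -> 1e+21).
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v !== null && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  if (typeof v === 'number' && !Number.isFinite(v)) {
    throw new Error('NaN and Infinity cannot be represented in JSON');
  }
  return JSON.stringify(v);
}

const ECDSA = key => ({ key, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS uses

// Sign the normalized object with "signature" present but "val" absent.
function sign(doc, privateKey, kid) {
  const header = { alg: 'ES256', kid };
  const data = Buffer.from(canonicalize({ ...doc, signature: header }), 'utf8');
  const val = crypto.sign('sha256', data, ECDSA(privateKey)).toString('base64url');
  return { ...doc, signature: { ...header, val } };
}

// The verifier pins the algorithm instead of trusting whatever "alg" says.
function verify(signed, publicKey) {
  const { val, ...header } = signed.signature || {};
  if (header.alg !== 'ES256' || typeof val !== 'string') return false;
  const data = Buffer.from(canonicalize({ ...signed, signature: header }), 'utf8');
  return crypto.verify('sha256', data, ECDSA(publicKey), Buffer.from(val, 'base64url'));
}

// Constructed sample: throwaway key pair and the application data from the post.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const signed = sign({ now: '2018-04-16T11:23:06Z', name: 'Joe', id: 2200063 },
  privateKey, 'example.com:p256');

// The same data as another serializer might emit it: different key order,
// extra whitespace and another spelling of the same number.
const reparsed = JSON.parse('{ "id": 2.200063e6, "name": "Joe", ' +
  '"now": "2018-04-16T11:23:06Z", "signature": ' + JSON.stringify(signed.signature) + ' }');

console.log(JSON.stringify(signed, null, 2));
console.log('re-serialized copy verifies:', verify(reparsed, publicKey));
console.log('tampered copy verifies:', verify({ ...signed, id: 2200064 }, publicKey));
```

The re-serialized copy verifies because both sides normalize before hashing; without the number rule, "2.200063e6" and "2200063" would hash differently even though they are the same JSON Number.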