There is "iat" (issued at) claim in JWT http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-01 I would use it to show when it was signed.
Nat On Fri, Aug 24, 2012 at 5:58 AM, Daniel Holth <[email protected]> wrote: > I'm attempting to design a JWS-JS-inspired format into a code signing > mechanism for Python wheel files. It works. The payload just includes > a hash of a manifest that in turn includes the hash of all the other > files in the archive, and the signatures always include the full > verifying key for the Ed25519 system in the header, like so. I like > it, but want a place to include information about the signature itself > (when was this signature added?) apart from the single payload. I see > there is some discussion of split headers that may provide it. > > That's all. I really like the spec so far. > > Daniel Holth > > {'alg': 'Ed25519', > 'key': {'alg': 'Ed25519', > 'vk': u'dSUK9K1lSClpgCrtjTpywL3o-TfyCHQsD4xC6ey1GH4'}, > 'typ': 'JWT'} > > {'hash': 'sha256=N7if_qZx7EVe4hN72ajBrWZ5Gwqs74nkK1vWLGTQTFY'} > > {"headers": > ["eyJhbGciOiAiRWQyNTUxOSIsICJrZXkiOiB7ImFsZyI6ICJFZDI1NTE5IiwgInZrIjogImRTVUs5SzFsU0NscGdDcnRqVHB5d0wzby1UZnlDSFFzRDR4QzZleTFHSDQifSwgInR5cCI6ICJKV1QifQ"], > "payload": > "eyJoYXNoIjogInNoYTI1Nj1ON2lmX3FaeDdFVmU0aE43MmFqQnJXWjVHd3FzNzRua0sxdldMR1RRVEZZIn0", > "signatures": > ["KFt27VW2tM5Q637Mu4kyfqBRrxzJ9MRZ6O7ax8lSnKuVLMGG6bcNKkLqombv12bUV-8I-n-SlQfaGlSqnn_xAw"]} > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
