Clear-text signing requires c14n or some other representation-fixing. If you have proposals for at least one of those, this may be viable. Relying on implementation quirks is not OK.
--Richard

On Sat, Dec 20, 2014 at 12:52 AM, Anders Rundgren <[email protected]> wrote:

> Hi List,
> In theory JOSE is done since we have key containers, as well as signature and encryption constructs.
>
> In reality it is not because the topic I raised a long time ago namely the ability to sign clear-text JSON data in a similar fashion like in XML DSig simply isn't going away: No, it is not only yours truly who is into JSON clear-text signing although it seems that everybody is dealing with this issue in quite different ways. This may actually only be good since then there are some real-world (tested) schemes to select from. AFAICT they all have (even including my own take on the subject...), clearly identifiable pros and cons.
>
> The rationale is simple: Documentation, Validation, Development and Debugging of complex JSON messages becomes easier if the content is provided in clear.
>
> There could be justification for IETF taking on such a work-item.
>
> Anders
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
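The point made in the reply above, that a clear-text signature needs a fixed representation, as an added Python example that is not part of the original thread or of any scheme proposed on the list. The key, the `signature` member name, HMAC-SHA256 and the canonical rule (sorted member names, no whitespace, UTF-8, integers only, no duplicate names) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key for this example only

def _no_dup_keys(pairs):
    # Parsers disagree on duplicate member names (first wins, last wins, error): reject them.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate member name")
    return dict(pairs)

def _no_float(token):
    # Float formatting differs between serializers; this simplified rule refuses floats.
    raise ValueError("non-integer number: " + token)

def canonical_bytes(obj):
    # Assumed representation-fixing rule: sorted member names, no whitespace, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def sign_clear(obj):
    # The message stays readable JSON; the MAC covers the canonical form of the other members.
    body = {k: v for k, v in obj.items() if k != "signature"}
    return {**body, "signature": mac(canonical_bytes(body))}

def verify_clear(text):
    # Parse strictly, re-canonicalize, then compare in constant time.
    try:
        obj = json.loads(text, object_pairs_hook=_no_dup_keys, parse_float=_no_float)
    except ValueError:
        return False
    if not isinstance(obj, dict):
        return False
    sig = obj.pop("signature", None)
    if not isinstance(sig, str):
        return False
    return hmac.compare_digest(sig.encode("utf-8"), mac(canonical_bytes(obj)).encode("utf-8"))

def verify_raw(text, sig):
    # Naive alternative: MAC over the exact bytes as received, with no canonical form.
    return hmac.compare_digest(sig.encode("utf-8"), mac(text.encode("utf-8")).encode("utf-8"))
```

A message that an intermediary pretty-prints or reorders still passes `verify_clear`, while `verify_raw` only holds as long as every hop happens to reproduce the sender's exact bytes.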
