Hi,

On and off, the subject of possibly signing JSON without having to base64url encode it first has come up. Different solutions have been proposed, with different levels of strangeness.

To address this possibility, Anders Rundgren, Mike Jones, and I have taken some time to write two drafts that propose a solution for Cleartext JWS and JWE (I know it sounds funny with cleartext and encryption). We have worked hard to keep the new documents aligned with the existing JOSE documents, so anyone familiar with existing work will feel right at home with these two new drafts.

Below you can find the document abstracts and examples of how this would look.

https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws

*Cleartext JWS*

Cleartext JSON Web Signature (JWS) is a means of signing JSON objects directly without representing the JSON to be signed in a non-JSON representation, such as base64url-encoded JSON. The signature and information about the signature is added to the JSON object when it is signed. The signature calculation for signing the JSON object uses the predictable JSON serialization defined in ECMAScript version 6. Cleartext JWS builds on the JWS, JWA, and JWK specifications, reusing data structures and semantics from these specifications, where applicable.

{
  "iss": "joe",
  "exp": 1300819380,
  "escapeMe": "\u20ac$\u000F\u000aA'\u0042\u0022\u005c\\\"\/",
  "numbers": [1e+30,4.5,6],
  "__cleartext_signature": {
    "alg": "ES256",
    "kid": "example.com:p256",
    "signature": "pXP0GFHms0SntctNk1G1pHZfccVYdZkmAJktY_hpMsIAckzX7wZJIJNlsBzmJ1_7LmKATiW-YHHZjsYdT96JZw"
  }
}

https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jwe

*Cleartext JWE*

Cleartext JSON Web Encryption (JWE) is a means of representing encrypted content as a JSON object without representing JSON values to be integrity protected in a non-JSON representation, such as base64url-encoded JSON. The integrity protection calculation for the authenticated encryption performed uses the predictable JSON serialization defined in ECMAScript version 6. Cleartext JWE builds on the JWE, JWA, and JWK specifications, reusing data structures and semantics from these specifications, where applicable.

{
  "enc": "A256GCM",
  "alg": "dir",
  "kid": "a256bitkey",
  "iv": "764BCBnN8yMNu1tT",
  "tag": "6miH9pSBzQ-0nImMsvHmyQ",
  "ciphertext": "VZ3Zl0-vuFkZxCGJ_w5Q_SOVJTBVSw"
}

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
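
The signing idea in the Cleartext JWS abstract above, as an added example that is not part of the original message or the drafts: Node.js code that signs and verifies over the ES6 `JSON.stringify` output and shows that re-escaped or re-spaced JSON still verifies while reordered or modified JSON does not. The function names, the throwaway key pair, the three variant strings, and the choice to sign the object with the signature object present minus its `signature` member are assumptions of this sketch; the drafts define the normative procedure.

```javascript
// Added example (not from the drafts): Cleartext JWS idea using Node's built-in crypto.
const crypto = require('node:crypto');
const SIG = '__cleartext_signature'; // property name taken from the example in the post

// ES6 JSON.stringify keeps property creation order and normalizes string escapes
// and number formatting, so parse + stringify yields stable bytes to sign.
function signedBytes(obj) {
  // Assumption: everything is signed except the "signature" member itself.
  const { signature, ...header } = obj[SIG];
  return Buffer.from(JSON.stringify({ ...obj, [SIG]: header }), 'utf8');
}

function sign(jsonText, privateKey, kid) {
  const obj = JSON.parse(jsonText);
  obj[SIG] = { alg: 'ES256', kid };
  // JWS ES256 signatures are the fixed-length R||S form, not DER.
  const sig = crypto.sign('sha256', signedBytes(obj), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  obj[SIG].signature = sig.toString('base64url');
  return JSON.stringify(obj);
}

function verify(jsonText, publicKey) {
  const obj = JSON.parse(jsonText);
  const hdr = obj[SIG];
  // Pin the algorithm instead of trusting whatever "alg" the message carries.
  if (!hdr || hdr.alg !== 'ES256' || typeof hdr.signature !== 'string') return false;
  const sig = Buffer.from(hdr.signature, 'base64url');
  if (sig.length !== 64) return false;
  return crypto.verify('sha256', signedBytes(obj), { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
}

// Payload from the post, then constructed variants of the same message.
const SAMPLE = String.raw`{"iss":"joe","exp":1300819380,"escapeMe":"\u20ac$\u000F\u000aA'\u0042\u0022\u005c\\\"\/","numbers":[1e+30,4.5,6]}`;
const RESPELLED = String.raw`{ "iss": "joe", "exp": 1.30081938e9, "escapeMe": "€$\u000f\nA'B\"\\\\\"/", "numbers": [1E30, 4.50, 6.0] }`;
const REORDERED = String.raw`{"exp":1300819380,"iss":"joe","escapeMe":"€$\u000f\nA'B\"\\\\\"/","numbers":[1e+30,4.5,6]}`;

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const signed = sign(SAMPLE, privateKey, 'example.com:p256');
  const sigMember = JSON.stringify(JSON.parse(signed)[SIG]);
  const attach = (text) => text.replace(/\}\s*$/, () => `,"${SIG}":${sigMember}}`);
  return {
    original: verify(signed, publicKey),              // true
    respelled: verify(attach(RESPELLED), publicKey),  // true: same ES6 serialization
    reordered: verify(attach(REORDERED), publicKey),  // false: property order is signed
    tampered: verify(signed.replace('"joe"', '"eve"'), publicKey), // false
  };
}
```

Because property order is part of the signed bytes, any intermediary that re-serializes the object with a different member order invalidates the signature.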
