As you probably know, there is a published clear text JSON signature proposal (https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-00), which, though, hasn't received much attention.
Although I am a co-author, I have recently had second thoughts about this proposal due to a couple of issues which keep popping up:

1. There already is a firmly established JSON signature standard (JWS), making it difficult to get traction on the "developer market" for yet another standard, irrespective of its possible merits.

2. The Cleartext JWS I-D builds on a JSON property order preserving scheme defined in ECMAScript. However, the vendors of JSON tools for other platforms have shown no interest whatsoever in this mode of operation. If you look closer that's understandable since it could ultimately even affect compilers and class reflection mechanisms.

Fortunately, all is not doom and gloom. I have been investigating another approach for dealing with JSON property ordering (and more), recently published at: https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-00. This filter-like process can be used together with existing JSON tools.

Regarding the "marketing" problem, it is obvious that for addressing the core enhancement (keeping JSON data "as is" rather than shrouding it in Base64Url encoding), simply using the JWS standard in detached mode (https://tools.ietf.org/html/rfc7515#appendix-F) would cause considerably less fuss and objections than a brand new package and associated library support.

Such a combination has progressed well beyond the slideware state: https://mobilepki.org/jws-jcs/home

The idea is not only getting something useful out of the door quicker, but paving the way for features outside of the JWS standard. When the time is right.

I would appreciate any feedback on how you think we should proceed.

Cheers,
Anders
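The combination described in the message above (canonicalized JSON signed with JWS in detached mode, RFC 7515 Appendix F), as an added example that is not part of the original message or the author's implementation. The canonicalizer is a simplified stand-in (sorted properties, no whitespace, floats rejected), and the `signature` property name, the HS256 algorithm and any key passed in are assumptions.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _ser(value) -> str:
    # Simplified canonical form (assumption): properties sorted by UTF-16
    # code units, no whitespace; floats are rejected instead of normalized.
    if isinstance(value, dict):
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(_ser(k) + ":" + _ser(v) for k, v in items) + "}"
    if isinstance(value, list):
        return "[" + ",".join(_ser(v) for v in value) + "]"
    if isinstance(value, float):
        raise ValueError("floats are outside this simplified example")
    return json.dumps(value, ensure_ascii=False)

def canonicalize(value) -> bytes:
    return _ser(value).encode("utf-8")

HEADER = b64u(b'{"alg":"HS256"}')  # protected header, fixed for this example

def _mac(key: bytes, obj: dict) -> bytes:
    # JWS signing input: BASE64URL(header) "." BASE64URL(canonical payload)
    signing_input = f"{HEADER}.{b64u(canonicalize(obj))}".encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def sign(obj: dict, key: bytes, prop: str = "signature") -> dict:
    """Return obj in the clear plus a detached JWS ("header..signature")."""
    if prop in obj:
        raise ValueError(f"object already has a {prop!r} property")
    return {**obj, prop: f"{HEADER}..{b64u(_mac(key, obj))}"}

def verify(signed: dict, key: bytes, prop: str = "signature") -> bool:
    body = dict(signed)
    jws = body.pop(prop, None)
    parts = jws.split(".") if isinstance(jws, str) else []
    if len(parts) != 3 or parts[1] != "":   # payload slot must be empty
        return False
    try:
        header = json.loads(b64u_decode(parts[0]))
        claimed = b64u_decode(parts[2])
        expected = _mac(key, body)           # re-canonicalize what was received
    except ValueError:
        return False
    # Pin the algorithm; never let the received header choose it.
    return header == {"alg": "HS256"} and hmac.compare_digest(claimed, expected)
```

Because the verifier re-canonicalizes the received object, re-serializing the signed JSON with a different property order or indentation does not break the signature, while any change to a value does.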
