Since Open Banking's use of clear text signatures (enabled through HTTP
bindings and the downsides of that [1]), TEEP/OTrP's need for clear
text object type IDs (and the implications of that with respect to
signature validation [2]), as well as my own use of a hash only in a
novel counter signature scheme [3], haven't spurred a single comment
relating to the actual applications and how they {c|sh}ould make best
use of the existing or enhanced JOSE stack, there seems to be little
point continuing these discussions within the IETF.

I'm still waiting for messages pointing out why JCS isn't working
(beyond anecdotes from the XML/WS* era).

Since detached JWS signatures is already a de-facto standard in Open
Banking, claims that data to be signed SHOULD be encoded in alien
formats and then be embedded in specific signature containers can
safely be ignored unless somebody has a very compelling security story
to share with us.

Anyway, VMware have a US patent on JSON clear text signatures [6] so
maybe it is toast from that perspective as well? Although I'm not a
patent lawyer this smells prior art by a mile! To me it only adds
credibility to the idea since the concepts are virtually identical :-)

From the CBOR list I have gathered that the CBOR counterpart to JCS
[4,5] apparently is in a pretty bad shape. Carsten, you have a new
job :-)

thanx,
Anders

[1] http://lists.openid.net/pipermail/openid-specs-fapi/2018-November/001164.html
[2] https://www.ietf.org/mail-archive/web/jose/current/msg05810.html
[3] https://www.ietf.org/mail-archive/web/jose/current/msg05811.html
[4] https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
[5] https://mobilepki.org/jws-jcs
[6] https://patentimages.storage.googleapis.com/68/be/70/582930ff11703d/US20150341176A1.pdf
