On 18/03/16 00:21, Giriraj Bhojak wrote:
> I have been struggling with a basic question related to using signing and
> encryption for REST services.
>
> If the REST call (using JSON) happens over http or https via a browser, how
> can I ensure that the JSON payload is signed and encrypted, just like a SOAP
> request that is signed and encrypted?
>
> Is there a JavaScript component that I can use to implement JOSE for
> browser-based REST requests?
>
> Or am I interpreting this in a wrong way?

I think the answer given by Sergey was very good. I have added a few things below.

Disclaimer: I'm a developer in this space so my views may be slightly "colored" :-)

The initial problem, for which there's no easy workaround, is that browsers adhere to SOP (Same Origin Policy), making it less straightforward to create a signature for any server other than the one that generated the key.

Assuming that this is not a show-stopper, WebCrypto is suitable for creating the "technical" part of a signature (the signature value itself). The same goes for encryption.

Formatting of signed and encrypted JSON data is an entirely different story, where I have personally spent considerable time on an alternative to IETF's JOSE suite. A comparison can be found here:
https://cyberphone.github.io/openkeystore/resources/docs/jsonsignatures.html

However, the question was really about REST requests, which as far as I can tell mix rather poorly with JOSE and JCS unless we are talking about individual attributes rather than the entire message. Encryption of complete REST requests would need specific support to be useful, since attributes wouldn't be available until a request has been fully decrypted. It seems to me that the advantages of REST would be a bit limited in such a scenario, but I could be wrong.

FWIW, I'm not using WebCrypto much these days because SOP is too constraining for the kind of applications I'm working with. The following is a browser application which signs and encrypts data using platform-level keys. Messages are expressed in JSON using SOAP-like (but without any envelope) requests and responses:
https://test.webpki.org/webpay-merchant

Cheers,
Anders R
