[Openid-specs-fapi] Signatures in FAPI and W3C's PaymentRequest

Anders Rundgren anders.rundgren.net at gmail.com
Fri Dec 21 04:41:53 UTC 2018

Hi FAPIers,

There are multiple issues here but let me focus on a subject which I have spent considerable time and effort on,  namely "Signed JSON".

Since PaymentRequest is a JavaScript API running in a browser, FAPI's current HTTP-bound signature scheme is not applicable.

That is, the W3C have to come up with another model for https://www.w3.org/securepay/charter.html which is a pity since it means that JSON signature solutions (possibly even within a single application), will be different.

Effectively W3C's at this stage only known choices are:
- JWS [1]
- JWS-JCS [2, 3]
- Starting from scratch

Personally, I would be very surprised if the W3C settles on JWS because it pretty much destroys the API concept.


1] https://tools.ietf.org/html/rfc7515
2] Underpinning Internet-Draft: https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-02
3] On-line testing: https://mobilepki.org/jws-jcs/home

More information about the Openid-specs-fapi mailing list