[Openid-specs-fapi] Polish PSD2 API - JWS Detached

Anders Rundgren anders.rundgren.net at gmail.com
Thu Jan 18 14:28:54 UTC 2018


For me (with my special interests in JSON signatures...), I found that they, in similarity to Open Banking, use JWS in detached mode, which confirms my view that Base64Url-encoded "business messages" probably won't go that far.

Is detached JWS then the new "de-facto standard" for securing JSON business messages?  I hope not because it binds messages to HTTP, cannot be used in Web pages, cannot be embedded in other JSON messages, and needs quirky serialization schemes.

The following "JWS meets EcmaScript" signature scheme [*] seems like a possible alternative:

     {
         "amount": "2.55",
         "currency": "USD",
         "signature": {
             "alg": "ES256",
             "jwk": {
                 "kty": "EC",
                 "crv": "P-256",
                 "x": "PxlJQu9Q6dOvM4LKoZUh2XIe9-pdcLkvKfBfQk11Sb0",
                 "y": "6IDquxrbdq5ABe4-HQ78_dhM6eEBUbvDtdqK31YfRP8"
             },
             "val": "V3NauNJXINmJ5pnS7hDU9CmNS9y3_dXxmv5gcG0jDF_tUyuhWI3b2I_B5pESfiUxi3ueiE2nqOy4OasNDpG0lA"
         }
     }


*] Using ECMA-standardized JSON processing rules:

     // Parse the signed JSON message
     var obj = JSON.parse(jsonString);

     // Get the signature value
     var signatureValue = obj.signature.val;

     // "Canonicalization": drop the signature value and re-serialize
     delete obj.signature.val;
     var normalizedData = JSON.stringify(obj);

     // Now perform JOSE/JWS compatible crypto over normalizedData...
