[Openid-specs-fapi] Applying JWS/JCS to Open Banking standards
Anders Rundgren
anders.rundgren.net at gmail.com
Sat Nov 17 13:52:50 UTC 2018
*Current OB signature solution in a request scenario:*

POST /payments HTTP/1.1
x-jws-signature: TGlmZSdzIGEg5hdGlvbiA=..T2ggZ25bGVyIGdvaW5nIGRvd24gPw==
Content-Type: application/json

{
  "Data": {
    ...OB specific data..
  },
  "Risk": {
    ...OB specific data..
  }
}

*Enhanced JWS + JCS solution:*

POST /payments HTTP/1.1
Content-Type: application/json

{
  "Data": {
    ...OB specific data..
  },
  "Risk": {
    ...OB specific data..
  },
  "x-jws-signature": "TGlmZSdzIGEg5hdGlvbiA=..T2ggZ25bGVyIGdvaW5nIGRvd24gPw"
}

What's the advantage with that you may [rightfully] wonder? Well, signed data becomes a /self-contained object/ which can
- pass arbitrary proxies
- be stored in a database
- be embedded in another JSON object to for example support /countersigning/
etc. without losing its edge.
Anders
https://mobilepki.org/jws-jcs
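
One way to realise the embedded-signature layout from the message above, shown as an added example that is not code from the post, from Open Banking or from the JWS/JCS project. Assumptions: a detached JWS computed over the canonicalized object minus its "x-jws-signature" property, HS256 with a constructed key so that the standard library suffices, and a canonicalizer restricted to the non-float subset of JCS.

```python
import base64, hashlib, hmac, json

SIG_PROP = "x-jws-signature"   # property name used in the message above
KEY = b"constructed-demo-key"  # constructed sample key (assumption: HS256 for a stdlib-only demo)

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def canonicalize(value) -> bytes:
    """JCS-style canonical form, restricted to str/int/bool/None/list/dict (no floats)."""
    def ser(v):
        if isinstance(v, dict):
            # JCS orders properties by the UTF-16 code units of their names
            keys = sorted(v, key=lambda k: k.encode("utf-16-be"))
            members = (json.dumps(k, ensure_ascii=False) + ":" + ser(v[k]) for k in keys)
            return "{" + ",".join(members) + "}"
        if isinstance(v, list):
            return "[" + ",".join(ser(x) for x in v) + "]"
        if isinstance(v, float):
            raise TypeError("floats need ES6 number serialization, not covered here")
        return json.dumps(v, ensure_ascii=False)
    return ser(value).encode("utf-8")

def signing_input(header_b64: str, obj: dict) -> bytes:
    unsigned = {k: v for k, v in obj.items() if k != SIG_PROP}
    return (header_b64 + "." + b64u(canonicalize(unsigned))).encode()

def sign(obj: dict) -> dict:
    header_b64 = b64u(canonicalize({"alg": "HS256"}))
    mac = hmac.new(KEY, signing_input(header_b64, obj), hashlib.sha256).digest()
    return {**obj, SIG_PROP: header_b64 + ".." + b64u(mac)}  # detached JWS: empty payload part

def verify(obj: dict) -> bool:
    try:
        header_b64, payload, sig = obj[SIG_PROP].split(".")
        pad = "=" * (-len(header_b64) % 4)
        alg = json.loads(base64.urlsafe_b64decode(header_b64 + pad))["alg"]
        expected = hmac.new(KEY, signing_input(header_b64, obj), hashlib.sha256).digest()
        ok = hmac.compare_digest(b64u(expected).encode(), sig.encode())
    except (KeyError, ValueError, TypeError, AttributeError):
        return False
    # Pin the algorithm on the verifier side and require the detached (empty) payload part
    return ok and alg == "HS256" and payload == ""

# Constructed sample body; field values are placeholders, not Open Banking data
signed = sign({"Data": {"Amount": "10.00", "Currency": "GBP"}, "Risk": {}})
# Simulates a proxy or database that re-serializes with different order and whitespace
reparsed = json.loads(json.dumps(signed, indent=4, sort_keys=True))
```

Because verification canonicalizes before checking, `verify(reparsed)` holds even though the bytes on the wire changed, and `sign({"Inner": signed})` yields a countersigned object whose inner signature still verifies.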