[Openid-specs-fapi] RFC 8785 - JSON Canonicalization Scheme

Anders Rundgren anders.rundgren.net at gmail.com
Tue Jun 30 05:28:44 UTC 2020


In case you would like to test what you can do with JSON canonicalization, there are two public Web applications at your disposal:
Using JWS: https://mobilepki.org/jws-jcs
Using an "unwrapped" JWS called Java Signature Format (JSF): https://mobilepki.org/jsf-lab

A real-world implementation from OWASP using JSF: https://cyclonedx.org/use-cases/#authenticity

In Saturn, JSF is not only a security solution; it is also used for counter-signatures to simplify state-holding in payment systems.  That is, a two-phase payment works as follows:
Merchant - Bank

1. Signed request for a RESERVATION ->  Create and store a unique identifier in a reservation-record
2. <- Return signed authorization embedding the request as well as the unique identifier.
3. Signed request for a TRANSACTION embedding the previous message -> Bank verifies that it was the signer in #2, finds the record associated with the unique identifier, and that's about it.


By securely embedding related messages in each other (aka "Russian doll"), there is no need for external references to previous messages.
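The two-phase "Russian doll" exchange above, as an added example that is not code from JCS, JSF, Saturn or the post author. It uses a simplified RFC 8785 canonicalizer (strings, integers, booleans, null, arrays and objects; the ES6 number formatting for non-integers is not implemented, so floats are rejected), carries the signature as a property inside the signed object in the JSF style, and signs with HMAC-SHA256 under constructed demo keys rather than the asymmetric keys a real deployment would use. The names `KEYS`, `bank_reserve`, `bank_transact`, `run_two_phase`, the message shapes and the reservation-id format are assumptions made for the example.

```python
import copy
import hashlib
import hmac

# Constructed demo keys for this example; a real deployment signs with
# asymmetric keys, and the bank would hold only the merchant's public key.
KEYS = {"merchant": b"merchant-demo-key-0001", "bank": b"bank-demo-key-0001"}

_ESCAPES = {'"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f",
            "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def _canon_str(s):
    """Serialize a string the way ES6 JSON.stringify does: the short escapes in
    _ESCAPES, \\u00xx (lowercase hex) for other C0 controls, everything else literal."""
    return '"' + "".join(_ESCAPES.get(c, c if ord(c) >= 0x20 else "\\u%04x" % ord(c)) for c in s) + '"'


def canonicalize(value):
    """Simplified RFC 8785 serialization: no whitespace, object keys sorted by
    UTF-16 code units, literals and integers as-is (assumption: no floats)."""
    if value is True: return "true"
    if value is False: return "false"
    if value is None: return "null"
    if isinstance(value, int): return str(value)
    if isinstance(value, str): return _canon_str(value)
    if isinstance(value, list): return "[" + ",".join(map(canonicalize, value)) + "]"
    if isinstance(value, dict):
        keys = sorted(value, key=lambda k: k.encode("utf-16-be"))  # JCS order, not code-point order
        return "{" + ",".join(_canon_str(k) + ":" + canonicalize(value[k]) for k in keys) + "}"
    raise TypeError("unsupported JSON value: %r" % (value,))


def sign(obj, key_id, key):
    """JSF-style in-object signature: the header (algorithm, keyId) is part of
    the signed data; the "value" property is filled in afterwards."""
    signed = dict(obj)
    signed["signature"] = {"algorithm": "HS256", "keyId": key_id}
    mac = hmac.new(key, canonicalize(signed).encode("utf-8"), hashlib.sha256).hexdigest()
    signed["signature"]["value"] = mac
    return signed


def verify(obj, keys):
    """Return the keyId that signed obj, or raise ValueError."""
    sig = obj.get("signature") if isinstance(obj, dict) else None
    if not isinstance(sig, dict) or sig.get("algorithm") != "HS256" or sig.get("keyId") not in keys:
        raise ValueError("missing signature, unknown key or unsupported algorithm")
    probe = dict(obj)
    probe["signature"] = {k: v for k, v in sig.items() if k != "value"}
    expected = hmac.new(keys[sig["keyId"]], canonicalize(probe).encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(sig.get("value", "")).encode()):
        raise ValueError("signature mismatch")
    return sig["keyId"]


def bank_reserve(request, bank_db, keys):
    """Steps 1-2: verify the merchant's request, store a reservation record and
    return a bank-signed authorization that embeds the request verbatim."""
    merchant = verify(request, keys)
    reservation_id = "R-%04d" % (len(bank_db) + 1)  # assumption: real ids are unguessable
    bank_db[reservation_id] = {"merchant": merchant, "amount": request["amount"], "state": "reserved"}
    return sign({"@type": "Authorization", "reservationId": reservation_id, "request": request},
                "bank", keys["bank"])


def bank_transact(tx, bank_db, keys):
    """Step 3: everything the bank needs is inside the message: its own
    counter-signature on the embedded authorization, the embedded merchant
    request, and the reservation id that points at the stored record."""
    merchant = verify(tx, keys)
    auth = tx["authorization"]
    if verify(auth, keys) != "bank":
        raise ValueError("authorization was not counter-signed by the bank")
    if verify(auth["request"], keys) != merchant:
        raise ValueError("transaction signer differs from reservation signer")
    record = bank_db[auth["reservationId"]]
    if record["state"] != "reserved":
        raise ValueError("reservation already settled (replay)")
    record["state"] = "settled"
    return {"reservationId": auth["reservationId"], "merchant": merchant, "amount": auth["request"]["amount"]}


def run_two_phase(keys=KEYS):
    """Run the full exchange, then a tampered copy and a replay of the transaction."""
    bank_db = {}
    request = sign({"@type": "ReservationRequest", "amount": 1250, "currency": "EUR",
                    "merchantOrder": "ORD-42"}, "merchant", keys["merchant"])  # constructed input
    auth = bank_reserve(request, bank_db, keys)
    tx = sign({"@type": "TransactionRequest", "authorization": auth}, "merchant", keys["merchant"])
    settled = bank_transact(tx, bank_db, keys)
    tampered = copy.deepcopy(tx)
    tampered["authorization"]["request"]["amount"] = 1  # breaks every enclosing signature
    try:
        bank_transact(tampered, bank_db, keys); tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    try:
        bank_transact(tx, bank_db, keys); replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"request": request, "auth": auth, "tx": tx, "settled": settled, "bank_db": bank_db,
            "tamper_rejected": tamper_rejected, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    result = run_two_phase()
    print(canonicalize(result["auth"]))
    print(result["settled"], result["tamper_rejected"], result["replay_rejected"])
```

Because each outer signature is computed over the canonical form of the whole object, including the nested signed messages, a change to the embedded request invalidates the transaction, the authorization and the request at once; the bank never has to look up the earlier messages, only the record behind the reservation id, and the `state` flag makes the settlement one-shot.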


