Have you done work around how the JSON payload is sent over the wire from an encoding perspective? There's a debate about this on the OAuth 2 list right now as we're looking at using JSON envelopes for signatures.<div>
<br></div><div>Thanks,</div><div>--David</div><div><br><br><div class="gmail_quote">On Mon, Jul 5, 2010 at 9:01 PM, nara hideki <span dir="ltr"><<a href="mailto:hdknr@ic-tact.co.jp">hdknr@ic-tact.co.jp</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi, David,<br>
<br>
Let me know what you mentioned more precisely.<br>
We're using JSON Encryption Envelop to exchange privacy data.<br>
(Spec is here :<br>
<a href="http://bitbucket.org/Nat/jsonenc/src/tip/draft-sakimura-jsonenc-00.txt" target="_blank">http://bitbucket.org/Nat/jsonenc/src/tip/draft-sakimura-jsonenc-00.txt</a><br>
)<br>
It encrypt shared key in public key encryption and the payload<br>
of canonicalized JSON string is encrypted with that shared key.<br>
<br>
I think if those shared key is known, the payloads can be decrypted.<br>
You might have talked about other security issues which I'm missing.<br>
<br>
Best regards.<br>
---<br>
hdknr<br>
<br>
<br>
2010/6/28 David García <<a href="mailto:david.garcia@tractis.com">david.garcia@tractis.com</a>>:<br>
<div><div></div><div class="h5">> Hi Nat,<br>
><br>
> in those cases where public keys cannot be used, because parties are not<br>
> known yet, maybe using PBE (password based encryption) with random generated<br>
> pass could fit this need.<br>
> Those passwords could be stored bound to the contract and delivered to the<br>
> party after a challenge has been passed (f.ex auth process).<br>
><br>
> Best regards<br>
><br>
> Dave<br>
><br>
> 2010/6/25 Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>><br>
>><br>
>> I had a talk with Hide yesterday.<br>
>> We were talking on how to preserve the privacy of the end user among<br>
>> bunch of services.<br>
>><br>
>> The agreement we had was that we should encrypt the portion of the<br>
>> agreement specific to each server with different symmetric keys, then<br>
>> encrypt the symmetric keys with respective server's public key and<br>
>> OP's public key.<br>
>><br>
>> We are still discussing over the cases where parties are not<br>
>> determined at the time of the proposal and disclosing the parties to<br>
>> other parties are privacy risk.<br>
>> It is a bit challenging.<br>
>><br>
>> --<br>
>> Nat Sakimura (=nat)<br>
>> <a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
>> <a href="http://twitter.com/_nat_en" target="_blank">http://twitter.com/_nat_en</a><br>
>> _______________________________________________<br>
>> Specs-cx mailing list<br>
>> <a href="mailto:Specs-cx@lists.openid.net">Specs-cx@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-cx" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-cx</a><br>
><br>
><br>
><br>
> --<br>
> David Garcia<br>
> CTO<br>
> Tractis - Online contracts you can enforce<br>
> <a href="http://www.tractis.com" target="_blank">http://www.tractis.com</a><br>
> --<br>
> Email: <a href="mailto:david.garcia@tractis.com">david.garcia@tractis.com</a><br>
> Skype: deiffbcn<br>
> Blog: <a href="http://blog.negonation.com" target="_blank">http://blog.negonation.com</a><br>
> Linkedin: <a href="http://www.linkedin.com/in/davebcn" target="_blank">http://www.linkedin.com/in/davebcn</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Specs-cx mailing list<br>
> <a href="mailto:Specs-cx@lists.openid.net">Specs-cx@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-cx" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-cx</a><br>
><br>
><br>
_______________________________________________<br>
Specs-cx mailing list<br>
<a href="mailto:Specs-cx@lists.openid.net">Specs-cx@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-cx" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-cx</a><br>
</div></div></blockquote></div><br></div>