[Openid-specs-fapi] Signatures in FAPI and W3C's PaymentRequest
Anders Rundgren
anders.rundgren.net at gmail.com
Fri Dec 21 04:41:53 UTC 2018
Hi FAPIers,
There are multiple issues here but let me focus on a subject which I have spent considerable time and effort on, namely "Signed JSON".
Since PaymentRequest is a JavaScript API running in a browser, FAPI's current HTTP-bound signature scheme is not applicable.
That is, the W3C have to come up with another model for https://www.w3.org/securepay/charter.html which is a pity since it means that JSON signature solutions (possibly even within a single application) will be different.
Effectively, W3C's only known choices at this stage are:
- JWS [1]
- JWS-JCS [2, 3]
- Starting from scratch
Personally, I would be very surprised if the W3C settles on JWS because it pretty much destroys the API concept.
WDYT?
Anders
[1] https://tools.ietf.org/html/rfc7515
[2] Underpinning Internet-Draft: https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-02
[3] On-line testing: https://mobilepki.org/jws-jcs/home
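
Added example, not part of the original message and not code from the cited drafts: it contrasts a plain JWS compact token [1], where the payload is wrapped in base64url, with a JWS-JCS style object [2], where the JSON stays readable and carries a detached JWS computed over its canonical form. The HS256 key, the sample payload and the `signature` property name are assumptions made for illustration.

```javascript
// Added example: constructed key and payload; the "signature" property name is assumed.
const crypto = require("crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");
const KEY = Buffer.from("constructed-demo-key-not-for-production");
const HEADER = b64u(JSON.stringify({ alg: "HS256" }));
const hmac = (signingInput) =>
  b64u(crypto.createHmac("sha256", KEY).update(signingInput).digest());

// JCS-style canonical form: object keys sorted recursively, no whitespace,
// primitives serialized by JSON.stringify (ES6 rules).
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Plain JWS compact: the payload travels as base64url inside an opaque token.
function signJwsCompact(obj) {
  const payload = b64u(JSON.stringify(obj));
  return `${HEADER}.${payload}.${hmac(`${HEADER}.${payload}`)}`;
}

// JWS-JCS style: the payload stays JSON; a detached JWS ("header..signature")
// over the canonical form is added as one more property.
function signJwsJcs(obj) {
  const payload = b64u(canonicalize(obj));
  return { ...obj, signature: `${HEADER}..${hmac(`${HEADER}.${payload}`)}` };
}

// Verification re-canonicalizes the received object, so key order is irrelevant.
function verifyJwsJcs(signed) {
  const { signature, ...rest } = signed;
  if (typeof signature !== "string") return false;
  const parts = signature.split(".");
  if (parts.length !== 3 || parts[0] !== HEADER || parts[1] !== "") return false;
  const expected = Buffer.from(hmac(`${HEADER}.${b64u(canonicalize(rest))}`));
  const got = Buffer.from(parts[2]);
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```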