[Openid-specs-fapi] Polish PSD2 API - JWS Detached

Anders Rundgren anders.rundgren.net at gmail.com
Sat Jan 20 04:20:34 UTC 2018


I think it is time for the Open Banking UK folks to "come out of the closet" and
tell us if they intend (re)adjusting their specification to FAPI w.r.t. signatures,
or if they will stick with the detached solution.

Anders

On 2018-01-18 15:28, Anders Rundgren wrote:
> https://docs.polishapi.org/files/PolishAPI-business-part-draft_v0.8.3.pdf
> 
> For me (with my special interests in JSON signatures...), I found that they in similarity to Open Banking use JWS in detached mode which confirms my view that Base64Url-encoded "business messages" probably won't go that far.
> 
> Is detached JWS then the new "de-facto standard" for securing JSON business messages?  I hope not because it binds messages to HTTP, cannot be used in Web pages, cannot be embedded in other JSON messages, and needs quirky serialization schemes.
> 
> The following "JWS meets EcmaScript" signature scheme [*] seems like a possible alternative:
> 
>       {
>           "amount": "2.55",
>           "currency": "USD",
>           "signature": {
>               "alg": "ES256",
>               "jwk": {
>                   "kty": "EC",
>                   "crv": "P-256",
>                   "x": "PxlJQu9Q6dOvM4LKoZUh2XIe9-pdcLkvKfBfQk11Sb0",
>                   "y": "6IDquxrbdq5ABe4-HQ78_dhM6eEBUbvDtdqK31YfRP8"
>               },
>               "val": "V3NauNJXINmJ5pnS7hDU9CmNS9y3_dXxmv5gcG0jDF_tUyuhWI3b2I_B5pESfiUxi3ueiE2nqOy4OasNDpG0lA"
>           }
>       }
> 
> thanx,
> Anders
> 
> *] Using ECMA-standardized JSON processing rules:
> 
>       // Parse the signed JSON message
>       var obj = JSON.parse(jsonString);
> 
>       // Get the signature value
>       var signatureValue = obj.signature.val;
> 
>       // "Canonicalization":
>       delete obj.signature.val;
>       var normalizedData = JSON.stringify(obj);
> 
>       // Now perform JOSE/JWS compatible crypto...
> 
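
The parse / delete `signature.val` / `JSON.stringify` steps from the footnote above, carried through to ES256 signing and verification in Node.js, as an added example that is not code from the original post. The function names, the `trustedJwks` pin list and the run-time generated key pair are assumptions made for the demo; the pin check is included because verifying against the embedded `jwk` alone only shows the message is self-consistent, not who signed it.

```javascript
// Added example: the cleartext signature scheme from the post, with ES256.
const crypto = require('node:crypto');

const P1363 = 'ieee-p1363'; // raw r||s encoding, as JWS uses for ES256

// Signer: add the signature object without "val", serialize, sign, add "val".
function signMessage(message, privateKey, publicJwk) {
  const obj = JSON.parse(JSON.stringify(message)); // work on a copy
  const { kty, crv, x, y } = publicJwk;
  obj.signature = { alg: 'ES256', jwk: { kty, crv, x, y } };
  const normalizedData = JSON.stringify(obj);
  const sig = crypto.sign('sha256', Buffer.from(normalizedData, 'utf8'),
    { key: privateKey, dsaEncoding: P1363 });
  obj.signature.val = sig.toString('base64url');
  return JSON.stringify(obj);
}

// Verifier: the footnote's steps, plus a trust decision on the embedded key.
// trustedJwks is a hypothetical pin list of public JWKs the verifier accepts.
function verifyMessage(jsonString, trustedJwks) {
  let obj;
  try { obj = JSON.parse(jsonString); } catch (e) { return false; }
  const s = obj && obj.signature;
  if (!s || s.alg !== 'ES256' || !s.jwk || typeof s.val !== 'string') return false;
  // The embedded jwk is sender-controlled: accept it only if it is pinned.
  const pinned = trustedJwks.find((k) => k.kty === s.jwk.kty &&
    k.crv === s.jwk.crv && k.x === s.jwk.x && k.y === s.jwk.y);
  if (!pinned) return false;
  const sig = Buffer.from(s.val, 'base64url');
  if (sig.length !== 64) return false; // P-256: 32-byte r + 32-byte s
  delete s.val; // "Canonicalization"
  const normalizedData = JSON.stringify(obj);
  const key = crypto.createPublicKey({ key: pinned, format: 'jwk' });
  return crypto.verify('sha256', Buffer.from(normalizedData, 'utf8'),
    { key, dsaEncoding: P1363 }, sig);
}

// Constructed demo: fresh key pair, data fields taken from the post's sample.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwk = publicKey.export({ format: 'jwk' });
  const signed = signMessage({ amount: '2.55', currency: 'USD' }, privateKey, jwk);
  return {
    valid: verifyMessage(signed, [jwk]),
    tampered: verifyMessage(signed.replace('2.55', '9.55'), [jwk]),
    unpinned: verifyMessage(signed, []),
  };
}
console.log(demo());
```

Signer and verifier agree on the signed bytes only because both serialize with ECMAScript's `JSON.stringify`, which fixes property order and number formatting; a verifier on another JSON library has to reproduce that output exactly.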


