[Openid-specs-fapi] RFC 8785 - JSON Canonicalization Scheme

Anders Rundgren anders.rundgren.net at gmail.com
Tue Jun 30 05:28:44 UTC 2020


https://www.rfc-editor.org/rfc/rfc8785

In case you would like to test what you can do with JSON canonicalization, there are two public Web applications at your disposal:
Using JWS: https://mobilepki.org/jws-jcs
Using an "unwrapped" JWS called Java Signature Format (JSF): https://mobilepki.org/jsf-lab

A real-world implementation from OWASP using JSF: https://cyclonedx.org/use-cases/#authenticity

In Saturn, JSF is not only a security solution, it is also used for counter-signatures to simplify state-holding in payment systems.  That is, a two-phase payment works as follows:
Merchant - Bank

1. Signed request for a RESERVATION ->  Create and store a unique identifier in a reservation-record
2. <- Return signed authorization embedding the request as well as the unique identifier.
3. Signed request for a TRANSACTION embedding the previous message -> Bank verifies that it was the signer in #2, finds the record associated with the unique identifier and that's about it.

https://cyberphone.github.io/doc/saturn/hybrid-payment.html#6

By securely embedding related messages in each other (aka "Russian doll"), there is no need for external references to previous messages.

Enjoy!

Anders
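As an added illustration (not code from the post, nor from Saturn or the JSF project): a minimal RFC 8785 canonicalizer in Python, a JSF-style in-object signature computed over the canonical bytes with HMAC-SHA256 standing in for JSF's public-key algorithms, and the three-step reservation/transaction exchange above with each message embedded in the next. The number formatting is restricted to magnitudes below 1e15, and the keys, identifier and amount are constructed sample values.

```python
import hashlib, hmac, json

def canonicalize(value):
    """RFC 8785 (JCS): no whitespace, keys sorted by UTF-16 code units, ES6 numbers;
    json.dumps already gives the required minimal escaping (lowercase \\uXXXX)."""
    if value is None or isinstance(value, bool):
        return json.dumps(value)
    if isinstance(value, (int, float)):
        # ES6 Number#toString, restricted here (assumption) to |n| < 1e15: integral
        # values print without a fraction, others use Python's shortest repr.
        if value != value or abs(value) >= 1e15:
            raise ValueError("not a finite JSON number in the supported range")
        return str(int(value)) if value == int(value) else repr(value)
    if isinstance(value, str):
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, list):
        return "[" + ",".join(map(canonicalize, value)) + "]"
    if isinstance(value, dict) and all(isinstance(k, str) for k in value):
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        parts = (json.dumps(k, ensure_ascii=False) + ":" + canonicalize(v) for k, v in items)
        return "{" + ",".join(parts) + "}"
    raise TypeError(f"unsupported JSON value: {value!r}")

def _mac(key, obj):
    return hmac.new(key, canonicalize(obj).encode(), hashlib.sha256).hexdigest()

def sign(obj, key, prop="signature"):
    # JSF-style "unwrapped" signature: the signature object sits inside the signed JSON
    # and the MAC covers the canonical form with "value" absent (HMAC stands in for JWA).
    signed = dict(obj, **{prop: {"algorithm": "HS256"}})
    signed[prop]["value"] = _mac(key, signed)
    return signed

def verify(signed, key, prop="signature"):
    unsigned = dict(signed, **{prop: {k: v for k, v in signed[prop].items() if k != "value"}})
    return hmac.compare_digest(signed[prop]["value"], _mac(key, unsigned))

def two_phase_payment(merchant_key, bank_key):
    # 1. merchant signs the RESERVATION request (constructed sample values)
    request = sign({"type": "RESERVATION", "amount": 10.0, "currency": "EUR"}, merchant_key)
    # 2. bank verifies it, embeds it together with a fresh identifier and counter-signs
    assert verify(request, merchant_key)
    auth = sign({"type": "AUTHORIZATION", "reservationId": "res-0001", "request": request},
                bank_key)
    # 3. merchant embeds the authorization in the TRANSACTION and signs; the bank checks
    #    all three layers and needs no stored copy of the earlier messages
    tx = sign({"type": "TRANSACTION", "authorization": auth}, merchant_key)
    ok = (verify(tx, merchant_key) and verify(tx["authorization"], bank_key)
          and verify(tx["authorization"]["request"], merchant_key))
    return tx["authorization"]["reservationId"] if ok else None
```

Because every layer is re-serialized with JCS before verification, the receiver may parse and re-emit the embedded messages with any JSON library and the signatures still check.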

