[Openid-specs-fapi] External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval

Anders Rundgren anders.rundgren.net at gmail.com
Tue Sep 22 12:02:56 UTC 2020


On 2020-09-22 10:39, Freddi Gyara via Openid-specs-fapi wrote:
> 
> Around a year ago at least, most JWT libraries did not honour the ‘b64’ header (they simply ignored it). As a result, we ended up with signatures in the ecosystem where participants thought they were unencoded, but actually were and verification methods where they were trying to verify against un-encoded payloads. As you can imagine, it just caused a lot of confusion.
> 
> We paused the implementation under a waiver which expired a few months ago and we are beginning to see very few issues with usage of signatures in the ecosystem (after an initial round of incorrect implementations that have largely been fixed). TBH, payment volumes are low, but increasing and we haven’t seen a similar increase in support tickets or complaints around signature generation and validation.
> 
> The approach that is now followed is to b64 encode and sign the HTTP body, then drop the central part of the resulting JWT (as described in Appendix F).
> 

Hi Freddi,

I don't understand how to interpret this.  Do you mean that the HTTP body actually is B64 encoded?

If not, I don't see the point with b64-encoding.  I thought that was a part of a JWS library/encoder:
https://github.com/cyberphone/openkeystore/blob/ba7d8a9ec6b8c87dbad937481049dbcd81693a8d/library/src/org/webpki/jose/JOSESupport.java#L158

thanx,
Anders
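The failure mode Freddi describes (a verifier that ignores the RFC 7797 `b64` header and so hashes the wrong signing input) and the detached-signature construction of RFC 7515 Appendix F, as an added example that is not part of this thread and not code from any of the participants. It uses HS256 with a constructed key and body so it runs offline; the `honour_b64` switch is an assumption used to model a library that drops the header.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(encoded_header: str, body: bytes, unencoded: bool) -> bytes:
    # RFC 7797: with "b64": false the raw body is the payload part of the
    # signing input; otherwise the payload part is base64url(body).
    payload_part = body if unencoded else b64url(body).encode()
    return encoded_header.encode() + b"." + payload_part

def detached_jws(header: dict, body: bytes, key: bytes) -> str:
    # Detached JWS (RFC 7515 Appendix F): header..signature, payload omitted,
    # because the receiver already has the HTTP body.
    encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode())
    unencoded = header.get("b64") is False
    mac = hmac.new(key, signing_input(encoded_header, body, unencoded), hashlib.sha256)
    return f"{encoded_header}..{b64url(mac.digest())}"

def verify_detached(jws: str, body: bytes, key: bytes, honour_b64: bool = True) -> bool:
    # honour_b64=False models a library that ignores the b64 header and always
    # base64url-encodes the body before hashing, the bug described in the thread.
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not a detached JWS
    encoded_header, _, encoded_sig = parts
    header = json.loads(b64url_decode(encoded_header))
    unencoded = honour_b64 and header.get("b64") is False
    mac = hmac.new(key, signing_input(encoded_header, body, unencoded), hashlib.sha256)
    return hmac.compare_digest(b64url(mac.digest()), encoded_sig)

# Constructed demo values, not from any real deployment.
KEY = b"constructed-demo-key"
BODY = b'{"amount":"10.00","currency":"GBP"}'
HEADER_ENCODED = {"alg": "HS256"}
HEADER_UNENCODED = {"alg": "HS256", "b64": False, "crit": ["b64"]}
```

A signature made with the `b64: false` header only verifies when the receiving library honours that header; the same body signed with the default (encoded) header verifies either way, which is why dropping `b64: false` removes the interoperability trap.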

