[security-dev] Implementing JSON Security

Bill Burke bburke at redhat.com
Fri Aug 3 14:50:54 EDT 2012

Looks like you're encrypting the whole document?  Why not use S/MIME 


On 8/3/12 2:10 PM, Anil Saldhana wrote:
> Last few hours, I prototyped the outgoing json payload encryption that
> is described here:
> https://docs.jboss.org/author/display/SECURITY/Securing+JAX-RS+Payload
> On 08/02/2012 11:28 AM, Bill Burke wrote:
>> So why are you wasting your time with this?
>> On 8/2/12 12:26 PM, Anil Saldhana wrote:
>>> If Jackson needs to implement JSON security, they will have to code it.
>>> The pragmatic thing for Jackson would be to just incorporate this teeny
>>> library via maven dependency.
>>> On 08/02/2012 11:24 AM, Bill Burke wrote:
>>>> FYI, again, unless this works with Jackson, the de facto JSON parser,
>>>> you're probably not going to have many people taking advantage of this
>>>> work...
>>>> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>>>>> The German Researcher Axel Nennker created a separate project
>>>>> http://code.google.com/p/jsoncrypto/. He has given me commit rights so I
>>>>> can mavenize his project.
>>>>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>>>>> I created a wiki article.
>>>>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>>>> Will be adding more examples to this article.
>>>>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>>>>> Hi All,
>>>>>>>           as you know currently IETF is working on securing JSON.  The drafts
>>>>>>> are all available here:
>>>>>>> http://datatracker.ietf.org/wg/jose/
>>>>>>> So last week, I implemented at least the bare minimum we require to
>>>>>>> secure JSON.  But encryption is tricky given that there are a lot of
>>>>>>> algorithms that are not yet available in the JDK implementation but are
>>>>>>> available via the BouncyCastle project.
>>>>>>> Look at the supported table:
>>>>>>> http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>>>> While I was doing my implementation, I found out that there is a German
>>>>>>> researcher working on a project called xmldap.org and has implemented
>>>>>>> the drafts fully. He has been doing this for months. His license is MIT
>>>>>>> style.  I have requested him to create a separate independent project
>>>>>>> for JOSE so everybody can reuse his work, rather than create umpteen
>>>>>>> implementations.  He has agreed to work with me.
>>>>>>> http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>>>> Regards,
>>>>>>> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list