[security-dev] Implementing JSON Security

Bill Burke bburke at redhat.com
Sun Aug 5 23:16:15 EDT 2012


You underestimate our effect on things.  If you provide a vision for our 
users, then they will use it.  If they say, we want JSON Web Encryption, 
and you say, well, S/MIME is better, they will use S/MIME.

On 8/3/12 3:26 PM, Anil Saldhana wrote:
> Bill, I agree on the S/MIME part.
>
> But the challenge is we cannot control what the clients use. If they use
> JSON Web Encryption and JSON Web Signatures as their payload interacting
> with a JAX-RS implementation, then you will fall short.
>
> JWE and JWS are being standardized at IETF along with OAuth2. JSON Web
> Token (JWT) is one of the prominent tokens in use with OAuth2. Of course
> Eran complained loudly about JWT.
>
> On 08/03/2012 01:54 PM, Bill Burke wrote:
>> Also multipart/signed or a combination of multipart/signed and encrypted
>> is supported as well.  I've tried it out in Python as well.  So, JSON is
>> not required as a payload and you can sign or encrypt basically anything
>> you want.
>>
>> On 8/3/12 2:50 PM, Bill Burke wrote:
>>> Looks like you're encrypting the whole document?  Why not use S/MIME
>>> multipart/encrypted?
>>>
>>> http://docs.jboss.org/resteasy/docs/2.3.4.Final/userguide/html/ch38.html
>>>
>>> On 8/3/12 2:10 PM, Anil Saldhana wrote:
>>>> In the last few hours, I prototyped the outgoing JSON payload encryption that
>>>> is described here:
>>>> https://docs.jboss.org/author/display/SECURITY/Securing+JAX-RS+Payload
>>>>
>>>> On 08/02/2012 11:28 AM, Bill Burke wrote:
>>>>> So why are you wasting your time with this?
>>>>>
>>>>> On 8/2/12 12:26 PM, Anil Saldhana wrote:
>>>>>> If Jackson needs to implement JSON security, they will have to code it.
>>>>>> The pragmatic thing for Jackson would be to just incorporate this teeny
>>>>>> library via maven dependency.
>>>>>>
>>>>>> On 08/02/2012 11:24 AM, Bill Burke wrote:
>>>>>>> FYI, again, unless this works with Jackson, the de facto JSON parser,
>>>>>>> you're probably not going to have many people taking advantage of this
>>>>>>> work...
>>>>>>>
>>>>>>> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>>>>>>>> The German researcher Axel Nennker created a separate project
>>>>>>>> http://code.google.com/p/jsoncrypto/. He has given me commit rights so I
>>>>>>>> can mavenize his project.
>>>>>>>>
>>>>>>>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>>>>>>>> I created a wiki article.
>>>>>>>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>>>>>>>
>>>>>>>>> Will be adding more examples to this article.
>>>>>>>>>
>>>>>>>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>>>>>>>> Hi All,
>>>>>>>>>> as you know, the IETF is currently working on securing JSON.  The drafts
>>>>>>>>>> are all available here:
>>>>>>>>>> http://datatracker.ietf.org/wg/jose/
>>>>>>>>>>
>>>>>>>>>> So last week, I implemented at least the bare minimum we require to
>>>>>>>>>> secure JSON.  But encryption is tricky given that there are a lot of
>>>>>>>>>> algorithms that are not yet available in the JDK implementation but are
>>>>>>>>>> available via the BouncyCastle project.
>>>>>>>>>>
>>>>>>>>>> Look at the supported table:
>>>>>>>>>> http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>>>>>>>
>>>>>>>>>> While I was doing my implementation, I found out that there is a German
>>>>>>>>>> researcher working on a project called xmldap.org and has implemented
>>>>>>>>>> the drafts fully. He has been doing this for months. His license is MIT
>>>>>>>>>> style.  I have requested him to create a separate independent project
>>>>>>>>>> for JOSE so everybody can reuse his work, rather than create umpteen
>>>>>>>>>> implementations.  He has agreed to work with me.
>>>>>>>>>> http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Anil

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

