2:26 p.m.
Bill, I agree on the S/Mime part.
But the challenge is we cannot control what the clients use. If they use
JSON Web Encryption and JSON Web Signatures as their payload interacting
with a JAX-RS implementation, then you will fall short.
JWE and JWS are being standardized at IETF along with OAuth2. JSON Web
Token (JWT) is one of the prominent tokens in use with OAuth2. Of course
Eran complained loudly about JWT.
On 08/03/2012 01:54 PM, Bill Burke wrote:
Also multipart/signed or a combination of multipart/signed and
encrypted
is supported as well. I've tried it out in python as well. So, JSON is
not required as a payload and you can sign or encrypt basically anything
you want.
On 8/3/12 2:50 PM, Bill Burke wrote:
> Looks like you're encrypting the whole document? Why not use S/MIME
> multipart/encrypted?
>
> http://docs.jboss.org/resteasy/docs/2.3.4.Final/userguide/html/ch38.html
>
> On 8/3/12 2:10 PM, Anil Saldhana wrote:
>> Last few hours, I prototyped the outgoing json payload encryption that
>> is described here:
>> https://docs.jboss.org/author/display/SECURITY/Securing+JAX-RS+Payload
>>
>> On 08/02/2012 11:28 AM, Bill Burke wrote:
>>> So why are you wasting your time with this?
>>>
>>> On 8/2/12 12:26 PM, Anil Saldhana wrote:
>>>> If Jackson needs to implement JSON security, they will have to code it.
>>>> The pragmatic thing for Jackson would be to just incorporate this teeny
>>>> library via maven dependency.
>>>>
>>>> On 08/02/2012 11:24 AM, Bill Burke wrote:
>>>>> FYI, again, unless this works with Jackson, the de facto JSON
parser,
>>>>> you're probably not going to have many people taking advantage of
this
>>>>> work...
>>>>>
>>>>> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>>>>>> The German Researcher Axel Nennker created a separate project
>>>>>> http://code.google.com/p/jsoncrypto/. He has given me commit
rights so I
>>>>>> can mavenize his project.
>>>>>>
>>>>>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>>>>>> I created a wiki article.
>>>>>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>>>>>
>>>>>>> Will be adding more examples to this article.
>>>>>>>
>>>>>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>>>>>> Hi All,
>>>>>>>> as you know currently IETF is working on
securing JSON. The drafts
>>>>>>>> are all available here:
>>>>>>>> http://datatracker.ietf.org/wg/jose/
>>>>>>>>
>>>>>>>> So last week, I implemented at least the bare minimum we
require to
>>>>>>>> secure JSON. But encryption is tricky given that there
are a lot of
>>>>>>>> algorithms that are not yet available in the JDK
implementation but are
>>>>>>>> available via the BouncyCastle project.
>>>>>>>>
>>>>>>>> Look at the supported table:
>>>>>>>>
http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>>>>>
>>>>>>>> While I was doing my implementation, I found out that
there is a German
>>>>>>>> researcher working on a project called xmldap.org and has
implemented
>>>>>>>> the drafts fully. He has been doing this for months. His
license is MIT
>>>>>>>> style. I have requested him to create a separate
independent project
>>>>>>>> for JOSE so everybody can reuse his work, rather than
create umpteen
>>>>>>>> implementations. He has agreed to work with me.
>>>>>>>>
http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Anil