Also multipart/signed or a combination of multipart/signed and encrypted
is supported as well. I've tried it out in python as well. So, JSON is
not required as a payload and you can sign or encrypt basically anything
you want.
On 8/3/12 2:50 PM, Bill Burke wrote:
Looks like you're encrypting the whole document? Why not use S/MIME
multipart/encrypted?
http://docs.jboss.org/resteasy/docs/2.3.4.Final/userguide/html/ch38.html
On 8/3/12 2:10 PM, Anil Saldhana wrote:
> Last few hours, I prototyped the outgoing json payload encryption that
> is described here:
>
> https://docs.jboss.org/author/display/SECURITY/Securing+JAX-RS+Payload
>
> On 08/02/2012 11:28 AM, Bill Burke wrote:
>> So why are you wasting your time with this?
>>
>> On 8/2/12 12:26 PM, Anil Saldhana wrote:
>>> If Jackson needs to implement JSON security, they will have to code it.
>>> The pragmatic thing for Jackson would be to just incorporate this teeny
>>> library via maven dependency.
>>>
>>> On 08/02/2012 11:24 AM, Bill Burke wrote:
>>>> FYI, again, unless this works with Jackson, the de facto JSON parser,
>>>> you're probably not going to have many people taking advantage of this
>>>> work...
>>>>
>>>> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>>>>> The German Researcher Axel Nennker created a separate project
>>>>> http://code.google.com/p/jsoncrypto/. He has given me commit rights so I
>>>>> can mavenize his project.
>>>>>
>>>>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>>>>> I created a wiki article.
>>>>>>
>>>>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>>>>
>>>>>> Will be adding more examples to this article.
>>>>>>
>>>>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>>>>> Hi All,
>>>>>>> as you know currently IETF is working on securing JSON. The drafts
>>>>>>> are all available here:
>>>>>>>
>>>>>>> http://datatracker.ietf.org/wg/jose/
>>>>>>>
>>>>>>> So last week, I implemented at least the bare minimum we require to
>>>>>>> secure JSON. But encryption is tricky given that there are a lot of
>>>>>>> algorithms that are not yet available in the JDK implementation but are
>>>>>>> available via the BouncyCastle project.
>>>>>>>
>>>>>>> Look at the supported table:
>>>>>>>
>>>>>>> http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>>>>
>>>>>>> While I was doing my implementation, I found out that there is a German
>>>>>>> researcher working on a project called xmldap.org and has implemented
>>>>>>> the drafts fully. He has been doing this for months. His license is MIT
>>>>>>> style. I have requested him to create a separate independent project
>>>>>>> for JOSE so everybody can reuse his work, rather than create umpteen
>>>>>>> implementations. He has agreed to work with me.
>>>>>>>
>>>>>>> http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>>>>
>>>>>>> Regards,
>>>>>>> Anil
>>>>>>>
>>>>>>>
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/security-dev
>