[security-dev] Implementing JSON Security

Anil Saldhana Anil.Saldhana at redhat.com
Thu Aug 2 12:26:52 EDT 2012


If Jackson needs to implement JSON security, they will have to code it. 
The pragmatic thing for Jackson would be to just incorporate this teeny 
library via maven dependency.

On 08/02/2012 11:24 AM, Bill Burke wrote:
> FYI, again, unless this works with Jackson, the de facto JSON parser,
> you're probably not going to have many people taking advantage of this
> work...
>
> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>> The German researcher Axel Nennker created a separate project
>> http://code.google.com/p/jsoncrypto/. He has given me commit rights so I
>> can mavenize his project.
>>
>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>> I created a wiki article.
>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>
>>> Will be adding more examples to this article.
>>>
>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>> Hi All,
>>>>        as you know, the IETF is currently working on securing JSON.  The drafts
>>>> are all available here:
>>>> http://datatracker.ietf.org/wg/jose/
>>>>
>>>> So last week, I implemented at least the bare minimum we require to
>>>> secure JSON.  But encryption is tricky given that there are a lot of
>>>> algorithms that are not yet available in the JDK implementation but are
>>>> available via the BouncyCastle project.
>>>>
>>>> Look at the supported table:
>>>> http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>
>>>> While I was doing my implementation, I found out that there is a German
>>>> researcher working on a project called xmldap.org and has implemented
>>>> the drafts fully. He has been doing this for months. His license is MIT
>>>> style.  I have requested him to create a separate independent project
>>>> for JOSE so everybody can reuse his work, rather than create umpteen
>>>> implementations.  He has agreed to work with me.
>>>> http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>
>>>> Regards,
>>>> Anil
>>>>   


