[security-dev] Implementing JSON Security
Bill Burke
bburke at redhat.com
Fri Aug 3 14:54:53 EDT 2012
Also multipart/signed or a combination of multipart/signed and encrypted
is supported as well. I've tried it out in python as well. So, JSON is
not required as a payload and you can sign or encrypt basically anything
you want.
On 8/3/12 2:50 PM, Bill Burke wrote:
> Looks like you're encrypting the whole document? Why not use S/MIME
> multipart/encrypted?
>
> http://docs.jboss.org/resteasy/docs/2.3.4.Final/userguide/html/ch38.html
>
> On 8/3/12 2:10 PM, Anil Saldhana wrote:
>> Last few hours, I prototyped the outgoing json payload encryption that
>> is described here:
>> https://docs.jboss.org/author/display/SECURITY/Securing+JAX-RS+Payload
>>
>> On 08/02/2012 11:28 AM, Bill Burke wrote:
>>> So why are you wasting your time with this?
>>>
>>> On 8/2/12 12:26 PM, Anil Saldhana wrote:
>>>> If Jackson needs to implement JSON security, they will have to code it.
>>>> The pragmatic thing for Jackson would be to just incorporate this teeny
>>>> library via maven dependency.
>>>>
>>>> On 08/02/2012 11:24 AM, Bill Burke wrote:
>>>>> FYI, again, unless this works with Jackson, the de facto JSON parser,
>>>>> you're probably not going to have many people taking advantage of this
>>>>> work...
>>>>>
>>>>> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>>>>>> The German Researcher Axel Nennker created a separate project
>>>>>> http://code.google.com/p/jsoncrypto/. He has given me commit rights so I
>>>>>> can mavenize his project.
>>>>>>
>>>>>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>>>>>> I created a wiki article.
>>>>>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>>>>>
>>>>>>> Will be adding more examples to this article.
>>>>>>>
>>>>>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>>>>>> Hi All,
>>>>>>>> as you know currently IETF is working on securing JSON. The drafts
>>>>>>>> are all available here:
>>>>>>>> http://datatracker.ietf.org/wg/jose/
>>>>>>>>
>>>>>>>> So last week, I implemented at least the bare minimum we require to
>>>>>>>> secure JSON. But encryption is tricky given that there are a lot of
>>>>>>>> algorithms that are not yet available in the JDK implementation but are
>>>>>>>> available via the BouncyCastle project.
>>>>>>>>
>>>>>>>> Look at the supported table:
>>>>>>>> http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>>>>>
>>>>>>>> While I was doing my implementation, I found out that there is a German
>>>>>>>> researcher working on a project called xmldap.org and has implemented
>>>>>>>> the drafts fully. He has been doing this for months. His license is MIT
>>>>>>>> style. I have requested him to create a separate independent project
>>>>>>>> for JOSE so everybody can reuse his work, rather than create umpteen
>>>>>>>> implementations. He has agreed to work with me.
>>>>>>>> http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Anil
>>>>>>>>
>>>>>>>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the security-dev
mailing list