RustCrypto / JOSE

Pure Rust implementation of JavaScript Object Signing and Encryption (JOSE)

Feature signing and verifying? #67

Open wellcaffeinated opened 3 months ago

wellcaffeinated commented 3 months ago

Hi, I like how this library is organized, but I'm struggling to find a way to do the following:

  1. Create a JWK from system randomness
  2. Create a signature with that key
  3. Verify the signature with a JWK

Is this library capable of doing this yet? Or is it still in progress?

tarcieri commented 3 months ago

You can call it "in progress"; however, work in this repo has largely stalled.

wellcaffeinated commented 3 months ago

Ah thanks. Just curious... It seems like almost all JOSE libraries have stalled in their development. Is there a larger reason for this? I've heard of some security flaws in the protocol. Are there alternatives we should be considering?

tarcieri commented 3 months ago

In the case of this repo I think the original contributors simply lost interest.

For signatures you can just sign data directly without involving some other protocol. X.509 SPKI provides a widely-used public key format which is supported by all of our crates.

npmccallum commented 3 months ago

Interest, no. Resources, yes.

wellcaffeinated commented 3 months ago

Ok thanks. I'm storing keys in a larger data structure that can be formatted as JSON, hence my interest in JWK.

I suppose I could do away with any JWS formatting and just encode the signature directly as base64 or similar...
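The two public key encodings that come up in this thread, X.509 SPKI and JWK, shown side by side for one Ed25519 key. This is an added example, not part of the original discussion and not code from this repository or any RustCrypto crate. It assumes an Ed25519 key; the function names are hypothetical, the sample key is the published RFC 8032 test vector, and key generation and signing are left out.

```rust
// Added example, std only: no RustCrypto crate API is used or implied.
/// DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410, OID 1.3.101.112).
const ED25519_SPKI_PREFIX: [u8; 12] =
    [0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00];

/// Public key from RFC 8032 section 7.1, test 1 (published test vector).
const SAMPLE_PK: [u8; 32] = [
    0xd7, 0x5a, 0x98, 0x01, 0x82, 0xb1, 0x0a, 0xb7, 0xd5, 0x4b, 0xfe, 0xd3, 0xc9, 0x64, 0x07, 0x3a,
    0x0e, 0xe1, 0x72, 0xf3, 0xda, 0xa6, 0x23, 0x25, 0xaf, 0x02, 0x1a, 0x68, 0xf7, 0x07, 0x51, 0x1a,
];

/// Unpadded base64url (RFC 4648 section 5), the encoding JWK uses for key bytes.
fn b64url(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let mut n = 0u32;
        for (i, b) in chunk.iter().enumerate() {
            n |= (*b as u32) << (16 - 8 * i);
        }
        for j in 0..=chunk.len() { // 1 byte -> 2 chars, 2 -> 3, 3 -> 4
            out.push(T[((n >> (18 - 6 * j)) & 0x3f) as usize] as char);
        }
    }
    out
}

/// Wrap a raw Ed25519 public key as SPKI DER (44 bytes).
fn to_spki_der(pk: &[u8; 32]) -> Vec<u8> {
    let mut der = ED25519_SPKI_PREFIX.to_vec();
    der.extend_from_slice(pk);
    der
}

/// Recover the raw key, rejecting any other algorithm identifier or length.
fn from_spki_der(der: &[u8]) -> Option<[u8; 32]> {
    if der.len() != 44 || &der[..12] != &ED25519_SPKI_PREFIX[..] {
        return None;
    }
    let mut pk = [0u8; 32];
    pk.copy_from_slice(&der[12..]);
    Some(pk)
}

/// Public JWK for the same key (RFC 8037, key type OKP).
fn to_jwk(pk: &[u8; 32]) -> String {
    format!(r#"{{"kty":"OKP","crv":"Ed25519","x":"{}"}}"#, b64url(pk))
}
fn main() { println!("{}\n{:02x?}", to_jwk(&SAMPLE_PK), to_spki_der(&SAMPLE_PK)); }
```

Both forms carry the same 32 key bytes; the SPKI parser refuses input whose algorithm identifier is not Ed25519, so a key cannot be reinterpreted under a different algorithm.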

tarcieri commented 3 months ago

@wellcaffeinated all of the signature algorithm implementations we maintain have serde support.

juliankrieger commented 2 months ago

I am interested in further developing this library because RFC 8995 extensions need it. How would I go about contributing?

tarcieri commented 2 months ago

@juliankrieger perhaps sketch out what you have in mind here, and then open a PR which implements it