Supporting signatures

[fterpstra]

would you consider supporting signatures of cityJSON files, for instance using the Jason Web Signature standard (https://www.rfc-editor.org/rfc/rfc7515.txt)? This would be a nice feature that enables a user to verify the authentic source of a city JSON document regardless of the way he acquired it.

[hugoledoux]

I read a bit, and I think it'd be a nice addition. I propose you make an example and describe how that would work? If you added a section in the file docs/specs.rst in the same style as the other ones and send me a PR I'd be very happy to accept it. Or perhaps it should be part of metadata, does that make sense conceptually? I'll let you decide, or we can discuss further in this thread.

You could also had an example in the file example-datasets/dummy-values/example.json.

I'll take care of updating the schema.

[fterpstra]

Hi Hugo, I did some more research on this and discussed my findings in the OGC security DWG. Basic conclusion is that rfc7515 is not very suitable. It is an enveloping signature format which means that if you use it your cityJSON payload will repackeged as Base64encoded data inside a signature format. It is not an Enveloped signature format where the signature would just be an optional extra element in your cityJSON format. I think the enveloping approach is not very user friendly for people who do not want to check the integrity of data. Unfortunately at the moment there are no suitable enveloped JSON signature signature alternatives. https://cyberphone.github.io/doc/security/jcs.html does exist and is technically what I intended for digital signatures in JSON, but it is not a real standard and there is just one(or very few) implementation(s). We are going to discuss this in the joint OGC/W3C spatial data on the web working group and see if maybe W3C sees a good solution for this.

[hugoledoux]

CityJSON is also under the w3c/ogc umbrella now (incubation period), so perfect!

Thanks for the update.