paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

Arbitrary payload signing use cases? #90

Closed anweiss closed 3 years ago

anweiss commented 5 years ago

In its current state, can paseto be used to simply sign arbitrary payloads ... e.g. generic JSON or any base64 encoded value? Looking for an alternative to JWS and came across paseto, but it seems to be primarily focused on claims and an alternative to JWTs.

paragonie-scott commented 5 years ago

There's actually two components to PASETO:

  1. The encryption/signing layer.
  2. The JSON token (claims) layer.

You can pull out just Version1 and Version2 and use them for arbitrary text. We just built a token API on top of them in PASETO proper.

Alternatively: drop everything into a footer if you're only using v2.public (which uses Ed25519), since those are arbitrary data.

anweiss commented 5 years ago

@paragonie-scott in your second example where everything is dropped into a footer if only v2.public is used, is it assumed that the message, m, is therefore empty and the footer, f, houses the arbitrary data? As written, the spec seems to require a message, m, and only the footer, f, is optional. Thus the message format becomes as follows:

version.purpose.footer

paragonie-security commented 3 years ago

@anweiss The message part contains the signature and/or MAC, so it's not possible to have an empty message there.
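
The point made in the replies above, as an added Go example that is not part of this thread or of the paragonie/paseto code base: it follows the v2.public construction (one Ed25519 signature over the pre-authentication encoding of header, message and footer) and shows that a token carrying its data only in the footer still has a payload segment, because that segment is where the 64-byte signature lives. All function and variable names (`pae`, `sign`, `verify`, `demoKey`, `demoPub`) and the sample footer are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

const header = "v2.public."
var b64 = base64.RawURLEncoding                    // unpadded base64url
var demoPub, demoKey, _ = ed25519.GenerateKey(nil) // throwaway demo key pair

// pae: piece count, then each piece length-prefixed (64-bit little-endian).
func pae(pieces ...[]byte) []byte {
	out := binary.LittleEndian.AppendUint64(nil, uint64(len(pieces)))
	for _, p := range pieces {
		out = append(binary.LittleEndian.AppendUint64(out, uint64(len(p))), p...)
	}
	return out
}

// sign covers header, message m and footer f with one Ed25519 signature.
func sign(sk ed25519.PrivateKey, m, f []byte) string {
	body := append(append([]byte{}, m...), ed25519.Sign(sk, pae([]byte(header), m, f))...)
	return strings.TrimSuffix(header+b64.EncodeToString(body)+"."+b64.EncodeToString(f), ".")
}

// verify returns message and footer only when the signature covers both.
func verify(pk ed25519.PublicKey, tok string) ([]byte, []byte, error) {
	p64, f64, _ := strings.Cut(strings.TrimPrefix(tok, header), ".")
	body, e1 := b64.DecodeString(p64)
	f, e2 := b64.DecodeString(f64)
	n := len(body) - ed25519.SignatureSize // payload = m || 64-byte signature
	if !strings.HasPrefix(tok, header) || e1 != nil || e2 != nil || n < 0 {
		return nil, nil, fmt.Errorf("malformed v2.public token")
	}
	if !ed25519.Verify(pk, pae([]byte(header), body[:n], f), body[n:]) {
		return nil, nil, fmt.Errorf("invalid signature")
	}
	return body[:n], f, nil
}

func main() {
	// Empty message, arbitrary data in the footer (constructed sample).
	tok := sign(demoKey, nil, []byte(`{"note":"constructed sample"}`))
	m, f, err := verify(demoPub, tok)
	fmt.Println(tok, len(m), string(f), err)
}
```

With an empty message the middle segment is exactly the base64url of the signature, and changing the footer or dropping that segment makes verification fail.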

paragonie-security commented 3 years ago

I'm going to close this. If you still have a question, please let us know.

https://github.com/paseto-standard/paseto-spec is where the specification lives now