Closed llemeurfr closed 5 years ago
I am not an expert in this area, but I stumbled across these references:
JSON Web Signature (JWS): "JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification."
JSON Web Algorithms (JWA): "This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers."
JSON Web Key (JWK): "A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification."
JSON Web Encryption (JWE): "JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification."
These are all proposed RFC standards. Bottom line: there are a number of JSON-based specifications that could be used...
How many creators of EPUB sign their EPUBs? Do any existing audiobook workflows or formats involve digitally signing the files? Blackstone's format does provide a way to record the hash of the individual audio files... is this enough for existing uses?
At least for now [audiobooks] (and likely long term), I'd just expunge signature.xml.
We (Blackstone) do not digitally sign our audio or epubs. We do (as @dauwhe mentions) gather an MD5, which is used by our apps to validate a download is complete. Could be facilitated with w3c/wpub#398 ?
I have a preference for something like https://github.com/w3c/wpub/issues/398, just as @geoffjukes proposes. Having yet another separate file sounds over the top; having slots in the metadata file for some sort of a checksum sounds reasonable (and also mimics what happens elsewhere).
@dauwhe actually at Hachette Livre digital distribution, we do sign our EPUBs and send the MD5 in the ONIX feed describing the file. That's systematic.
A signature of the JSON won't be a signature of the package nor its contents, so the scenarios and moment of verification should be considered thoroughly.
This issue was discussed in a meeting.
Proposal:
This issue was discussed in a meeting.
RESOLVED: Don’t define a signature mechanism (certainly not signature.xml!)
no update needed.
The new packaging format should not mix xml with json. Therefore the reuse of the signature.xml file is not the way to go and we have to find a "json" way to handle the signature of WP resources.