msporny
commented
6 years ago I suggest that browsers MAY verify signatures, but are not required to... the job of verifying the signatures is for the endpoints. We should be decoupling what the browser does (message passing) from the smarts of the edges of the network.
If you make browsers the gatekeeper of the crypto used, then they become the gatekeepers of how security is done in payments. The browsers should be "dumb pipes", where the smarts are pushed out to the edges (where the expertise in payments and security resides).
IF the group is considering the RFC above, then I also suggest it looks into Linked Data Signatures for at least the following reasons:
- The signatures are JWS compatible.
- It's shipping in production. E.g. Mastodon has shipped LD Signatures to over a million users.
- LD Signatures are the basis for the VCWG work.
- All of the W3C Credentials Community Group work is based on Linked Data Signatures.
- Between 10%-19% of all domains on the Web now publish LD as JSON-LD.
- You can express the signatures w/o re-signing in multiple syntaxes.
- They deal with ensuring the semantics of the messages are correct.
- They're fast - under 1ms to normalize web payments-like messages, signing takes the same amount of time as JWS.
Arguments against are:
There is still active development on the specs as we get implementation feedback from implementers.
The only reason I'm bringing this up is because this particular issue is considering a more experimental path forward.
More here:
https://w3c-dvcg.github.io/ld-signatures/
and here:
stpeter
ianbjacobs
adrianhopebailie
https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https%3A%2F%2Fraw.githubusercontent.com%2Ferdtman%2FCleartext-JOSE%2Fmaster%2Fdraft-erdtman-jose-cleartext-jws.xml
Currently an early draft but may be worth considering for signatures as this schema would be easier to express in WebIDL and validate in a browser.