Simple, foolproof standard for signing arbitrary data.
- Supports arbitrary message encodings, not just JSON.
- Authenticates both the message and its declared type (`payloadType`), so the same bytes cannot be re-interpreted as a different kind of message (type-confusion attacks).
- Signs the raw serialized bytes rather than a canonical form, so verifiers need no canonicalization code, which reduces attack surface.
- Allows any desired crypto primitives or libraries.
See Background for more information, including design considerations and rationale.
Specifications for:
- Protocol (required)
- Data structure, a.k.a. "Envelope" (recommended)
- (pending #9) Suggested crypto primitives
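As an added illustration of the Protocol and Envelope specifications (this is example code written for this page, not the project's own implementation), the following builds the v1 pre-authentication encoding `PAE(type, body)`, wraps a payload in the JSON envelope, and verifies it by recomputing the PAE from the decoded bytes. DSSE leaves the signature primitive open, so the example uses HMAC-SHA256 as a stand-in (an assumption for a stdlib-only demo; a real deployment would plug in a public-key signature such as Ed25519). The key, key ID and payload type are constructed sample values; the demo also shows that a tampered `payloadType` is rejected even though the payload bytes and signature are unchanged.

```python
import base64
import hashlib
import hmac
import json


def pae(payload_type, payload):
    """DSSE v1 Pre-Authentication Encoding (protocol.md):
    "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body,
    where LEN is the byte length in ASCII decimal. Length-prefixing both
    fields is what stops bytes from being shifted between type and body."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


# Stand-in primitive (assumption for this example): HMAC-SHA256 over the PAE.
# DSSE itself does not mandate a primitive; swap in a real signature scheme.
def make_hmac_signer(key):
    return lambda msg: hmac.new(key, msg, hashlib.sha256).digest()


def make_hmac_verifier(key):
    sign = make_hmac_signer(key)
    return lambda msg, sig: hmac.compare_digest(sign(msg), sig)


def sign_envelope(payload_type, payload, keyid, sign):
    """Produce the envelope.md structure; the payload travels as opaque base64."""
    sig = sign(pae(payload_type, payload))
    return json.dumps({
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid,
                        "sig": base64.b64encode(sig).decode("ascii")}],
    })


def verify_envelope(envelope_json, expected_type, verifiers):
    """Return (payload_bytes, accepted_keyids) or raise ValueError.
    The PAE is rebuilt from the *decoded* payload, so neither the payload
    nor the envelope JSON ever needs a canonical form."""
    env = json.loads(envelope_json)
    if env["payloadType"] != expected_type:
        raise ValueError("unexpected payloadType: %r" % env["payloadType"])
    payload = base64.b64decode(env["payload"])
    msg = pae(env["payloadType"], payload)
    accepted = set()
    for s in env["signatures"]:
        verify = verifiers.get(s.get("keyid"))  # keyid is only a lookup hint
        if verify and verify(msg, base64.b64decode(s["sig"])):
            accepted.add(s["keyid"])
    if not accepted:
        raise ValueError("no signature from a trusted key verified")
    return payload, accepted


def demo():
    key = b"constructed-demo-key"  # constructed sample key, not from the spec
    verifiers = {"demo-key": make_hmac_verifier(key)}
    ptype = "http://example.com/HelloWorld"
    env = sign_envelope(ptype, b"hello world", "demo-key", make_hmac_signer(key))

    # Re-serialising the envelope with different whitespace changes nothing:
    # the signature covers PAE(type, decoded payload), not the JSON text.
    reserialised = json.dumps(json.loads(env), indent=2)
    payload, keys = verify_envelope(reserialised, ptype, verifiers)

    # Type confusion attempt: same payload bytes, same signature, new type.
    confused = json.loads(env)
    confused["payloadType"] = "http://example.com/SomethingElse"
    try:
        verify_envelope(json.dumps(confused), confused["payloadType"], verifiers)
        confused_accepted = True
    except ValueError:
        confused_accepted = False
    return payload, keys, confused_accepted


if __name__ == "__main__":
    print(pae("http://example.com/HelloWorld", b"hello world"))
    print(demo())
```

The verifier checks `payloadType` against what it expects before it parses the payload, treats `keyid` purely as a hint for key lookup, and reports which trusted keys verified so a caller can apply its own threshold policy.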
Out of scope (for now at least):
- Key management / PKI / exclusive ownership
- Why not raw signatures? Too fragile: nothing binds the signature to the message's type, so signed bytes can be replayed as a different kind of message.
- Why not JWS? Too many insecure implementations and features.
- Why not PASETO? JSON-specific, too opinionated.
- Why not the legacy TUF/in-toto signature scheme? JSON-specific, relies on canonicalization.
See Background for further motivation.