Skip to content

A specification for signing methods and formats used by Secure Systems Lab projects.

License

Notifications You must be signed in to change notification settings

patricklawsongoogle/dsse

 
 

Repository files navigation

DSSE: Dead Simple Signing Envelope

Simple, foolproof standard for signing arbitrary data.

Features

  • Supports arbitrary message encodings, not just JSON.
  • Authenticates the message and the type to avoid confusion attacks.
  • Avoids canonicalization to reduce attack surface.
  • Allows any desired crypto primitives or libraries.

See Background for more information, including design considerations and rationale.

What is it?

Specifications for:

  • Protocol (required)
  • Data structure, a.k.a. "Envelope" (recommended)
  • (pending #9) Suggested crypto primitives

Out of scope (for now at least):

Why not...?

  • Why not raw signatures? Too fragile.
  • Why not JWS? Too many insecure implementations and features.
  • Why not PASETO? JSON-specific, too opinionated.
  • Why not the legacy TUF/in-toto signature scheme? JSON-specific, relies on canonicalization.

See Background for further motivation.

Who uses it?

About

A specification for signing methods and formats used by Secure Systems Lab projects.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Jupyter Notebook 86.8%
  • Python 13.2%