JSON Web Signature: Difference between revisions

From Wikipedia, the free encyclopedia
Latest revision as of 09:02, 21 May 2024

JWS (JSON Web Signature)
Abbreviation: JWS
Status: Proposed Standard
Organization: IETF
Committee: IESG (Internet Engineering Steering Group)
Authors: Michael B. Jones (Microsoft), John Bradley (Ping Identity), Nat Sakimura (NRI)
Base standards: JSON
Related standards: HMAC-based one-time password, JSON Web Algorithms (JWA), JSON Web Encryption (JWE), JSON Web Token (JWT), Secure Hash Algorithm 2 (SHA-2)
Domain: Data exchange
Website: https://datatracker.ietf.org/doc/html/rfc7515

A JSON Web Signature (abbreviated JWS) is an IETF Proposed Standard (RFC 7515) for signing arbitrary data.[1] It is the basis for a variety of web-based technologies, including JSON Web Token (JWT).

Purpose

JWS is a way to ensure the integrity of information in a highly serializable, machine-readable format: a JWS carries the information together with proof that it has not changed since it was signed, and, when an asymmetric algorithm is used, proof of who signed it. It can be used for sending information from one web site to another and is aimed especially at communications on the web. The specification also defines a compact serialization, a URL-safe string made of three base64url-encoded parts (protected header, payload and signature) separated by dots, intended for space-constrained places such as HTTP Authorization headers and URI query parameters.[2] The signature covers both the protected header and the payload, so neither can be altered without invalidating it.

Examples

Web commerce

JWS can be used for applications in which digitally signed information must be sent in a machine-readable format, such as e-commerce. For example, say a user named Bob is browsing widget prices on a web site (widgets.com) and wishes to get a quote on one of them. widgets.com could provide Bob with a JWS object containing all relevant information about the widget, including the price, signed with its private key. Bob would then hold a non-repudiable price quote for the product: anyone with widgets.com's public key can verify it, and widgets.com cannot later deny having issued it. Non-repudiation depends on the choice of algorithm; with a shared-secret HMAC algorithm such as HS256, every holder of the key could have produced the signature, so only an asymmetric algorithm (for example RS256 or ES256) gives this property.

Access to third-party resources

Suppose Widgets.com and WidgetStorage.com have a deal in which WidgetStorage.com will accept coupons from Widgets.com in exchange for traffic. Widgets.com could issue a JWS giving Bob a 10% discount on the WidgetStorage.com site. Again, because the data is signed, WidgetStorage.com can verify with Widgets.com's public key that Widgets.com issued the coupon. If the data were not signed, Bob could change his discount to 50% and no one could tell just from looking at the data. The signature only proves origin and integrity; whether the coupon is tied to Bob, can be used once, or expires is a matter of what Widgets.com puts in the signed payload and what WidgetStorage.com checks.
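The compact serialization described under Purpose, applied to the price-quote scenario above. This is an added example and not code from the Wikipedia article or from any JWS implementation it cites. It uses only the Python standard library and therefore the HMAC-based HS256 algorithm (integrity and origin authentication for parties sharing the key, but not the non-repudiation an asymmetric signature gives). It first reproduces the HS256 test vector from RFC 7515 Appendix A.1 (whose header and payload contain CRLF and a space exactly as printed in the RFC), then signs a constructed quote with a constructed shared secret, shows that a copy with an edited price fails verification, and refuses a header naming an algorithm other than the one the verifier expects. The function names, the key and the quote values are this example's own assumptions.

```python
"""Minimal JWS compact serialization (RFC 7515) with HMAC-SHA256 ("HS256").
Added example code; not from the article or any cited implementation."""
import base64
import hashlib
import hmac
import json


class InvalidSignature(Exception):
    """Raised when a JWS fails verification."""


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 section 2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(header_json: bytes, payload: bytes, key: bytes) -> str:
    """Return BASE64URL(header) '.' BASE64URL(payload) '.' BASE64URL(signature),
    where the signature is HMAC-SHA256 over the ASCII signing input.
    The caller passes the exact header bytes because they are what gets signed."""
    header = json.loads(header_json)
    if header.get("alg") != "HS256":
        raise ValueError("this signer only implements HS256")
    signing_input = b64url_encode(header_json) + "." + b64url_encode(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jws_verify_hs256(token: str, key: bytes) -> bytes:
    """Verify a compact HS256 JWS and return the payload bytes.
    The verifier pins the algorithm it expects rather than letting the header
    choose one, and compares MACs in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidSignature("compact JWS must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise InvalidSignature(f"unexpected alg {header.get('alg')!r}")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidSignature("MAC mismatch: header or payload was altered")
    return b64url_decode(payload_b64)


# RFC 7515 Appendix A.1 test vector (header and payload contain CRLF + space).
RFC_A1_HEADER = b'{"typ":"JWT",\r\n "alg":"HS256"}'
RFC_A1_PAYLOAD = (b'{"iss":"joe",\r\n "exp":1300819380,\r\n'
                  b' "http://example.com/is_root":true}')
RFC_A1_KEY = b64url_decode(  # the "k" member of the RFC's symmetric JWK
    "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow")
RFC_A1_JWS = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
              ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
              ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")


def rfc7515_a1_vector_matches() -> bool:
    """Re-derive the RFC's published example and compare it character by character."""
    return jws_sign_hs256(RFC_A1_HEADER, RFC_A1_PAYLOAD, RFC_A1_KEY) == RFC_A1_JWS


def widget_quote_demo() -> dict:
    """The article's price-quote scenario: widgets.com signs a quote, Bob edits
    the price, and the edited object no longer verifies. Key and quote contents
    are constructed for this example."""
    site_key = b"constructed-shared-secret-for-widgets.com-example"  # assumption
    header = b'{"alg":"HS256"}'
    quote = {"item": "widget-42", "price_usd": 19.99, "customer": "bob"}
    token = jws_sign_hs256(header, json.dumps(quote).encode(), site_key)

    genuine = json.loads(jws_verify_hs256(token, site_key))

    header_b64, payload_b64, sig_b64 = token.split(".")
    tampered_payload = b64url_encode(json.dumps(dict(quote, price_usd=0.01)).encode())
    tampered = ".".join([header_b64, tampered_payload, sig_b64])
    try:
        jws_verify_hs256(tampered, site_key)
        tamper_detected = False
    except InvalidSignature:
        tamper_detected = True

    # A header that names another algorithm (here the "none" of RFC 7515
    # Appendix A.5, an Unsecured JWS) is rejected before any MAC is computed.
    other_alg = ".".join([b64url_encode(b'{"alg":"none"}'), payload_b64, ""])
    try:
        jws_verify_hs256(other_alg, site_key)
        alg_pinned = False
    except InvalidSignature:
        alg_pinned = True

    return {"genuine": genuine, "tamper_detected": tamper_detected,
            "alg_pinned": alg_pinned}


if __name__ == "__main__":
    print("RFC 7515 A.1 vector reproduced:", rfc7515_a1_vector_matches())
    print(widget_quote_demo())
```

Two design points matter more than the HMAC itself: the verifier decides which algorithm it will accept and ignores the header's choice, and it compares the computed and received MACs with `hmac.compare_digest` so a byte-by-byte mismatch does not leak timing information. For the non-repudiable quote of the Web commerce example the same three-part structure applies, with the HMAC replaced by a signature over the same signing input using widgets.com's private key.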

Limitations

JWS is one of the standards in the JOSE (JSON Object Signing and Encryption) series[3] and is meant to be used in combination with them. It provides integrity and origin authentication only: the payload is base64url-encoded, not encrypted, so anyone who obtains a JWS can read its contents. Where confidentiality is also needed, JSON Web Encryption (JWE)[4] is used in conjunction with it, for example by signing the data as a JWS and then encrypting that JWS as a JWE.

As of 2015, JWS was a Proposed Standard that other IETF specifications such as JSON Web Key already relied on,[5] and implementations were available on the web.[6][7]

References

  1. Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JSON Web Signature (JWS) [RFC7515]". https://tools.ietf.org/html/rfc7515
  2. Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JWS Compact Serialization Overview". https://tools.ietf.org/html/rfc7515#section-3.1
  3. "JSON Object Signing and Encryption (JOSE)". Internet Assigned Numbers Authority. 2015-01-23. https://www.iana.org/assignments/jose/jose.xhtml. Retrieved 2018-11-19.
  4. Jones, Michael B.; Hildebrand, Joe (May 2015). "JSON Web Encryption (JWE) [RFC7516]". ietf.org. https://tools.ietf.org/html/rfc7516. Retrieved 13 May 2015.
  5. Jones, Michael B. (May 2015). "JSON Web Key (JWK) [RFC7517]". ietf.org. https://tools.ietf.org/html/rfc7517. Retrieved 13 May 2015.
  6. "google/google-oauth-java-client". GitHub. https://code.google.com/p/google-oauth-java-client/source/browse/google-oauth-client/src/main/java/com/google/api/client/auth/jsontoken/JsonWebSignature.java?r=c31891da772f2479cf47c2141c137f6c47a36685. Retrieved 13 May 2015.
  7. "JSON Web Tokens - jwt.io". jwt.io. http://jwt.io/. Retrieved 13 May 2015.