JSON Web Signature: Difference between revisions

From Wikipedia, the free encyclopedia
m →‎top: cleanup, removed orphan tag using AWB
No edit summary
Line 1: Line 1:
A '''JSON Web Signature''' (abbreviated '''JWS''') is an [[IETF]] proposed standard for [[Digital signature|signing]] arbitrary [[JSON]].<ref>{{cite web|url=https://tools.ietf.org/html/rfc7515|title=JSON Web Signature (JWS)}}</ref> This is used as the basis for a variety of web based technologies including [[JSON Web Token]].
A '''JSON Web Signature''' (abbreviated '''JWS''') is an [[Internet Engineering Task Force|IETF]] proposed standard for [[Digital signature|signing]] arbitrary [[JSON]].<ref>{{cite web|url=https://tools.ietf.org/html/rfc7515|title=JSON Web Signature (JWS)}}</ref> This is used as the basis for a variety of web-based technologies including [[JSON Web Token]].


==Purpose==
== Purpose ==
JWS is a way to [[Authentication|authenticate]] (but not necessarily [[Encryption|encrypt]]) information in a highly [[Serialization|serializable]], machine-readable format. That means that it is information, along with proof that the information hasn't changed since being signed. It can be used for sending information from one web site to another, and is especially aimed at communications on the web. It even contains a compact form optimized for applications like [[Uniform resource identifier|URI]] query parameters.<ref>{{cite web|url=https://tools.ietf.org/html/rfc7515#section-3.1|title=JWS Compact Serialization Overview}}</ref>
JWS is a way to [[Authentication|authenticate]] (but not necessarily [[Encryption|encrypt]]) information in a highly [[Serialization|serializable]], machine-readable format. That means that it is information, along with proof that the information hasn't changed since being signed. It can be used for sending information from one web site to another, and is especially aimed at communications on the web. It even contains a compact form optimized for applications like [[Uniform resource identifier|URI]] query parameters.<ref>{{cite web|url=https://tools.ietf.org/html/rfc7515#section-3.1|title=JWS Compact Serialization Overview}}</ref>


===Examples===
=== Examples ===


====Web Commerce====
==== Web commerce ====
JWS can be used for applications in which digitally signed information must be sent in a machine readable format, such as [[E-commerce payment system|e-commerce]]. For example, say a user named Bob is browsing widget prices on a web site (widgets.com), and wishes to get a quote on one of them. Then widgets.com could provide Bob with a JWS object containing all relevant information about the widget, including the price, then sign it using their private key. Then Bob would have a [[Non-repudiation|non-repudiable]] price quote for the product.
JWS can be used for applications in which digitally signed information must be sent in a machine-readable format, such as [[E-commerce payment system|e-commerce]]. For example, say a user named Bob is browsing widget prices on a web site (widgets.com), and wishes to get a quote on one of them. Then widgets.com could provide Bob with a JWS object containing all relevant information about the widget, including the price, then sign it using their private key. Then Bob would have a [[Non-repudiation|non-repudiable]] price quote for the product.


====Access to third party resources====
==== Access to third-party resources ====
Maybe Widgets.com and WidgetStorage.com have a deal in which WidgetStorage.com will accept coupons from Widgets.com in exchange for traffic. Widgets.com could issue JWS giving Bob a 10% discount on the WidgetStorage.com site. Again, because the data is signed, WidgetStorage can know that Widgets.com authorized this. If the data was not signed, then Bob could change his discount to 50% and no one could know just from looking at the data.
Maybe Widgets.com and WidgetStorage.com have a deal in which WidgetStorage.com will accept coupons from Widgets.com in exchange for traffic. Widgets.com could issue JWS giving Bob a 10% discount on the WidgetStorage.com site. Again, because the data is signed, WidgetStorage can know that Widgets.com authorized this. If the data was not signed, then Bob could change his discount to 50% and no one could know just from looking at the data.


==Limitations==
== Limitations ==
JWS does not include encryption, but is designed to work with encryption.<ref>{{cite web|url=https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40|title=draft-ietf-jose-json-web-encryption-40 - JSON Web Encryption (JWE)|work=ietf.org|accessdate=13 May 2015}}</ref>
JWS does not include encryption, but is designed to work with encryption.<ref>{{cite web|url=https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40|title=draft-ietf-jose-json-web-encryption-40 - JSON Web Encryption (JWE)|work=ietf.org|accessdate=13 May 2015}}</ref>
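Review bot: The newer revision is saved with "No edit summary" although it touches every section: it pipes the IETF link to [[Internet Engineering Task Force|IETF]], hyphenates "web-based", "machine-readable" and "third-party", respaces all headings and lowercases "Web commerce". A one-line summary naming these as copyedits would let readers of the history see that no content changed. The paragraphs under Purpose, Access to third-party resources and Limitations are also marked as changed but read identically in both columns, so those differences appear to be whitespace only and are worth confirming before saving.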



Revision as of 09:27, 1 June 2017

A JSON Web Signature (abbreviated JWS) is an IETF proposed standard for signing arbitrary JSON.[1] This is used as the basis for a variety of web-based technologies including JSON Web Token.

Purpose

JWS is a way to authenticate (but not necessarily encrypt) information in a highly serializable, machine-readable format. A JWS therefore carries the information together with proof that it has not changed since it was signed. It can be used for sending information from one web site to another, and is especially aimed at communications on the web. It also has a compact form optimized for applications like URI query parameters.[2]

Examples

Web commerce

JWS can be used for applications in which digitally signed information must be sent in a machine-readable format, such as e-commerce. For example, say a user named Bob is browsing widget prices on a web site (widgets.com), and wishes to get a quote on one of them. Then widgets.com could provide Bob with a JWS object containing all relevant information about the widget, including the price, signed using their private key. Bob would then have a non-repudiable price quote for the product.

Access to third-party resources

Suppose Widgets.com and WidgetStorage.com have a deal in which WidgetStorage.com will accept coupons from Widgets.com in exchange for traffic. Widgets.com could issue a JWS giving Bob a 10% discount on the WidgetStorage.com site. Again, because the data is signed, WidgetStorage can know that Widgets.com authorized this. If the data were not signed, Bob could change his discount to 50% and no one could tell just from looking at the data.
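An added example, not part of the article or of any project it cites: the coupon scenario above as a JWS in the compact form mentioned under Purpose, using only the Python standard library. It assumes the HS256 (HMAC-SHA256) algorithm with a key shared by the two sites, which demonstrates tamper detection but not the non-repudiation of the private-key price quote; the key, claim names and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; assumed shared by both sites
COUPON = {"issuer": "Widgets.com", "customer": "Bob", "discount_percent": 10}

def b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, header_b64: str, body_b64: str) -> bytes:
    # The signature covers "<header>.<payload>" exactly as transmitted
    return hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()

def sign_compact(payload: dict, key: bytes) -> str:
    header_b64 = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{body_b64}.{b64url(_mac(key, header_b64, body_b64))}"

def verify_compact(token: str, key: bytes):
    """Return the payload if the signature checks out, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it (e.g. "none")
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = _mac(key, header_b64, body_b64)
        if not hmac.compare_digest(b64url_decode(sig_b64), expected):
            return None
        return json.loads(b64url_decode(body_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None

def edit_discount(token: str, percent: int) -> str:
    # Bob's edit from the article: change the payload, keep the old signature
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims["discount_percent"] = percent
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"

if __name__ == "__main__":
    token = sign_compact(COUPON, KEY)
    print(token)
    print("genuine:", verify_compact(token, KEY))
    print("edited: ", verify_compact(edit_discount(token, 50), KEY))
```

The verifier returns the coupon for the genuine token and None for the edited one, which is how WidgetStorage.com would detect the changed discount.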

Limitations

JWS does not include encryption, but is designed to work with encryption.[3]

As of 2015, JWS was a proposed standard, and was part of several other IETF draft standards,[4] and there was code available on the web to implement the draft standard.[5][6]

References

  1. ^ "JSON Web Signature (JWS)".
  2. ^ "JWS Compact Serialization Overview".
  3. ^ "draft-ietf-jose-json-web-encryption-40 - JSON Web Encryption (JWE)". ietf.org. Retrieved 13 May 2015.
  4. ^ "draft-barnes-acme-01 - Automatic Certificate Management Environment (ACME)". ietf.org. Retrieved 13 May 2015.
  5. ^ "google/google-oauth-java-client". GitHub. Retrieved 13 May 2015.
  6. ^ "JSON Web Tokens - jwt.io". jwt.io. Retrieved 13 May 2015.