Make VERSION signature support more flexible

Description

Version.signature has a very specific implementation that assumes one particular technology for creating a signature. More recent approaches may use SHA1 and XML Digital Signature payload documents. These should be supported, along with cryptography libraries other than OpenPGP, including Microsoft .NET and other open source libraries.

To support these variations, there should be an additional attribute in the Version class indicating which signature algorithm is used (similar to the DvMultimedia integrity check algorithm attribute), rather than relying on the self-describing PGP byte stream.

There should be additional implementation guidance to support interoperable signatures using different cryptography libraries.

Activity


Pablo Pazos October 30, 2015 at 12:17 AM

I know JSON Web Token is used to sign requests, but I don't see why this can't be used for other purposes: http://jwt.io/
Please let me know what you think about that.

Also find this signing guide for Java: https://docs.oracle.com/javase/tutorial/security/apisign/gensig.html
Maybe there are similar guides / ways for other technology stacks.

Thomas Beale October 29, 2015 at 10:25 AM

Agree, I think we should publish pseudo-code as well.

Erik Sundvall October 29, 2015 at 10:05 AM
Edited

Via SEC teleconference 29 Oct we discussed creating a proper canonical openEHR data format in release 1.1 usable for signatures etc.

When converting this PR to CR(s) we might need to address two related things:

#1. allowing different signature algorithms and suggesting a modern algorithm (some strong SHA-version?) as default (mandatory to be supported as fallback)

#2. creating a canonical format, perhaps some compact JSON format (without indentation or extra spaces etc.); also consider the ordering of JSON siblings (alphabetical?). Publish pseudo code and possibly point to open source implementations.

I did something like #2 for creating SHA-hashes used to identify (and create IDs for) parametric AQL-queries in LiU EEE, perhaps that work is useful as input to pseudo code etc.
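
A minimal sketch of the "canonical JSON, then hash" idea from #2, added here as an illustration; it is not code from this thread or from LiU EEE. The sample document, the canonicalization rules chosen (alphabetical keys at every level, no whitespace, UTF-8), and the `algorithm` prefix standing in for the proposed Version attribute are all assumptions.

```python
import hashlib
import json

# Constructed sample: the same logical content serialized two ways
# (different key order, indentation and spacing). Not real openEHR data.
DOC_A = ('{"uid": "c1::node::1", "archetype_node_id": "EXAMPLE-ARCHETYPE.v1", '
         '"name": {"value": "Report"}}')
DOC_B = '''{
    "name": {"value": "Report"},
    "archetype_node_id": "EXAMPLE-ARCHETYPE.v1",
    "uid":   "c1::node::1"
}'''


def canonicalize(json_text: str) -> bytes:
    """Parse JSON and re-serialize it in one fixed form (hypothetical rules):
    keys sorted alphabetically at every nesting level, no indentation,
    no spaces after separators, UTF-8 encoded, non-ASCII left unescaped.
    Any two inputs with the same logical content produce identical bytes."""
    obj = json.loads(json_text)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def digest(json_text: str, algorithm: str = "sha256") -> str:
    """Hash the canonical bytes. The 'algorithm:' prefix plays the role of
    the per-Version algorithm attribute proposed in the description, so a
    verifier knows which function to recompute instead of guessing."""
    h = hashlib.new(algorithm)
    h.update(canonicalize(json_text))
    return f"{algorithm}:{h.hexdigest()}"


def verify(json_text: str, labelled_digest: str) -> bool:
    """Recompute with the algorithm named in the label and compare."""
    algorithm, _, _ = labelled_digest.partition(":")
    return digest(json_text, algorithm) == labelled_digest


if __name__ == "__main__":
    print(digest(DOC_A) == digest(DOC_B))   # same content, same digest
```

`json.dumps` does not normalize number or escape representations (e.g. `1` versus `1.0`), so a real canonical format also has to pin those down, as RFC 8785 (JSON Canonicalization Scheme) does; hashing the canonical bytes is the input to a signature, not a signature by itself.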

Thomas Beale October 29, 2015 at 9:46 AM
Edited

Have to agree on canonical serial format for basis of signing as well as preferred libs and field format.
Compressed JSON?

Questions - polymorphic attachment of objects and representing type info; id fields etc.

Pablo Pazos October 28, 2015 at 11:23 PM

Should we focus on signing XML or signing objects in the DB? Or both? IMO it is difficult to have just one approach to be used in all contexts / technologies, but maybe I'm wrong.

Created February 7, 2012 at 1:11 PM
Updated February 28, 2022 at 11:25 AM