anvilresearch / jwt Goto Github PK

JWT/JWD to use @trust/jwk for signing/encryption/decryption operations and @trust/keycache for signature verification.

CC anvilresearch/jose#18

@johnny90 did some work on this. Is this a complete feature? Either way I think this should be completed for the v0.1.0 release.

CC anvilresearch/jose#6

The spec: https://w3c-dvcg.github.io/ld-signatures/

The JS lib: https://github.com/digitalbazaar/jsonld-signatures

Manu's 2013 post describing their design decisions and difference between JOSE and LDS: http://manu.sporny.org/2013/lds-vs-jose/
(Note that the LDS spec recently gives the indication that they're open to interoperating between JOSE and LDS.)

With npm allowing us to use namespaced package names and our current theme of @trust/jwX packages, it may be desirable for us to split JWD into it's own package that depends on @trust/jwt.

If we do decide to do this then we should probably only do it once JWT is refactored and working as intended.

Thoughts?

CC anvilresearch/jose#22

CC anvilresearch/jose#34

This is probably a necessary for the secure use of this libray. It will allow devs (users?) to allow the use of { alg: 'none' } but still be able to mandate when a signature is necessary.

CC anvilresearch/jose#24

Still need to make a decision about if these are getting a package of their own, but from @christiansmith's comments in the linked issue, I don't think so.

Current behaviour when calling JWT.verify({ serialized: token, jwk: '...' }) -- where the caller provides the public JWK for signature verification -- is that only one key may be provided.

This problem is only for the case where the caller is passing in the JWKs for signature verification. The default behaviour of using the JWKSet Cache to look up keys etc. will still look up all necessary keys and verify all signatures as expected.