JSON Web Signature

JWS
JSON Web Signature
Abbreviation	JWS
Status	Proposed Standard
Organization	IETF
Committee	IEGS
Authors	Michael B. Jones; Microsoft ; John Bradley; Ping Identity ; Nat Sakimura; NRI ;
Base standards	JSON
Related standards	HMAC-based one-time password ; JSON Web Algorithms (JWA); JSON Web Encryption (JWE); JSON Web Token (JWT); Secure Hash Algorithm 2 (SHA-2);
Domain	Data exchange
Website	datatracker.ietf.org/doc/html/rfc7515

Last updated February 28, 2024

A JSON Web Signature (abbreviated JWS) is an IETF-proposed standard ( RFC 7515) for signing arbitrary data.^[1] This is used as the basis for a variety of web-based technologies including JSON Web Token.

Purpose

JWS is a way to ensure integrity of information in a highly serializable, machine-readable format. That means that it is information, along with proof that the information hasn't changed since being signed. It can be used for sending information from one web site to another, and is especially aimed at communications on the web. It even contains a compact form optimized for applications like URI query parameters.^[2]

Examples

Web commerce

JWS can be used for applications in which digitally signed information must be sent in a machine-readable format, such as e-commerce. For example, say a user named Bob is browsing widget prices on a web site (widgets.com), and wishes to get a quote on one of them. Then widgets.com could provide Bob with a JWS object containing all relevant information about the widget, including the price, then sign it using their private key. Then Bob would have a non-repudiable price quote for the product.

Access to third-party resources

Maybe Widgets.com and WidgetStorage.com have a deal in which WidgetStorage.com will accept coupons from Widgets.com in exchange for traffic. Widgets.com could issue JWS giving Bob a 10% discount on the WidgetStorage.com site. Again, because the data is signed, WidgetStorage can know that Widgets.com emitted this. If the data was not signed, then Bob could change his discount to 50% and no one would know just from looking at the data.

Limitations

JWS is one of the standards in the JOSE series^[3] and is meant to be used in combination with them. For example, for encryption JSON Web Encryption (JWE)^[4] is supposed to be used in conjunction.

As of 2015, JWS was a proposed standard, and was part of several other IETF draft standards,^[5] and there was code available on the web to implement the draft standard.^[6]^[7]

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

In computing, serialization is the process of translating a data structure or object state into a format that can be stored or transmitted and reconstructed later. When the resulting series of bits is reread according to the serialization format, it can be used to create a semantically identical clone of the original object. For many complex objects, such as those that make extensive use of references, this process is not straightforward. Serialization of object-oriented objects does not include any of their associated methods with which they were previously linked.

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

The Resource Description Framework (RDF) is a World Wide Web Consortium (W3C) standard originally designed as a data model for metadata. It has come to be used as a general method for description and exchange of graph data. RDF provides a variety of syntax notations and data serialization formats, with Turtle currently being the most widely used notation.

Abstract Syntax Notation One (ASN.1) is a standard interface description language (IDL) for defining data structures that can be serialized and deserialized in a cross-platform way. It is broadly used in telecommunications and computer networking, and especially in cryptography.

YAML(see § History and name) is a human-readable data serialization language. It is commonly used for configuration files and in applications where data is being stored or transmitted. YAML targets many of the same communications applications as Extensible Markup Language (XML) but has a minimal syntax that intentionally differs from Standard Generalized Markup Language (SGML). It uses Python-style indentation to indicate nesting and does not require quotes around most string values.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

JSON is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and arrays. It is a commonly used data format with diverse uses in electronic data interchange, including that of web applications with servers.

In computing, logging is the act of keeping a log of events that occur in a computer system, such as problems, errors or just information on current operations. These events may occur in the operating system or in other software. A message or log entry is recorded for each such event. These log messages can then be used to monitor and understand the operation of the system, to debug problems, or during an audit. Logging is particularly important in multi-user software, to have a central overview of the operation of the system.

WebFinger is a protocol specified by the Internet Engineering Task Force IETF in RFC 7033 that allows for discovery of information about people and things identified by a URI. Information about a person might be discovered via an acct: URI, for example, which is a URI that looks like an email address.

JSON-LD is a method of encoding linked data using JSON. One goal for JSON-LD was to require as little effort as possible from developers to transform their existing JSON to JSON-LD. JSON-LD allows data to be serialized in a way that is similar to traditional JSON. It was initially developed by the JSON for Linking Data Community Group before being transferred to the RDF Working Group for review, improvement, and standardization, and is currently maintained by the JSON-LD Working Group. JSON-LD is a World Wide Web Consortium Recommendation.

HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google. HTTP/2 was developed by the HTTP Working Group of the Internet Engineering Task Force (IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The HTTP/2 specification was published as RFC 7540 on May 14, 2015.

WAMP is a WebSocket subprotocol registered at IANA, specified to offer routed RPC and PubSub. Its design goal is to provide an open standard for soft, real-time message exchange between application components and ease the creation of loosely coupled architectures based on microservices. Because of this, it is a suitable enterprise service bus (ESB), fit for developing responsive web applications or coordinating multiple connected IoT devices.

JSON Web Token is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.

Web API security entails authenticating programs or users who are invoking a web API.

A well-known URI is a Uniform Resource Identifier for URL path prefixes that start with /.well-known/. They are implemented in webservers so that requests to the servers for well-known services or information are available at URLs consistent well-known locations across servers.

Token Binding is a proposed standard for a Transport Layer Security (TLS) extension that aims to increase TLS security by using cryptographic certificates on both ends of the TLS connection. Current practice often depends on bearer tokens, which may be lost or stolen. Bearer tokens are also vulnerable to man-in-the-middle attacks or replay attacks. In contrast, bound tokens are established by a user agent that generates a private-public key pair per target server, providing the public key to the server, and thereafter proving possession of the corresponding private key on every TLS connection to the server.

JSON Web Encryption (JWE) is an IETF standard providing a standardised syntax for the exchange of encrypted data, based on JSON and Base64. It is defined by RFC 7516. Along with JSON Web Signature (JWS), it is one of the two possible formats of a JWT. JWE forms part of the JavaScript Object Signing and Encryption (JOSE) suite of protocols.

The Thing Description (TD) (or W3C WoT Thing Description (TD)) is a royalty-free, open information model with a JSON based representation format for the Internet of Things (IoT). A TD provides a unified way to describe the capabilities of an IoT device or service with its offered data model and functions, protocol usage, and further metadata. Using Thing Descriptions help reduce the complexity of integrating IoT devices and their capabilities into IoT applications.

References

↑ Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JSON Web Signature (JWS) [RFC7515]".
↑ Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JWS Compact Serialization Overview".
↑ "JSON Object Signing and Encryption (JOSE)". Internet Assigned Numbers Authority. 2015-01-23. Retrieved 2018-11-19.
↑ Jones, Michael B.; Hildebrand, Joe (May 2015). "JSON Web Encryption (JWE) [RFC7516]". ietf.org. Retrieved 13 May 2015.
↑ Jones, Michael B. (May 2015). "JSON Web Key (JWK) [RFC7517]". ietf.org. Retrieved 13 May 2015.
↑ "google/google-oauth-java-client". GitHub. Retrieved 13 May 2015.
↑ "JSON Web Tokens - jwt.io". jwt.io. Retrieved 13 May 2015.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JSON Web Signature (JWS) [RFC7515]".

[2] Jones, Michael B.; Bradley, John; Sakimura, Nat (May 2015). "JWS Compact Serialization Overview".

[iana2015-3] "JSON Object Signing and Encryption (JOSE)". Internet Assigned Numbers Authority. 2015-01-23. Retrieved 2018-11-19.

[4] Jones, Michael B.; Hildebrand, Joe (May 2015). "JSON Web Encryption (JWE) [RFC7516]". ietf.org. Retrieved 13 May 2015.

[5] Jones, Michael B. (May 2015). "JSON Web Key (JWK) [RFC7517]". ietf.org. Retrieved 13 May 2015.

[6] "google/google-oauth-java-client". GitHub. Retrieved 13 May 2015.

[7] "JSON Web Tokens - jwt.io". jwt.io. Retrieved 13 May 2015.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e Data exchange formats
Human readable	Atom CSV EDIFACT JSON Web Encryption Web Token Web Signature Property list RDF Rebol TOML XML YAML
Binary	AMF ASN.1 SMI Avro Base32 Base64 BSON UBJSON Cap'n Proto CBOR FlatBuffers MessagePack Property list Protocol Buffers Thrift Cyphal DSDL XDR uuencode yEnc
Comparison of data-serialization formats