Skip to content
/ dsse Public
forked from secure-systems-lab/dsse

A specification for signing methods and formats used by Secure Systems Lab projects.

License

Apache-2.0 license
1 star 18 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

MarkLodato/dsse

BranchesTags
 
 

Repository files navigation

signing-spec

Simple, foolproof standard for signing arbitrary data.

Features

  • Supports arbitrary message encodings, not just JSON.
  • Authenticates the message and the type to avoid confusion attacks.
  • Avoids canonicalization to reduce attack surface.
  • Allows any desired crypto primitives or libraries.

See Background for more information, including design considerations and rationale.

What is it?

Specifications for:

  • Protocol (required)
  • Data structure, a.k.a. "Envelope" (recommended)
  • (pending #9) Suggested crypto primitives

Out of scope (for now at least):

  • Key management / PKI

Why not...?

  • Why not raw signatures? Too fragile.
  • Why not JWS? Too many insecure implementations and features.
  • Why not PASETO? JSON-specific, too opinionated.
  • Why not the legacy TUF/in-toto signature scheme? JSON-specific, relies on canonicalization.

See Background for further motivation.

Who uses it?

About

A specification for signing methods and formats used by Secure Systems Lab projects.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Jupyter Notebook 100.0%