
DISCLAIMER: This is not a "recommend me a product or service" question.

I am interested in getting to know the technologies we can use for signing a JSON document, from the server-side. What are the technologies available? Especially signed by many organizations.

I am not looking for engaging with a specific commercial signing service nor blockchain, but rather to find a technology that allows many organizations to sign a document.

Using SSL certificates for signing sounds like a viable idea, but as certificates have an expiration date, they can present challenges.

Also, the service shall not only sign per request of the signer but also sign again for verifying the authenticity of the document or returning its public key on the fly.

Jaime
  • Have you seen the JOSE standard? https://tools.ietf.org/id/draft-erdtman-jose-cleartext-jws-00.html – Valery Nov 19 '21 at 12:13
  • Yes, have seen JOSE and canonical serialization, but it doesn't tell about the key management and signer infrastructure. – Jaime Nov 19 '21 at 14:33

1 Answer


Using SSL certificates for signing sounds like a viable idea, but as certificates have an expiration date, they can present challenges.

You may use a CMS signature, which can store the user certificate or the complete trust certificate chain.

I am not looking for engaging with a specific commercial signing service nor blockchain, but rather to find a technology that allows many organizations to sign a document.

You may use an HSM (with CSP or PKCS#11) or commercial key storage hardware with the Key Management Interoperability Protocol (KMIP), depending on the size and needs of your organization(s).

Bharat Vasant
  • Thanks @Bharat, this is a good starting point. Hardware is not an option as I cannot enforce dozens of organizations to use that. CMS sounds like a solid standard from the message POV, but what is the entity that administers the key and signs the messages? Any standard about that? – Jaime Nov 21 '21 at 02:58
  • If you are looking for signing from a web application with the user owning his private key in his device certificate store or smartcard/USB token, refer to https://stackoverflow.com/a/63173083/9659885. Some organizations set up a private CA and issue certificates to their users (which can be used on an intranet, say internally only). Refer to our commercial offering at https://stackoverflow.com/a/68556286/9659885 (and accept the answer if it's helpful..!) – Bharat Vasant Nov 22 '21 at 05:59
  • As I mentioned, device-based signing is not a good option for us. I am looking for something that can be configured by multiple organizations with less infrastructure. That's why I was thinking of something based on SSL or other certificates generated by a CA (and signed by the organization), so the consumer can verify the authenticity of the public key. – Jaime Nov 25 '21 at 05:41
  • Jaime, by 'device certificate store', I mean a certificate stored in the certificate store of the user's laptop or desktop... I am not talking about any separate device... – Bharat Vasant Nov 25 '21 at 09:54
  • Even in that case, we cannot rely on an individual's laptop or desktop for the following case: There is a document, let's say a JSON, and multiple users (belonging to organizations) may append data and sign. How can you verify all signatures are legit? I may verify against every organization's CA or maybe a global CA. Still trying to find the "most standard" way to achieve that. – Jaime Nov 25 '21 at 19:56
  • If multiple organizations are involved (since you said 'every organization's CA' above..), it is not preferable to use a private CA; you should go for certificates provided by the public CA of your country. Also, a seasoned PKI consultant can help you design your requirement. – Bharat Vasant Nov 26 '21 at 05:27