Coze
Coze copied to clipboard
Cyphrme
Coze is a cryptographic JSON messaging specification.
During a [conversation](https://news.ycombinator.com/item?id=38506364), I was sent this example message: https://cyphr.me/coze#?input={%22pay%22:{%22msg%22:%22Hello%20Retr0id!%22,%22alg%22:%22ES256%22,%22iat%22:1701603747,%22tmb%22:%221KGZzsqiFAYE5uDO3CCh3PMl9pqwlG1RrI8i5gZY94c%22,%22typ%22:%22cyphr.me/msg/create%22},%22sig%22:%22vZEALUQShRlLYyhJoGmkxpQhhEeUPlzbIZqyTsUyPBMlJMIqGClgSs3uXTDiwumsMivFQKU8K4z4Ec7WlxYIew%22}&dontSignRevoke&updateIat&selectedAlg=ES256&verify By introducing a duplicate "msg" key, I was able to forge a new message that also passes signature verification according...
Instead of making various issues for various JSON concerns. I'm going to use this issue to track any concerns with JSON. Coze needs strictly defined JSON capabilities. Some of these...
Proposal here: https://github.com/Cyphrme/CozeX/blob/master/proposal/unsigned_alg_tmb.md - Wait for more feedback discussion (mostly in the matrix room) - Implement in Go Coze, CozeJS, the power Verifier, and the simple verifier.
if you can get python versions of this, there are entire ecosystems like django / flask that can adopt coze in place of JWT.
Although the [simple verifier](https://cyphr.me/coze_verifier_simple/coze.html) is already in-browser, offline compatible, and is easily locally hosted, eventually we hope to provide the same ability with power verifier. It probably could be done...
@LoupVaillant suggested doing the following when handling Ed25519: In my opinion standardizing signatures and public keys is much more important than worrying about anything related to the private key. And...
See issue https://github.com/golang/go/issues/51082#issuecomment-1357939248 Once that is addressed, I'll update the docs with package links.