Feature signing and verifying?
Hi, I like how this library is organized, but I'm struggling to find a way to do the following:
- Create a JWK from system randomness
- Create a signature with that key
- Verify the signature with a JWK
Is this library capable of doing this yet? Or is it still in progress?
You can call it "in progress"; however, work in this repo has largely stalled.
Ah thanks. Just curious... It seems like almost all JOSE libraries have stalled in their development. Is there a larger reason for this? I've heard of some security flaws in the protocol. Are there alternatives we should be considering?
In the case of this repo I think the original contributors simply lost interest.
For signatures you can just sign data directly without involving some other protocol. X.509 SPKI provides a widely-used public key format which is supported by all of our crates.
Interest, no. Resources, yes.
Ok thanks. I'm storing keys in a larger data structure that can be formatted as JSON, hence my interest in JWK.
I suppose I could do away with any JWS formatting and just encode the signature directly as base64 or similar...
@wellcaffeinated all of the signature algorithm implementations we maintain have serde support
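The flow discussed above (a key from system randomness, a signature made directly over the data, a key kept as JSON), as an added example that is not part of the original thread and does not use the Rust crates it discusses. It assumes Node.js's built-in `crypto` module with Ed25519; the record layout and all function names are constructed for illustration.

```javascript
// Added example: Node.js built-in crypto, not the Rust crates from this thread.
const { generateKeyPairSync, createPrivateKey, createPublicKey, sign, verify } =
  require('node:crypto');

// Generate an Ed25519 key pair from the OS CSPRNG and export both halves as JWK.
function generateJwkPair() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return {
    publicJwk: publicKey.export({ format: 'jwk' }),   // kty, crv, x
    privateJwk: privateKey.export({ format: 'jwk' }), // also holds the secret "d"
  };
}

// Sign the payload bytes directly; keep the signature as base64url so the
// record (a constructed layout) survives JSON serialization.
function signRecord(payload, privateJwk) {
  const key = createPrivateKey({ key: privateJwk, format: 'jwk' });
  const sig = sign(null, Buffer.from(payload, 'utf8'), key); // Ed25519: no digest name
  return { payload, signature: sig.toString('base64url') };
}

// Verify with a public JWK the verifier already trusts. The key type is pinned
// here, so nothing inside the record can select the algorithm or the key.
function verifyRecord(record, trustedPublicJwk) {
  try {
    if (trustedPublicJwk.kty !== 'OKP' || trustedPublicJwk.crv !== 'Ed25519') return false;
    if (typeof record.payload !== 'string' || typeof record.signature !== 'string') return false;
    const sig = Buffer.from(record.signature, 'base64url');
    if (sig.length !== 64) return false; // Ed25519 signatures are always 64 bytes
    const jwk = { kty: 'OKP', crv: 'Ed25519', x: trustedPublicJwk.x }; // drop any "d"
    const key = createPublicKey({ key: jwk, format: 'jwk' });
    return verify(null, Buffer.from(record.payload, 'utf8'), key, sig);
  } catch {
    return false; // malformed key material is a verification failure
  }
}

// The same public key in X.509 SPKI form (PEM), the format suggested above.
function jwkToSpkiPem(publicJwk) {
  return createPublicKey({ key: publicJwk, format: 'jwk' })
    .export({ type: 'spki', format: 'pem' });
}
```

The verifier takes its public key from its own trusted store rather than from the signed record, which is the main thing a JWS header would otherwise have to get right.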
I am interested in further developing this library because RFC 8995 extensions need it. How would I go about contributing?
@juliankrieger perhaps sketch out what you have in mind here, and then open a PR which implements it