Transport agnostic security: Inherent support for e2e for beckn messages #97
Description
Existing approach
From the specification, it is to be inferred that beckn is transport agnostic. The security is guaranteed by the transport on which it is being implemented.
Each beckn message follows a structure with 2 properties: 1) context 2) message
The context then carries metadata regarding the message, which includes the encryption being used, etc.
The existing approach lacks a proper specification to convey how the encryption metadata must be constructed in such a way that the parties involved can communicate securely. How can the parties involved understand what are the different security mechanisms that are already supported?
Proposed approach
beckn message packets should be wrapped inside JWE, JWS envelopes.
This approach should be enforced within the specification for enabling transport agnostic security.
Note: I am creating this thread to initiate open discussions on the subject. Please feel free to share your thoughts or correct me if I am wrong in my assumptions.
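The JWS half of the proposal above, as an added sketch that is not part of the original issue or of the beckn specification: a `{context, message}` packet is wrapped in a JWS compact envelope, and the receiver verifies it against an algorithm it pins itself, so integrity no longer depends on the transport. Assumptions: HS256 with a pre-shared key (chosen only because it needs nothing beyond the Python standard library), the helper names, and the constructed sample key and packet; the JWE (confidentiality) layer is not shown.

```python
import base64
import hashlib
import hmac
import json

ALG = "HS256"  # assumption: pinned by the receiver, never taken from the token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(packet: dict, key: bytes) -> str:
    """Wrap a {context, message} packet in a JWS compact envelope."""
    header = b64url(json.dumps({"alg": ALG}).encode())
    payload = b64url(json.dumps(packet, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def jws_verify(token: str, key: bytes) -> dict:
    """Return the packet only if the envelope verifies under the pinned algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise ValueError("unexpected alg")  # rejects "none" and downgrades
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, key: bytes) -> bool:
    try:
        jws_verify(token, key)
        return True
    except ValueError:
        return False


# Constructed sample key and packet; values are illustrative only.
KEY = b"constructed-demo-key-not-for-real-use"
PACKET = {"context": {"action": "search", "message_id": "m-001"},
          "message": {"intent": {"item": "demo"}}}
```

The signature covers the encoded header and payload together, so a change to either `context` or `message` in transit invalidates the envelope regardless of which transport carried it.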
