Quote:
Originally Posted by Pellanor
The website I linked, jwt.io, is basically a sandbox for playing with and testing these types of tokens. It's how I was able to generate the example so easily. Since this is an open standard that a lot of the web runs on, there are a lot of libraries out there that do all the heavy lifting an complex math for you. I can go get whatever library that google or facebook uses, give it my user data and private key, and it will create the token for me. On my app I can use the same library and my public key to verify the data. There's more to it than just that for a proper and secure implementation, for example you need a good way to store your private keys so not everybody at your organization has access to them, but the government is likely to have most of that infrastructure in place all ready. So just generating some signed QR codes would be pretty straight forward.
Of course this is just one way that the data could be signed and verified. It's the one I'm most familiar with, and quite popular, but there are plenty of other formats as well. |
Fantastic explanation. And signed JSON Web Tokens are exactly how the QR codes are validated, so your example is perfect.