Display Domain name when signing JWT messages
neithanmo opened this issue · 1 comments
Sharing a commend from the ledger team:
JWT tokens are signed on a dedicated path (888'/0').
Header for JWW tokens must be exactly {"typ":"JWT","alg":"ES256K"}. I find it a bit restrictive (some wallets may add spaces).
Displaying the hash of the data to sign is not good from a security point of view.
I suggest, if possible, displaying the domain name contained in the JWT token on the device screen. This could be added in a future version.
This could be a bit problematic as it would probably require a full JSON parser in a device whose memory is very limited.
We will close this issue for now as it poses really complex problems regarding data decoding and parsing for which the device could run out of memory.