IETF Logo Mail Archive

Re: [jose] JWS Unencoded Payload Option and the % character

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 23 September 2015 01:04 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D359B1B3044 for <jose@ietfa.amsl.com>; Tue, 22 Sep 2015 18:04:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level:
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VjBbSzaAgFAY for <jose@ietfa.amsl.com>; Tue, 22 Sep 2015 18:04:46 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id C2FE11B3041 for <jose@ietf.org>; Tue, 22 Sep 2015 18:04:44 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="5.17,575,1437400800"; d="scan'208,217"; a="29608030"
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipobvi.tcif.telstra.com.au with ESMTP; 23 Sep 2015 11:04:43 +1000
X-IronPort-AV: E=McAfee;i="5700,7163,7932"; a="28720431"
Received: from wsmsg3706.srv.dir.telstra.com ([172.49.40.80]) by ipcavi.tcif.telstra.com.au with ESMTP; 23 Sep 2015 11:04:43 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3706.srv.dir.telstra.com ([172.49.40.80]) with mapi; Wed, 23 Sep 2015 11:04:43 +1000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Date: Wed, 23 Sep 2015 11:04:41 +1000
Thread-Topic: JWS Unencoded Payload Option and the % character
Thread-Index: AdD1hT2A8m9ACawFRC6C6gO928KtywADQoyw
Message-ID: <255B9BB34FB7D647A506DC292726F6E13BAE035A11@WSMSG3153V.srv.dir.telstra.com>
References: <BY2PR03MB4426BED954F4CAC80447B4EF5450@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB4426BED954F4CAC80447B4EF5450@BY2PR03MB442.namprd03.prod.outlook.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E13BAE035A11WSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/4w4LTil1I4LdVPbw1W8mXSP_bxU>
Subject: Re: [jose] JWS Unencoded Payload Option and the % character
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 01:04:51 -0000

Or a 5th option:

5. "b64":false affects the Signing Input, but not the Compact Serialization (which remains a URL-safe string for any Payload). The 2nd dot-separated component of the Compact Serialization is always BASE64URL(JWS Payload); a '%' in the Payload causes no issues, neither does a '.' nor any other octet.

The only corner case option 5 prevents is when you have: (1) a large payload; (2) that doesn't contain octet 0x2E '.'; (3) probably doesn't contain any of the other 190 octet values not in the URL-safe set; (4) you want to use the Compact Serialization; (5) you don't want to use a detached payload; and (6) you cannot tolerate the additional 33% space overhead from base64url-encoding the Payload. I don't think this is a corner case anyone is interested in.

--
James Manger

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, 23 September 2015 8:23 AM
To: jose@ietf.org
Subject: [jose] JWS Unencoded Payload Option and the % character

There's one outstanding issue with the JWS Unencoded Payload Option specification that I'd like to see working group discussion on:  What should the processing rules be for a '%' character in the JWS Payload for a non-detached payload using "b64":false with the JWS Compact Serialization?  I see the possibilities as being:

1.  Use of '%' is prohibited, because it is not URL-safe.  This is the behavior current specified in https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-02#section-5.2.  This is the simplest option.  It means that inline unencoded payloads are limited to using letters, numbers, dash, underscore, and tilde.

2.  Use of '%' is allowed and has no defined semantics at the JWS level; it's just another allowed character.  This maintains the invariant that the JWS Signing input consists of the characters before the second '.' in the JWS representation.  Note that because '%' is not URL-safe, any URLs containing JWS containing '%' characters would have to form-url-encode them - resulting in them being represented in the URL as "%25".  Applications *could* use '%' at the application level to escape octets using the '%' <hex> <hex> convention but this escaping would not be understood by JWS.  For example, the JWS Payload could be "%24%2E02", be represented in the JWS as "%24%2E02", be represented in URLs as "%2524%252E02", and the JWS Signing Input would contain "%24%2E02".  I believe that this is the position that was being advocated by Sergey Beryozkin in http://www.ietf.org/mail-archive/web/jose/current/msg05257.html.

3.  Use of '%' is allowed and is used for '%' <hex> <hex> encoding of payload octets, with the JWS Signing Input keeping the '%' <hex> <hex> characters as-is.  This maintains the invariant that the JWS Signing input consists of the characters before the second '.' in the JWS representation.  It requires form-url-decoding of any payload value containing '%' when returning the JWS Payload.    For example, the JWS Payload could be "$.02", be represented in the JWS as "%24%2E02", be represented in URLs as "%2524%252E02", and the JWS Signing Input would contain "%24%2E02".

4.  Use of '%' is allowed and is used for '%' <hex> <hex> encoding of payload octets, with the JWS Signing Input containing the encoded octets.  This loses the invariant that the JWS Signing input consists of the characters before the second '.' in the JWS representation.  It requires form-url-decoding of any payload value containing '%' both when doing signing and when returning the JWS Payload.    For example, the JWS Payload could be "$.02", be represented in the JWS as "%24%2E02", be represented in URLs as "%2524%252E02", and the JWS Signing Input would contain "$.02".  This is the most consistent with the JWS JSON Serialization processing rules in https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-02#section-5.3, in which the JWS Payload and JWS Signing Input values are determined after performing any escape processing.  I believe that this is the position that was being advocated by Jim Schaad in http://www.ietf.org/mail-archive/web/jose/current/msg05259.html.

How would working group members like to see us use (or not use) '%'?

                                                                -- Mike

v2.23.0 | Report a Bug | By Email