IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

"Jim Schaad" <ietf@augustcellars.com> Wed, 26 June 2013 18:30 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E56611E811F for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 11:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oi9rfXKc+5oI for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 11:30:49 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id B712D11E811D for <jose@ietf.org>; Wed, 26 Jun 2013 11:30:49 -0700 (PDT)
Received: from Philemon (mccpool-66-89.ci.monterey.ca.us [205.155.66.89]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id 21FA638F35; Wed, 26 Jun 2013 11:30:49 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: draft-ietf-jose-json-web-signature@tools.ietf.org, michael.jones@microsoft.com
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org>
In-Reply-To: <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org>
Date: Wed, 26 Jun 2013 11:29:52 -0700
Message-ID: <033a01ce729b$26bc3910$7434ab30$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFbtMM0AVMbmndwUUG6vntocHGkoALWvDclmhcGO3A=
Content-Language: en-us
Cc: jose@ietf.org
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2013 18:30:54 -0000

Having multiple ways to do something can frequently buy you a great deal of benefit.  However, in this case it is my library that is doing this and not the standard.

The client gives the library an 8-bit string.  The library signs that string.  The library puts that string into the payload field.

The client needs to make the 8-bit string URL safe if it wants to use compact encoding.

Where is there two ways of doing something?

Jim


> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> jose issue tracker
> Sent: Tuesday, June 25, 2013 5:23 PM
> To: draft-ietf-jose-json-web-signature@tools.ietf.org;
> michael.jones@microsoft.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
> 
> #26: Allow for signature payload to not be base64 encoded
> 
> 
> Comment (by michael.jones@microsoft.com)
> 
>  Having multiple ways to do something is one of the classic pitfalls to  avoid in
> standards.  They tend to generate interop problems because  developers will
> often only build the way that they think they need, never
>  getting around to the others.   I don t think the potential benefits of
>  having multiple ways to encode the payload outweigh this cost.
> 
>  Next, this feature would only work with the JSON serialization; it would  not
> work for the Compact Serialization because the payload must be URL  safe.
> The base64url encoding accomplishes that, and so is a necessary  part of the
> encoding.  Having the two serializations diverge in this  manner seems
> suboptimal.
> 
>  Third, I am concerned that the payload will sometimes change during
> transmission if not encoded in some manner.  Tabs can change to spaces.
>  LFs can change to CRLFs.  HTML is notorious for adding a blank at the end  of
> each line.  Two spaces can change to a space and a non-breaking space.
>  Etc.  Not encoding the payload would open us up to all of these potential
> modification-during-transmission problems   all of which would render the
> JWS useless by breaking the signature.
> 
>  Finally, this feature seems to be motivated by detached signatures, which  per
> my comment on Ticket #25, can be accomplished at the application layer
> without adding general-purpose support for detached signatures.  Thus, I  don
> t think this related feature is needed either.
> 
>  For all these reasons, I believe that this issue should be closed as   won t fix .
> 
> --
> -------------------------+----------------------------------------------
> -------------------------+---
>  Reporter:               |       Owner:  draft-ietf-jose-json-web-
>   ietf@augustcellars.com |  signature@tools.ietf.org
>      Type:  defect       |      Status:  new
>  Priority:  major        |   Milestone:
> Component:  json-web-    |     Version:
>   signature              |  Resolution:
>  Severity:  -            |
>  Keywords:               |
> -------------------------+----------------------------------------------
> -------------------------+---
> 
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/26#comment:1>
> jose <http://tools.ietf.org/jose/>
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.39.1 | Report a Bug | By Email | System Status