Re: [jose] signing an existing JWT

Dick Hardt <dick.hardt@gmail.com> Tue, 30 October 2012 02:15 UTC


Thanks Axel. I'm familiar with naive sign and encrypt issues (hopefully!)

As I reflected on my implementation, I have to include other parameters in my payload besides the JWT, so an optimization does not look simple. I can use POST here as well, so size is not as much of an issue as it is with a redirect over GET.

-- Dick

On Oct 29, 2012, at 5:10 PM, Axel Nennker <ignisvulpis@gmail.com> wrote:

> An answer not related to the size issue which might be relevant regardless: http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html 
> 
> --Axel
> 
> 2012/10/29 Dick Hardt <dick.hardt@gmail.com>
> 
> Let's say we have created a JWE as such:
> 
>         headerOne.encryptedKeyOne.initializationVectorOne.ciphertextOne.integrityVectorOne
> 
> This is now the payload to a JWS. Rather than increasing the token size by 4/3 by URL safe base 64 encoding the payload (since it is already URL safe), it would be useful to have a JWS header parameter that indicates the payload was not re-encoded and does not need to be URL safe base 64 decoded.
> 
> As there are more periods than expected in a JWS, decoding would ignore all periods except the first and last one for separating out the header, payload and signature.
> 
> The indicating parameter would seem to be either "tip" or "cty". I'm still confused about the difference between the two parameters, so not sure which one is appropriate.
> 
> -- Dick
> 
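The scheme sketched in the quoted post, as an added example that is not code from this thread: a JWS whose payload is a JWE left in its already URL-safe form, with the verifier splitting on the first and last period only so the JWE's own periods survive. The header flag name "b64" (listed in "crit") is an assumption borrowed from RFC 7797, which later standardized an unencoded-payload option; the key and JWE parts are constructed placeholders. RFC 7797 itself forbids periods in an unencoded compact payload and points to detached payloads instead, so the first/last-period rule below follows the post, not the RFC.

```python
import base64, hmac, hashlib, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed sample: a five-part JWE compact serialization used as the JWS
# payload. The parts are placeholders, not real ciphertext.
JWE_TOKEN = "eyJhbGciOiJSU0ExXzUifQ.encKey.iv.ciphertext.integrity"
KEY = b"constructed-demo-key"  # constructed HMAC key for the example

def jws_sign(payload: str, key: bytes, unencoded: bool) -> str:
    # Assumed flag: the post suggests "typ" or "cty"; "b64": false plus
    # "crit": ["b64"] is the name RFC 7797 later gave this idea.
    header = {"alg": "HS256"}
    if unencoded:
        header["b64"] = False
        header["crit"] = ["b64"]
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = payload if unencoded else b64url_encode(payload.encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(sig)}"

def jws_verify(token: str, key: bytes) -> str:
    # Split on the first and last '.' only; any periods in between belong to
    # an unencoded payload (a JWE carries four of them).
    enc_header, rest = token.split(".", 1)
    enc_payload, enc_sig = rest.rsplit(".", 1)
    header = json.loads(b64url_decode(enc_header))
    unencoded = header.get("b64", True) is False
    # A verifier that ignored "b64" would still pass the signature check (it
    # covers the raw payload either way) and then misread the payload, which
    # is why the flag has to be marked critical.
    if unencoded and "b64" not in header.get("crit", []):
        raise ValueError('"b64" must be listed in "crit"')
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("bad signature")
    return enc_payload if unencoded else b64url_decode(enc_payload).decode()
```

For a payload this short the extra header fields cost more than the 4/3 encoding overhead they save, so the option only pays off on larger tokens.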