IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

Mike Jones <Michael.Jones@microsoft.com> Wed, 26 June 2013 19:10 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 233F011E81DC for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 12:10:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vgk+ecgVkKCq for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 12:10:46 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0205.outbound.protection.outlook.com [207.46.163.205]) by ietfa.amsl.com (Postfix) with ESMTP id 9732B11E812E for <jose@ietf.org>; Wed, 26 Jun 2013 12:10:45 -0700 (PDT)
Received: from BY2FFO11FD007.protection.gbl (10.1.15.202) by BY2FFO11HUB025.protection.gbl (10.1.14.111) with Microsoft SMTP Server (TLS) id 15.0.707.0; Wed, 26 Jun 2013 19:10:36 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD007.mail.protection.outlook.com (10.1.14.128) with Microsoft SMTP Server (TLS) id 15.0.707.0 via Frontend Transport; Wed, 26 Jun 2013 19:10:36 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.25]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0136.001; Wed, 26 Jun 2013 19:09:31 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>
Thread-Topic: [jose] #26: Allow for signature payload to not be base64 encoded
Thread-Index: AQHOcgNOsVoAPXc/s02k5Wh9HChUEZlIUkQAgAAIucA=
Date: Wed, 26 Jun 2013 19:09:31 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436789B3BC@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com>
In-Reply-To: <033a01ce729b$26bc3910$7434ab30$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.72]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464003)(51704005)(189002)(199002)(377454003)(69226001)(74706001)(77096001)(76482001)(76786001)(74662001)(74366001)(81342001)(31966008)(56816003)(46406003)(46102001)(53806001)(55846006)(76796001)(81542001)(80022001)(56776001)(4396001)(77982001)(74876001)(54356001)(51856001)(6806003)(47776003)(54316002)(63696002)(65816001)(20776003)(23726002)(561944002)(50466002)(47976001)(59766001)(16406001)(33656001)(49866001)(47736001)(79102001)(74502001)(47446002)(44976004)(66066001)(50986001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB025; H:TK5EX14HUBC103.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 08897B549D
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2013 19:10:51 -0000

Maybe I'm confused about what you were proposing.  These are the two ways of doing something that I thought you were describing:

1.  Have the signature payload be base64url encoded (the status quo)
2.  Have the signature payload be unencoded in the JSON Serialization if a flag is set in the header

If you're proposing that the default be unencoded for the JSON Serialization, that has the pitfall that a simple syntactic transformation is no longer possible between the Compact Serialization and the JSON Serialization.  The two would have unnecessarily diverged.

If I misunderstood your proposal, maybe you could describe it in closer to normative language - for instance, defining the flag you propose to say that the payload is not base64url encoded and saying what its semantics would be for the JSON Serialization and the Compact Serialization.

BTW, your response didn't address the point that a primary purpose of the base64url encoding is to harden the payload against changes that might otherwise occur during transmission.  Not hardening the payload will almost certainly lead to hard-to-debug interop problems in practice.

				-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Wednesday, June 26, 2013 11:30 AM
To: draft-ietf-jose-json-web-signature@tools.ietf.org; Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded

Having multiple ways to do something can frequently buy you a great deal of benefit.  However, in this case it is my library that is doing this and not the standard.

The client gives the library an 8-bit string.  The library signs that string.  The library puts that string into the payload field.

The client needs to make the 8-bit string URL safe if it wants to use compact encoding.

Where is there two ways of doing something?

Jim


> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf 
> Of jose issue tracker
> Sent: Tuesday, June 25, 2013 5:23 PM
> To: draft-ietf-jose-json-web-signature@tools.ietf.org;
> michael.jones@microsoft.com
> Cc: jose@ietf.org
> Subject: Re: [jose] #26: Allow for signature payload to not be base64 
> encoded
> 
> #26: Allow for signature payload to not be base64 encoded
> 
> 
> Comment (by michael.jones@microsoft.com)
> 
>  Having multiple ways to do something is one of the classic pitfalls 
> to  avoid in standards.  They tend to generate interop problems 
> because  developers will often only build the way that they think they need, never
>  getting around to the others.   I don t think the potential benefits of
>  having multiple ways to encode the payload outweigh this cost.
> 
>  Next, this feature would only work with the JSON serialization; it 
> would  not work for the Compact Serialization because the payload must be URL  safe.
> The base64url encoding accomplishes that, and so is a necessary  part 
> of the encoding.  Having the two serializations diverge in this  
> manner seems suboptimal.
> 
>  Third, I am concerned that the payload will sometimes change during 
> transmission if not encoded in some manner.  Tabs can change to spaces.
>  LFs can change to CRLFs.  HTML is notorious for adding a blank at the 
> end  of each line.  Two spaces can change to a space and a non-breaking space.
>  Etc.  Not encoding the payload would open us up to all of these potential
> modification-during-transmission problems   all of which would render the
> JWS useless by breaking the signature.
> 
>  Finally, this feature seems to be motivated by detached signatures, 
> which  per my comment on Ticket #25, can be accomplished at the 
> application layer without adding general-purpose support for detached 
> signatures.  Thus, I  don t think this related feature is needed either.
> 
>  For all these reasons, I believe that this issue should be closed as   won t fix .
> 
> --
> -------------------------+--------------------------------------------
> -------------------------+--
> -------------------------+---
>  Reporter:               |       Owner:  draft-ietf-jose-json-web-
>   ietf@augustcellars.com |  signature@tools.ietf.org
>      Type:  defect       |      Status:  new
>  Priority:  major        |   Milestone:
> Component:  json-web-    |     Version:
>   signature              |  Resolution:
>  Severity:  -            |
>  Keywords:               |
> -------------------------+--------------------------------------------
> -------------------------+--
> -------------------------+---
> 
> Ticket URL: 
> <http://trac.tools.ietf.org/wg/jose/trac/ticket/26#comment:1>
> jose <http://tools.ietf.org/jose/>
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.39.1 | Report a Bug | By Email | System Status