Re: [jose] #26: Allow for signature payload to not be base64 encoded
Dick Hardt <dick.hardt@gmail.com> Thu, 27 June 2013 23:56 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 720D611E8170 for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 16:56:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Cm+vxGTRyVl for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 16:56:53 -0700 (PDT)
Received: from mail-bk0-x233.google.com (mail-bk0-x233.google.com [IPv6:2a00:1450:4008:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 4E06F11E8163 for <jose@ietf.org>; Thu, 27 Jun 2013 16:56:51 -0700 (PDT)
Received: by mail-bk0-f51.google.com with SMTP id ji1so548541bkc.10 for <jose@ietf.org>; Thu, 27 Jun 2013 16:56:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=GJmnH02OUWfs+PFtzcrCAvX1UD3360Ko51m6gm1s+Ak=; b=irxgr6V2DDxwyQbkGForaG7RTkf8DFylZCmTFupfI48G6XtfV5pRjz2jUcSuDtzaHT VrgkOgOd79SpXo9wJ0puVYks5ynV9bw67LggkP6STtaGTTOeZAQ6RUsDim2Gf8hRK9tU j6bIaB6Rg3b6Mp2EpQ9uUCMDDqM+lD03AH2avsiw722+oUlnR3nOPD1eD6My4Kig/Jnx OIjT3crHc64xrFfUpOUhNYoiQQVH+7q5/hmYVORIFyAtJs4JLTka8/aJYXlvz9RLxs+b uRGprgtcKWp4BkzZ0Y/68uTTuCkGKP6M9chB/xgVucIgJIQXBsPQ2FeoBe12aDCaALOp oCNw==
X-Received: by 10.205.36.194 with SMTP id tb2mr1492073bkb.174.1372377409368; Thu, 27 Jun 2013 16:56:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.205.133.75 with HTTP; Thu, 27 Jun 2013 16:56:29 -0700 (PDT)
In-Reply-To: <CAL02cgTkUrQptGqOfQyhCembS1e3Qxw3peRFnO5QjswUW=XR-w@mail.gmail.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com> <51CBA981.4050006@nri.co.jp> <048f01ce7355$19f05bc0$4dd11340$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943678A0114@TK5EX14MBXC283.redmond.corp.microsoft.com> <04bf01ce7359$5ab862c0$10292840$@augustcellars.com> <CAL02cgTkUrQptGqOfQyhCembS1e3Qxw3peRFnO5QjswUW=XR-w@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 27 Jun 2013 16:56:29 -0700
Message-ID: <CAD9ie-sZ+w_HADMTnnkTC8XRJmjZvwYOmA+AhvJGTNPhhK=Z4g@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="bcaec52996ebfbea9004e02b8329"
Cc: Jim Schaad <ietf@augustcellars.com>, n-sakimura <n-sakimura@nri.co.jp>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, draft-ietf-jose-json-web-signature@tools.ietf.org
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 23:56:54 -0000
On Thu, Jun 27, 2013 at 3:24 PM, Richard Barnes <rlb@ipv.sx> wrote:
> I think there are two separable issues here, both of which Mike and I
> probably have divergent opinions on :)
> 1. Syntax: Should it be possible for the "payload" field JWS to be a JSON
> string (instead of base64) when the payload is simply a UTF-8 string?
>
One of the goals of the token was that it not require encoding for it to be
transported in a request. IE that it be safe and SIMPLE to include in an
HTTP header or in a URL
> 2. Crypto: Must the JWS Signing Input be base64url encoded.
>
> The current answers to these questions are:
> 1. It is not possible. Payload is always base64url encoded.
> 2. It is always base64url encoded.
>
> The answers should be:
> 1. The payload should not be base64url encoded unless it cannot be
> represented as a JSON string.
>
How does an implementation determine which parts are separated? Are '.'
escaped? Does the implementation need to parse the JSON to determine a
valid separator? How does it know the end of the JSON? That sounds really
hard to implement, or I am misunderstanding what you are proposing.
> 2. The JWS Signing Input should not be base64url encoded unless there is a
> JWS Protected Header
>
> Neither of these are complicated changes:
> 1. Add a "b64" header parameter that indicates that the payload is
> base64url-encoded binary, as opposed to a UTF-8 string. Specify that this
> parameter is on by default in compact-formatted JWS objects.
>
And how is the header separated from the payload?
> 2. Modify the signing/verification instructions to switch based on the
> presence of a JWS Protected Header: "If the JWS Protected Header is absent
> or empty, then the JWS Signing Input is simply the JWS Payload (not
> encoded). If the JWS Protected Header has a non-empty value, then the the
> JWS Signing Input is the concatenation of the Encoded JWS Header, a period
> ('.') character, and the Encoded JWS Payload"
>
> There are two reasons for these, both of which are important to make sure
> that this spec is applicable to a broad variety of use cases:
> 1. Compactness. As Jim notes, quoted strings are shorter than
> base64url-encoded strings
>
The tokens are already compact enough.
> 2. Crypto-compatibility: Avoiding base64-encoding means that there's
> nothing JWS-specific about the signature value. So for example, you could
> translate a JWS with no protected attributes to a CMS SignedData object
> with no protected attributes.
>
Not a useful feature from my point of view.
-- Dick
- [jose] #26: Allow for signature payload to not be… jose issue tracker
- Re: [jose] #26: Allow for signature payload to no… jose issue tracker
- Re: [jose] #26: Allow for signature payload to no… Jim Schaad
- Re: [jose] #26: Allow for signature payload to no… Mike Jones
- Re: [jose] #26: Allow for signature payload to no… John Bradley
- Re: [jose] #26: Allow for signature payload to no… n-sakimura
- Re: [jose] #26: Allow for signature payload to no… Jim Schaad
- Re: [jose] #26: Allow for signature payload to no… Jim Schaad
- Re: [jose] #26: Allow for signature payload to no… Mike Jones
- Re: [jose] #26: Allow for signature payload to no… Jim Schaad
- Re: [jose] #26: Allow for signature payload to no… Richard Barnes
- Re: [jose] #26: Allow for signature payload to no… Mike Jones
- Re: [jose] #26: Allow for signature payload to no… Dick Hardt
- Re: [jose] #26: Allow for signature payload to no… Edmund Jay
- Re: [jose] #26: Allow for signature payload to no… Matias Woloski
- Re: [jose] #26: Allow for signature payload to no… Richard Barnes
- Re: [jose] #26: Allow for signature payload to no… Richard Barnes
- Re: [jose] #26: Allow for signature payload to no… Dick Hardt
- Re: [jose] #26: Allow for signature payload to no… Mike Jones
- Re: [jose] #26: Allow for signature payload to no… Richard Barnes
- Re: [jose] #26: Allow for signature payload to no… Dick Hardt
- Re: [jose] #26: Allow for signature payload to no… Richard Barnes
- Re: [jose] #26: Allow for signature payload to no… Dick Hardt
- Re: [jose] #26: Allow for signature payload to no… Richard Barnes
- Re: [jose] #26: Allow for signature payload to no… Dick Hardt
- Re: [jose] #26: Allow for signature payload to no… John Bradley
- Re: [jose] #26: Allow for signature payload to no… Mike Jones
- Re: [jose] #26: Allow for signature payload to no… Mike Jones
- Re: [jose] #26: Allow for signature payload to no… Manger, James H
- Re: [jose] #26: Allow for signature payload to no… jose issue tracker