Re: [OAUTH-WG] Understanding the reasoning for Base64
John Panzer <jpanzer@google.com> Fri, 25 June 2010 20:36 UTC
Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 47C7928C10D for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 13:36:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.746
X-Spam-Level:
X-Spam-Status: No, score=-99.746 tagged_above=-999 required=5 tests=[AWL=-0.370, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wW3dXLkKL+ex for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 13:36:26 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 2965128C10A for <oauth@ietf.org>; Fri, 25 Jun 2010 13:36:26 -0700 (PDT)
Received: from hpaq6.eem.corp.google.com (hpaq6.eem.corp.google.com [172.25.149.6]) by smtp-out.google.com with ESMTP id o5PKaX0f027597 for <oauth@ietf.org>; Fri, 25 Jun 2010 13:36:33 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1277498193; bh=8RMMSdSKO/4kFRwrMt1LKvjyLWM=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=J4aYbbtMZ3irv01sEAngOnwA9VeZ1wmntiNAMkN3bcvJZAmNNV6FMKUl81r7Rs5qJ Po5ykLQR9Ez3aoDjkZDww==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=vMHaM55PpGLUHi3EPikxK9awQpZ0Tbbx2LIFVQrxxwqRudCYuFo1fG6UfqGG76G4N lMZASmWj9OBlGGbX7xwCQ==
Received: from gxk19 (gxk19.prod.google.com [10.202.11.19]) by hpaq6.eem.corp.google.com with ESMTP id o5PKZscI000987 for <oauth@ietf.org>; Fri, 25 Jun 2010 13:36:32 -0700
Received: by gxk19 with SMTP id 19so4281893gxk.6 for <oauth@ietf.org>; Fri, 25 Jun 2010 13:36:32 -0700 (PDT)
Received: by 10.101.145.21 with SMTP id x21mr1501539ann.232.1277498192245; Fri, 25 Jun 2010 13:36:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.100.10 with HTTP; Fri, 25 Jun 2010 13:36:12 -0700 (PDT)
In-Reply-To: <AANLkTilWNneonIRX21U1RZcE80FuVSJWXU7CNm5pV275@mail.gmail.com>
References: <AANLkTimMruKyblUWROkPMDapFKtTztOXqL64PpQxCmKO@mail.gmail.com> <2625894F-2979-40BD-81E1-05A6EB8723CD@facebook.com> <AANLkTinvLOV0f3I-aWpeAbfIpfGyxZSB2RHu52iw5mDC@mail.gmail.com> <AANLkTilWNneonIRX21U1RZcE80FuVSJWXU7CNm5pV275@mail.gmail.com>
From: John Panzer <jpanzer@google.com>
Date: Fri, 25 Jun 2010 13:36:12 -0700
Message-ID: <AANLkTin-7PNLv-Hc229JJcOrIBh4fJqY5CMaLCMbmoIk@mail.gmail.com>
To: Naitik Shah <n@daaku.org>
Content-Type: multipart/alternative; boundary="0016e6d3cf18f3343c0489e0b9c0"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding the reasoning for Base64
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 20:36:28 -0000
There are 2 characters that are different between base64 and base64url. Many good libraries support both (as they're both useful, and both are in the base64 RFC spec); the ability to eliminate a class of encoding problems seems like a good trade-off for, in some languages without full base64 support, an additional substitution of 2 characters. -- John Panzer / Google jpanzer@google.com / abstractioneer.org <http://www.abstractioneer.org/> / @jpanzer On Fri, Jun 25, 2010 at 12:15 PM, Naitik Shah <n@daaku.org> wrote: > On Fri, Jun 25, 2010 at 11:39 AM, Breno <breno.demedeiros@gmail.com>wrote: > >> On Fri, Jun 25, 2010 at 10:49 AM, Luke Shepard <lshepard@facebook.com> >> wrote: >> > Brian, Dirk - just wondering if you had thoughts here? >> > >> > The only strong reason I can think of for base64 encoding is that it >> allows for a delimiter between the body and the signature. Is there any >> other reason? >> >> Without base64 encoding we have to define canonicalization procedures >> around spaces and we still have to URL encode separator characters >> such as {. There is also the risk that developers might be confused >> whether the URL encoding is to be performed before or after >> computation of the signature. If you say that the signature is >> computed on the base64 encoded blob, there's less scope for confusion >> and interoperability issues. >> >> > Yep, I get that the "web" version makes the url encoding a no op. But I > fear we're trading one spec (urlencoding) to another one (web base64). I'm > imagining the sample code (that does not rely on an SDK) we'ed give out to > developers in our docs, and the thing that stands out is the "web" part in > the web_base64. It means that our sample code will look like > > str_replace("+", "_", base64(json_encode(data)))) > > or for validating signatures: > > json_decode(decode64(str_replace("_", "+", data))) > > The str_replace() really stands out. From my quick read, it seemed like > there were one or two other characters that needed to get replaced too. > While some languages (like PHP) support arrays to specify multiple > replacement patterns, in other languages you'll end up with a few > str_replace calls. It would be nice if that wasn't necessary. > > I'm wondering if we can get away with "urlencode(json_encode(data) + '.' + > sig)" as the value. then, instead of str_replace for getting normal base64 > logic to work, we would instead need a rsplit or something, since the dot is > not a reserved character in the json blob. Was that approach considered? > > > -Naitik > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Understanding the reasoning for Base64 Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Luke Shepard
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Breno
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… John Panzer
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Paul Tarjan
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Ben Laurie
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Luke Shepard
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Evan Gilbert
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt