IETF Logo Mail Archive

Re: [OAUTH-WG] Understanding the reasoning for Base64

Naitik Shah <n@daaku.org> Fri, 25 June 2010 19:15 UTC

Return-Path: <naitiks@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A34928C0F0 for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 12:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.046
X-Spam-Level:
X-Spam-Status: No, score=-1.046 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f11fhoDV9QpP for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 12:15:48 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id B71B828C122 for <oauth@ietf.org>; Fri, 25 Jun 2010 12:15:43 -0700 (PDT)
Received: by iwn39 with SMTP id 39so624732iwn.31 for <oauth@ietf.org>; Fri, 25 Jun 2010 12:15:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:sender:received :in-reply-to:references:from:date:x-google-sender-auth:message-id :subject:to:cc:content-type; bh=N5mZ8GQfRQqI7MLfTW1836xLyT1Ks7Ll9r1cyJskhmA=; b=pyFZUhfZ4yggkEg8C29P7zrcsqKqR18F13xnoq1jGLf2851WbLvR2h+cCIE76lptwn fEawB4L4qvXF6EEUA9U0qtmFPLAURzyVxK2LOBqPPsmRcPYfCoa4XxoQTc7ospSbhBB+ Ge0OuFlsN5j1D62v3kPBtYibBC6Pc6VfsDzVc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=uuUtCAvXIca32yoXS+cG6wjvl8bpYopN1qa1m2n0rRpIs+54R5frUjeeZfW9DuZYkL v2W2yeymPQCQfFLaadU9SeqY0RrVhXrT4OLpAxv8tKOlmSSJ4LTc2+uQQCMOYkWG1NIE UzpcFcYuxGHhjEzvzWVOOlyA1KI8I7HfI9YKU=
Received: by 10.231.194.223 with SMTP id dz31mr1190216ibb.87.1277493352559; Fri, 25 Jun 2010 12:15:52 -0700 (PDT)
MIME-Version: 1.0
Sender: naitiks@gmail.com
Received: by 10.231.170.9 with HTTP; Fri, 25 Jun 2010 12:15:31 -0700 (PDT)
In-Reply-To: <AANLkTinvLOV0f3I-aWpeAbfIpfGyxZSB2RHu52iw5mDC@mail.gmail.com>
References: <AANLkTimMruKyblUWROkPMDapFKtTztOXqL64PpQxCmKO@mail.gmail.com> <2625894F-2979-40BD-81E1-05A6EB8723CD@facebook.com> <AANLkTinvLOV0f3I-aWpeAbfIpfGyxZSB2RHu52iw5mDC@mail.gmail.com>
From: Naitik Shah <n@daaku.org>
Date: Fri, 25 Jun 2010 12:15:31 -0700
X-Google-Sender-Auth: xR-pByVeCMI722oYCC-9_q_nNFo
Message-ID: <AANLkTilWNneonIRX21U1RZcE80FuVSJWXU7CNm5pV275@mail.gmail.com>
To: Breno <breno.demedeiros@gmail.com>
Content-Type: multipart/alternative; boundary="00504501748b7b759f0489df991f"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding the reasoning for Base64
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 19:16:00 -0000

On Fri, Jun 25, 2010 at 11:39 AM, Breno <breno.demedeiros@gmail.com> wrote:

> On Fri, Jun 25, 2010 at 10:49 AM, Luke Shepard <lshepard@facebook.com>
> wrote:
> > Brian, Dirk - just wondering if you had thoughts here?
> >
> > The only strong reason I can think of for base64 encoding is that it
> allows for a delimiter between the body and the signature. Is there any
> other reason?
>
> Without base64 encoding we have to define canonicalization procedures
> around spaces and we still have to URL encode separator characters
> such as {. There is also the risk that developers might be confused
> whether the URL encoding is to be performed before or after
> computation of the signature.  If you say that the signature is
> computed on the base64 encoded blob, there's less scope for confusion
> and interoperability issues.
>
>
Yep, I get that the "web" version makes the url encoding a no op. But I fear
we're trading one spec (urlencoding) to another one (web base64). I'm
imagining the sample code (that does not rely on an SDK) we'ed give out to
developers in our docs, and the thing that stands out is the "web" part in
the web_base64. It means that our sample code will look like

  str_replace("+", "_", base64(json_encode(data))))

or for validating signatures:

  json_decode(decode64(str_replace("_", "+", data)))

The str_replace() really stands out. From my quick read, it seemed like
there were one or two other characters that needed to get replaced too.
While some languages (like PHP) support arrays to specify multiple
replacement patterns, in other languages you'll end up with a few
str_replace calls. It would be nice if that wasn't necessary.

I'm wondering if we can get away with "urlencode(json_encode(data) + '.' +
sig)" as the value. then, instead of str_replace for getting normal base64
logic to work, we would instead need a rsplit or something, since the dot is
not a reserved character in the json blob. Was that approach considered?


-Naitik

v2.40.4 | Report a Bug | By Email | System Status