IETF Logo Mail Archive

Re: [OAUTH-WG] Understanding the reasoning for Base64

Naitik Shah <n@daaku.org> Fri, 25 June 2010 23:42 UTC

Return-Path: <naitiks@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4705C3A68F1 for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 16:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.624
X-Spam-Level:
X-Spam-Status: No, score=0.624 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1qIOxCH-K2KW for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 16:42:27 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id D147A3A68B0 for <oauth@ietf.org>; Fri, 25 Jun 2010 16:42:27 -0700 (PDT)
Received: by pvc21 with SMTP id 21so1507292pvc.31 for <oauth@ietf.org>; Fri, 25 Jun 2010 16:42:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:sender:received :in-reply-to:references:from:date:x-google-sender-auth:message-id :subject:to:cc:content-type; bh=tceGwuhUMsgMQlqVRlypcxwa/EOZbBSUKLOjcLYfy2g=; b=Wp9X9TfZFKSVNGkw5lm4+42Xc8+s45NV/nH5cYC4OBZqKqg27/ylfenMEgS0fQY0tB AHQH5xpZUQPP0BXm1Q7k1nW3ppWIyezCNa+JkPN/ejytT/OSEhFTBmQWmRob/0tFD+Zs 15K7nicDR35d9mUyNr3qrhuydPGMLS82DZCIY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=V1xdvi+txW/cFs+fzIOQ1r4UjTvkadDstq+qtu5wtyWctIZYQnc4y8+Ji9cEKZl+ZI sZoMkqLjk0NtuSQqRGKc+0pGF26V6ZeBk71/XcNmV0a6F9neY1pdZJRAfzmFfLqFO3ep Az4d4XKiqukV4Zp/9wdBbLZTaKkLTBpD2hHNU=
Received: by 10.142.152.9 with SMTP id z9mr1851210wfd.314.1277509354143; Fri, 25 Jun 2010 16:42:34 -0700 (PDT)
MIME-Version: 1.0
Sender: naitiks@gmail.com
Received: by 10.142.223.10 with HTTP; Fri, 25 Jun 2010 16:42:13 -0700 (PDT)
In-Reply-To: <AANLkTin-7PNLv-Hc229JJcOrIBh4fJqY5CMaLCMbmoIk@mail.gmail.com>
References: <AANLkTimMruKyblUWROkPMDapFKtTztOXqL64PpQxCmKO@mail.gmail.com> <2625894F-2979-40BD-81E1-05A6EB8723CD@facebook.com> <AANLkTinvLOV0f3I-aWpeAbfIpfGyxZSB2RHu52iw5mDC@mail.gmail.com> <AANLkTilWNneonIRX21U1RZcE80FuVSJWXU7CNm5pV275@mail.gmail.com> <AANLkTin-7PNLv-Hc229JJcOrIBh4fJqY5CMaLCMbmoIk@mail.gmail.com>
From: Naitik Shah <n@daaku.org>
Date: Fri, 25 Jun 2010 16:42:13 -0700
X-Google-Sender-Auth: F4-__aWTjrWFLEVsDKws9sg_q40
Message-ID: <AANLkTikh_nQ8dXSp7QXJ79kCdbX1zeyPKAl_kgplb25x@mail.gmail.com>
To: John Panzer <jpanzer@google.com>
Content-Type: multipart/alternative; boundary="000e0cd2dfca40417d0489e3535a"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding the reasoning for Base64
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 23:42:29 -0000

So my litmus test was looking on the web for "web base 64" or "web base64".
Both yield nothing useful. Looking at the docs for PHP, it doesn't seem to
support it, Python does, Ruby doesn't seem to. Java doesn't seem to have a
native base64, and the C# one doesn't seem to have the web version (a bit
unsure about these two). The point I'm trying to make is to someone who
comes and reads the docs for an API where we're talking about signature, web
base64 will need to be explained in detail.

I agree eliminating encoding problems is a good goal. But if we do have to
teach the developer a new, or slightly modified encoding scheme, why not
have it be URL encoding? It seems more valuable in the long term, since it's
a spec that shows up more frequently on the web. And OAuth 1 has already
taught this spec to at least some of the target audience.

While encoding/decoding with any format will result in some learning, I
think if we sign a JSON blob sans urlencoding or web-base64, it might work
out to be easier. The fact that it's still mostly plain text is also a plus
imho.


-Naitik


On Fri, Jun 25, 2010 at 1:36 PM, John Panzer <jpanzer@google.com> wrote:

> There are 2 characters that are different between base64 and base64url.
>  Many good libraries support both (as they're both useful, and both are in
> the base64 RFC spec); the ability to eliminate a class of encoding problems
> seems like a good trade-off for, in some languages without full base64
> support, an additional substitution of 2 characters.
>
> --
> John Panzer / Google
> jpanzer@google.com / abstractioneer.org <http://www.abstractioneer.org/> /
> @jpanzer
>
>
>
> On Fri, Jun 25, 2010 at 12:15 PM, Naitik Shah <n@daaku.org> wrote:
>
>> On Fri, Jun 25, 2010 at 11:39 AM, Breno <breno.demedeiros@gmail.com>wrote:
>>
>>> On Fri, Jun 25, 2010 at 10:49 AM, Luke Shepard <lshepard@facebook.com>
>>> wrote:
>>> > Brian, Dirk - just wondering if you had thoughts here?
>>> >
>>> > The only strong reason I can think of for base64 encoding is that it
>>> allows for a delimiter between the body and the signature. Is there any
>>> other reason?
>>>
>>> Without base64 encoding we have to define canonicalization procedures
>>> around spaces and we still have to URL encode separator characters
>>> such as {. There is also the risk that developers might be confused
>>> whether the URL encoding is to be performed before or after
>>> computation of the signature.  If you say that the signature is
>>> computed on the base64 encoded blob, there's less scope for confusion
>>> and interoperability issues.
>>>
>>>
>> Yep, I get that the "web" version makes the url encoding a no op. But I
>> fear we're trading one spec (urlencoding) to another one (web base64). I'm
>> imagining the sample code (that does not rely on an SDK) we'ed give out to
>> developers in our docs, and the thing that stands out is the "web" part in
>> the web_base64. It means that our sample code will look like
>>
>>   str_replace("+", "_", base64(json_encode(data))))
>>
>> or for validating signatures:
>>
>>   json_decode(decode64(str_replace("_", "+", data)))
>>
>> The str_replace() really stands out. From my quick read, it seemed like
>> there were one or two other characters that needed to get replaced too.
>> While some languages (like PHP) support arrays to specify multiple
>> replacement patterns, in other languages you'll end up with a few
>> str_replace calls. It would be nice if that wasn't necessary.
>>
>> I'm wondering if we can get away with "urlencode(json_encode(data) + '.' +
>> sig)" as the value. then, instead of str_replace for getting normal base64
>> logic to work, we would instead need a rsplit or something, since the dot is
>> not a reserved character in the json blob. Was that approach considered?
>>
>>
>> -Naitik
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

v2.40.4 | Report a Bug | By Email | System Status