Re: [woes] Proposed charter, post-Quebec edition

[Phillip Hallam-Baker <hallam@gmail.com>]

On Thu, Aug 4, 2011 at 8:52 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> In the JWS/JWE drafts the goal was to provide JSON envelopes for base64url
> encoded blobs.
>
> In most cased we intend for those to be JSON, but nothing prevents this
> from being used with XML similar to the failed SAML simple sign.
>
> With JSON payloads we really wanted to avoid touching the payload.
>  Inserting elements, canonicalization  and other things that touch the
> payload are highly problematic.
>

I really want to avoid C18N as well. The problem is how to do it.

If the data object is small it is no big deal base64 encoding it and storing
it as an attribute.

But if the data object is larger (XML document, image, etc.) then some form
of indirection is going to be necessary. For example take the digest of the
data and sign that or if multiple objects are involved some sort of manifest
scheme.


I really don't want to have to BASE64 a multimedia stream. So I think I am
going to need some MIME like packaging scheme that allows us to send a JSON
structure with attachments. I think that is going to be a very common
requirement for others as well and I would like that to be a part of the
standards toolkit rather than have to re-invent it for each protocol.


Another very common corner case that is related is how to take a standard
data object such as a JPEG, sign it and then attach the signature inside the
data object.

The blunder committed in XML Signature was to use XPath for that which
introduced a mechanism for arbitrary transformations - yuk!

I really don't want to specify the precise means of embedding signatures in
various media types but I certainly need an approach that makes it possible
to use the spec as a basis for doing that.


-- 
Website: http://hallambaker.com/