Order is already required and this would be maintained.  Your point 2 is I 
think what Vladimir had in mind as well.

                                -- Mike

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Richard Barnes
Sent: Thursday, September 20, 2012 6:32 PM
To: Matt Miller
Cc: <[email protected]>; Vladimir Dzhuvinov / NimbusDS
Subject: Re: [jose] Use JSON array for JWS/JWE x5c parameter?

+1

Two quick comments:

1. As long as we're using an ordered type, it might be nice to require that the 
chain be in order, as in TLS.

2. Since PEM is just base64-encoded DER, we should just specify that each 
element in the array is base64url-encoded DER (assuming that that's the base64 
variant we're using).  



On Sep 20, 2012, at 3:30 PM, Matt Miller (mamille2) wrote:

> That works for me.
> 
> 
> - m&m
> 
> Matt Miller - <[email protected]>
> Cisco Systems, Inc.
> 
> On Sep 20, 2012, at 09:54, Vladimir Dzhuvinov / NimbusDS wrote:
> 
>> Hi guys,
>> 
>> If I understand correctly, the JWS and JWE specs say that the "x5c"
>> parameter is a JSON string:
>> 
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-05#section-4.1.6
>> 
>> The example:
>> 
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-05#appendix-B
>> 
>> 
>> Wouldn't it be more sensible to use a JSON array to represent the chain of
>> X.509 certs? Instead of a string of concatenated B64 data with
>> "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
>> delimiters?
>> 
>> 
>> My case for using a JSON array:
>> 
>> 1. A single parse of the header will do the chain as well - saves an 
>> extra non-JSON parse operation to split the x5c into chunks.
>> 
>> 2. Saves space.
>> 
>> 3. Makes better use of the existing JSON header structure.
>> 
>> 
>> I suppose the current format was influenced by how X.509 chains are 
>> typically exported by programs for file transfer/storage. However, in 
>> the case of JWS/JWE, the x5c parameter will be created 
>> programmatically and there a JSON array fits better.
>> 
>> What do you guys think?
>> 
>> Cheers,
>> 
>> Vladimir
>> 
>> --
>> Vladimir Dzhuvinov : www.NimbusDS.com : [email protected] 
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
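
The two "x5c" layouts discussed in this thread, as an added example that is not part of the original messages: a reader that accepts both the draft-05 string of PEM blocks and the proposed JSON array, preserves the order given in the header, and rejects elements that are not a single DER SEQUENCE. The function names are hypothetical, the two "certificates" are constructed placeholder DER blobs rather than real X.509 data, and both base64 variants are accepted because the thread leaves the choice open; chain order is preserved but issuer links are not verified.

```python
import base64, json, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def b64_any(text):
    """Decode standard or URL-safe base64, padded or not (the thread leaves the variant open)."""
    s = "".join(text.split()).replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)

def check_der_sequence(der):
    """Structural check only: exactly one DER SEQUENCE filling the element."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("x5c element is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        hdr, body = 2, der[1]
    else:                                   # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + body != len(der):
        raise ValueError("x5c element is truncated or has trailing bytes")
    return der

def chain_from_header(header_json):
    """Return the chain as a list of DER blobs, in the order given in the header."""
    x5c = json.loads(header_json)["x5c"]
    if isinstance(x5c, str):                # draft-05 form: concatenated PEM blocks
        parts = PEM_RE.findall(x5c)         # the extra non-JSON parse step
    elif isinstance(x5c, list) and all(isinstance(e, str) for e in x5c):
        parts = x5c                         # proposed form: one element per certificate
    else:
        raise ValueError("x5c must be a string or an array of strings")
    if not parts:
        raise ValueError("x5c carries no certificates")
    return [check_der_sequence(b64_any(p)) for p in parts]

# Constructed placeholders: minimal DER SEQUENCEs, NOT real certificates.
LEAF, CA = bytes.fromhex("3003020101"), bytes.fromhex("3003020102")

def to_b64(der):
    return base64.b64encode(der).decode()

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + to_b64(der) + "\n-----END CERTIFICATE-----\n"

STRING_HEADER = json.dumps({"alg": "RS256", "x5c": to_pem(LEAF) + to_pem(CA)})
ARRAY_HEADER = json.dumps({"alg": "RS256", "x5c": [to_b64(LEAF), to_b64(CA)]})
```

Both headers decode to the same ordered list of DER blobs; the array form needs no delimiter scan and serializes shorter.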