On 2015-05-28 02:06, Mike Jones wrote:
There’s been interest being able to not base64url-encode the
> JWS Payload under some circumstances by a number of people.
> I’ve occasionally thought about ways to accomplish this, and
> prompted again by discussions with Phillip Hallam-Baker, Martin Thomson,
> Jim Schaad, and others at IETF 92 in Dallas, recollections of conversations
> with Matt Miller and Richard Barnes on the topic, and with Anders Rundgren
> on the JOSE mailing list, I decided to write down a concrete proposal while
> there’s still a JOSE working group to possibly consider taking it forward.
Hi Mike,
It is good to see this going forward!
The current proposals seem to either depend on an external signature
parser/generator
or as in my proposal [1], a slightly enhanced JSON serializer/deserializer.
I never bothered about saving bytes; JCS is really only about adding an optional
"Signature" attribute to an existing JSON object which is kind of nice for
processing and documentation. Although JCS's "predictable serialization" is not
a part of JSON, it is anyway requested by many JSON practitioners.
A guess the problem for JOSE is probably not creating a standard, but getting it
generally adopted since the proposals appear to target quite different
use-cases.
Cheers,
Anders
1] https://cyberphone.github.io/openkeystore/resources/docs/jcs.html
The abstract of the spec is:
JSON Web Signature (JWS) represents the payload of a JWS as a base64url encoded
value and uses this value in the JWS Signature computation. While this enables
arbitrary payloads to be integrity protected, some have described use cases in
which the base64url encoding is unnecessary and/or an impediment to adoption,
especially when the payload is large and/or detached. This specification
defines a means of accommodating these use cases by defining an option to
change the JWS Signing Input computation to not base64url-encode the payload.
Also, JWS includes a representation of the JWS Protected Header and a period
('.') character in the JWS Signature computation. While this cryptographically
binds the protected Header Parameters to the integrity protected payload, some
of have described use cases in which this binding is unnecessary and/or an
impediment to adoption, especially when the payload is large and/or detached.
This specification defines a means of accommodating these use cases by defining
an option to change the JWS Signing Input computation to not include a
representation of the JWS Protected Header and a period ('.') character in the
JWS Signing Input.
These options are intended to broaden the set of use cases for which the use of
JWS is a good fit.
This specification is available at:
·https://tools.ietf.org/html/draft-jones-jose-jws-signing-input-options-00
An HTML formatted version is also available at:
·http://self-issued.info/docs/draft-jones-jose-jws-signing-input-options-00.html
-- Mike
P.S. This note was also posted at http://self-issued.info/?p=1398 and as
@selfissued.
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
