On 2013-09-02 15:18, Richard Barnes wrote:
> Why would "/" be escaped?

Well, the example shows a JSON object and then it would be logical to escape / since this is a part of the JSON "standard".

However, when looking further I note that JOSE requires some kind of non-standard/additional JSON normalizing before applying base64url:
http://tools.ietf.org/id/draft-ietf-jose-json-web-signature-14.html#rfc.section.5.3

Anders

>
> On Monday, September 2, 2013, Anders Rundgren wrote:
>
> Spurred by James Manger's intelligent observations regarding JCS, I began
> to do some research on the state of \/ in JSON these days.
>
> From an extract of
> http://tools.ietf.org/id/draft-ietf-oauth-json-web-token-11.html
>
> The following is an example of a JWT Claims Set:
>
> {"iss":"joe",
>  "exp":1300819380,
>  "http://example.com/is_root":true}
>
> Base64url encoding the bytes of the UTF-8 representation of the JSON
> Claims Set
> yields this Encoded JWS Payload, which is used as the JWT Second Part
> (with line breaks for display purposes only):
>
> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
> cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
>
> AFAICT the serialized output doesn't perform the expected (?) escaping of
> /.
>
> Although I think this is just fine, I'm still puzzled by the lack of
> stringency that seems to be plaguing the JSON world.
>
> In JCS I made it simple by claiming that \/ is not only unnecessary; it
> is actually forbidden!
>
> The JOSE WG probably need to specify which particular "camp" you belong
> to since a "standard" JSON serializer presumably wouldn't be compliant with
> your sample code.
>
> Cheers
> Anders
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>
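Added example, not part of the original thread and not code from the JOSE drafts: it decodes the Encoded JWS Payload quoted above, re-serializes the same claims with "/" written as "\/", and shows that the claims stay equal while the base64url text and an HMAC over the JWS signing input both change. The HMAC key, the header and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

# Encoded JWS Payload exactly as quoted in the thread (JWT draft-11 example).
PAYLOAD_B64 = ("eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt"
               "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ")
KEY = b"constructed-demo-key"   # assumption: demo HMAC key, not from the thread
HEADER = b'{"alg":"HS256"}'     # assumption: constructed JWS header

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def escape_solidus(json_bytes: bytes) -> bytes:
    # Mimic a serializer that writes "/" as "\/". "/" is only legal inside
    # JSON strings, so a byte replace is a valid re-serialization as long as
    # the input holds no backslash escapes already.
    if b"\\" in json_bytes:
        raise ValueError("input already contains escapes")
    return json_bytes.replace(b"/", b"\\/")

def hs256(header_b64: str, payload_b64: str) -> bytes:
    # HMAC-SHA256 over the JWS signing input: header "." payload (base64url).
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return hmac.new(KEY, signing_input, hashlib.sha256).digest()

def compare_serializations() -> dict:
    original = b64url_decode(PAYLOAD_B64)
    escaped = escape_solidus(original)
    header_b64 = b64url_encode(HEADER)
    tag = hs256(header_b64, PAYLOAD_B64)
    return {
        "original": original,
        "escaped": escaped,
        "same_claims": json.loads(original) == json.loads(escaped),
        "same_payload_b64": b64url_encode(escaped) == PAYLOAD_B64,
        # Verifier that checks the tag over the bytes it received: accepts.
        "verify_received": hmac.compare_digest(tag, hs256(header_b64, PAYLOAD_B64)),
        # Verifier that parses and re-serializes before checking: rejects.
        "verify_reserialized": hmac.compare_digest(
            tag, hs256(header_b64, b64url_encode(escaped))),
    }

if __name__ == "__main__":
    for name, value in compare_serializations().items():
        print(f"{name}: {value!r}")
```

The decoded payload also keeps the CRLF line breaks and leading spaces of the draft's example, so whitespace is a second serialization choice that the signature covers in the same way.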
