+1

I would argue that there should be no MTI serialization. Clearly JWT implementations will want to be compact-only, and I have no doubt that there will be apps that are JSON-only (or CBOR-only, etc.). There's no need for interop at this level (as with algorithms), since applications already need to specify which one(s) they require.

There is CMS precedent for this. The ASN.1 structures defined by RFC 5652 can be encoded using a variety of encoding rules -- DER, BER, XER, etc. (Everyone uses DER, but in principle, you could use another.) Some signed things have to be DER encoded before signing/verification, but there's no requirement for the whole object to have a given serialization. Likewise in JOSE, some things have to be base64-encoded for processing, but the overall object can be either compact or JSON.

--Richard

On Thu, Sep 12, 2013 at 4:22 PM, Jim Schaad <[email protected]> wrote:

> This also covers issue #176 for encryption
>
> The current document says that the serialization that must be implemented is the compact serialization. I don’t think that this is going to be a position that passes the smell test with the IESG. There was a large amount of push back from various members of the IESG the last time that we went through the re-chartering process about what it means to be a JSON based specification. I think that if we don’t have a JSON serialization as part of the MTI features, then we are going to get clobbered by the people who were not in love with the last set of charter text.
>
> I would note that this requirement does not change the ability of an application, for example JWT, to mandate that either the compact or JSON serialization is what is required for that application. This is basically a requirement that specific abilities be available from library implementations of the JOSE specifications.
>
> A minimum level that I would consider to be even passable would be to make the statement that the set of features to support the syntactic conversion between the compact and JOSE serialization needs to be supported. This allows for simplistic conversions that work.
>
> A minimum level of support that I would consider to be reasonable, is to say that JOSE needs to support single signer and/or single recipient cases and would also support all of the unprotected header things that are not supported by the compact serialization case.
>
> I worry that we are making the mandatory serialization be that which is supported by JWT and not that which will be required by future applications which are not JWT and want to use JSON rather than the compact serialization that is used by JWT. The library that I put together focused on the JSON serializations as the core implementation, and it will only produce the compact serializations if specific conditions are met.
>
> Jim
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
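The syntactic conversion between the two JWS serializations discussed in this thread, as an added example that is not part of either message or of any JOSE library. It uses the JSON member names from RFC 7515 (`payload`, `signatures`, `protected`, `header`, `signature`); the key, the sample token and the HS256-only verifier are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def compact_to_json(compact: str) -> dict:
    """Compact JWS -> general JSON form, copying the base64url strings verbatim."""
    parts = compact.split(".")
    if len(parts) != 3 or not parts[0]:
        raise ValueError("expected protected.payload.signature")
    protected, payload, signature = parts
    return {"payload": payload,
            "signatures": [{"protected": protected, "signature": signature}]}

def json_to_compact(jws: dict) -> str:
    """JSON form -> compact, only when the object fits what compact can carry."""
    sigs = jws.get("signatures") or []
    if len(sigs) != 1:
        raise ValueError("compact form carries exactly one signature")
    sig = sigs[0]
    if sig.get("header"):
        raise ValueError("unprotected header has no place in compact form")
    if not sig.get("protected"):
        raise ValueError("compact form requires a protected header")
    # No re-encoding: the signature covers these exact ASCII strings.
    return ".".join((sig["protected"], jws["payload"], sig["signature"]))

def verify_hs256(jws: dict, key: bytes) -> bool:
    """Check a single signature, assumed to be HS256, over protected + '.' + payload."""
    sig = jws["signatures"][0]
    signing_input = (sig["protected"] + "." + jws["payload"]).encode("ascii")
    expected = b64u(hmac.new(key, signing_input, hashlib.sha256).digest())
    return hmac.compare_digest(expected, sig["signature"])

# Constructed sample: key, header and payload are made up for this example.
KEY = b"constructed-demo-key"
_protected = b64u(json.dumps({"alg": "HS256"}).encode())
_payload = b64u(b'{"msg":"hello"}')
_sig = b64u(hmac.new(KEY, f"{_protected}.{_payload}".encode(), hashlib.sha256).digest())
SAMPLE_COMPACT = f"{_protected}.{_payload}.{_sig}"

if __name__ == "__main__":
    as_json = compact_to_json(SAMPLE_COMPACT)
    print(json.dumps(as_json, indent=2))
    print(verify_hs256(as_json, KEY), json_to_compact(as_json) == SAMPLE_COMPACT)
```

Because both directions only move the already-encoded strings between containers, the signing input is unchanged and the signature verifies in either form.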
