[jose] JWS Signing Input Options specification enabling non-base64-encoded payloads when safe to do so

Wed, 27 May 2015 17:07:56 -0700 

There's been interest being able to not base64url-encode the JWS Payload under 
some circumstances by a number of people.  I've occasionally thought about ways 
to accomplish this, and prompted again by discussions with Phillip 
Hallam-Baker, Martin Thomson, Jim Schaad, and others at IETF 92 in Dallas, 
recollections of conversations with Matt Miller and Richard Barnes on the 
topic, and with Anders Rundgren on the JOSE mailing list, I decided to write 
down a concrete proposal while there's still a JOSE working group to possibly 
consider taking it forward.  The abstract of the spec is:

JSON Web Signature (JWS) represents the payload of a JWS as a base64url encoded 
value and uses this value in the JWS Signature computation. While this enables 
arbitrary payloads to be integrity protected, some have described use cases in 
which the base64url encoding is unnecessary and/or an impediment to adoption, 
especially when the payload is large and/or detached. This specification 
defines a means of accommodating these use cases by defining an option to 
change the JWS Signing Input computation to not base64url-encode the payload.

Also, JWS includes a representation of the JWS Protected Header and a period 
('.') character in the JWS Signature computation. While this cryptographically 
binds the protected Header Parameters to the integrity protected payload, some 
of have described use cases in which this binding is unnecessary and/or an 
impediment to adoption, especially when the payload is large and/or detached. 
This specification defines a means of accommodating these use cases by defining 
an option to change the JWS Signing Input computation to not include a 
representation of the JWS Protected Header and a period ('.') character in the 
JWS Signing Input.

These options are intended to broaden the set of use cases for which the use of 
JWS is a good fit.

This specification is available at:

*         
https://tools.ietf.org/html/draft-jones-jose-jws-signing-input-options-00

An HTML formatted version is also available at:

*         
http://self-issued.info/docs/draft-jones-jose-jws-signing-input-options-00.html

                                                                -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1398 and as 
@selfissued.


_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose

Reply via email to