Hi Mike
The JWS JSON example at
https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-01#section-4.2
shows elements in the wrong order, according to
https://tools.ietf.org/html/rfc7515#section-7.2.2
the 'payload' should go first...
thanks, Sergey
On 10/08/15 21:01, Sergey Beryozkin wrote:
Hi Mike
Thanks for the clarification, indeed it all makes sense now (I would
like to think a bit more about JWT as JWS JSON, will send a separate
email if anything relevant comes to mind).
Cheers, Sergey
On 10/08/15 16:40, Mike Jones wrote:
Hi Sergey,
Actually, the JWT restriction to only using the compact serialization
is already in the JWT spec itself. The last sentence of the first
paragraph of the introduction at
http://tools.ietf.org/html/rfc7519#section-1 says "JWTs are always
represented using the JWS Compact Serialization or the JWE Compact
Serialization". The new text in the JWS Unsigned Payload Option spec
just adds the restriction that JWTs are to continue to use RFC7515 as
written - base64url encoding the JWT claims as they always have been -
for interop purposes.
That doesn't mean that other applications can't use JWS to sign
detached unencoded JSON payloads with the "b64":false option using
either JWS serialization.
Does that address what you were thinking about or do you still have
concerns?
-- Mike
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Monday, August 10, 2015 2:39 AM
To: Mike Jones; [email protected]
Subject: Re: [jose] JWS Signing Input Options initial working group draft
Hi, thanks for adding the JWS JSON (flattened serialization) example,
I thought the earlier text was also clear about having to use the
detached payloads in case of JWS Compact.
Re the new JWT restriction.
I know JWT is meant to be used primarily in OAuth2 contexts as a token
or grant (or as one of the token or grant properties) representation and
hence it is JWS Compact.
But I wonder, should this particular text effectively block the
possible future use of JWT in (JWS JSON) message payloads...
Cheers, Sergey
On 10/08/15 05:21, Mike Jones wrote:
You can't use an unencoded non-detached JSON payload using the JWS
Compact Serialization because it uses characters that aren't
URL-safe, such as "{". For that reason, the spec now makes it clear
that JWTs cannot use the "b64":false option.
You *can* use JSON payloads with the JWS JSON Serialization. Any
double-quote characters in the JSON would have to be quoted -
typically using \" - so that the double-quotes don't terminate the
"payload" value. See the new section
https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-01#section-5
for more on character restrictions in unencoded payloads.
-- Mike
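To make the two points in this thread concrete (an unencoded JSON payload in the flattened JWS JSON Serialization with "b64":false, its double quotes escaped as \", and the "payload" member placed first as in RFC 7515 section 7.2.2), here is an added example that is not from the draft or from anyone on the thread. It assumes HS256 with a constructed key and constructed claims, and that "b64" is listed in "crit" as the draft requires:

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key and claims; neither comes from the thread.
KEY = b"constructed-demo-key-for-hmac-sha256"
CLAIMS = '{"iss":"joe","exp":1300819380}'

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7515 section 2 defines it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def flattened_jws(payload: str, key: bytes, b64: bool = True) -> str:
    """Build a flattened JWS JSON Serialization object signed with HS256."""
    header = {"alg": "HS256"}
    if not b64:
        # The draft requires "b64" to be listed in "crit" so that verifiers
        # that do not understand it reject the JWS instead of misreading it.
        header["b64"] = False
        header["crit"] = ["b64"]
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    # "b64":false puts the payload into the signing input unencoded; otherwise
    # it is base64url-encoded first, exactly as RFC 7515 has always done.
    payload_member = payload if not b64 else b64url(payload.encode("utf-8"))
    signing_input = (protected + "." + payload_member).encode("utf-8")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Member order follows RFC 7515 section 7.2.2: payload first. json.dumps
    # escapes the inner double quotes of an unencoded JSON payload as \".
    obj = {"payload": payload_member, "protected": protected, "signature": b64url(signature)}
    return json.dumps(obj, separators=(",", ":"))

def verify_flattened(jws_json: str, key: bytes) -> bool:
    """Verify an HS256 flattened JWS, honouring "b64" only when it is critical."""
    obj = json.loads(jws_json)
    header = json.loads(b64url_decode(obj["protected"]))
    if header.get("alg") != "HS256":
        return False
    if "b64" in header and "b64" not in header.get("crit", []):
        return False
    # In both modes the signing input is the protected header, a '.', and the
    # payload member exactly as it appears in the JSON object.
    signing_input = (obj["protected"] + "." + obj["payload"]).encode("utf-8")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(obj["signature"]))
```

Running `flattened_jws(CLAIMS, KEY, b64=False)` shows the raw claims inside the "payload" member with escaped quotes, whereas the default call yields the familiar base64url payload.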
-----Original Message-----
From: jose [mailto:[email protected]] On Behalf Of Sergey Beryozkin
Sent: Saturday, July 25, 2015 3:01 AM
To: [email protected]
Subject: Re: [jose] JWS Signing Input Options initial working group draft
Hi, can you please add an example showing a b64 header affecting a JWS
JSON payload? I can imagine what it will look like, but it is good to
see an example that can be tested locally...
Cheers, Sergey
On 23/07/15 19:17, Mike Jones wrote:
The initial working group version of JWS Signing Input Options has
been posted. It contains no normative changes from
draft-jones-jose-jws-signing-input-options-00
<https://self-issued.info/?p=1398>.
Let the working group discussions begin! I particularly call your
attention to Martin Thomson's review at
http://www.ietf.org/mail-archive/web/jose/current/msg05158.html,
Nat Sakimura's review at
http://www.ietf.org/mail-archive/web/jose/current/msg05189.html,
and Matias Woloski's review at
http://www.ietf.org/mail-archive/web/jose/current/msg05191.html
to start things off.
The specification is available at:
https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-00
An HTML formatted version is also available at:
http://self-issued.info/docs/draft-ietf-jose-jws-signing-input-options-00.html
-- Mike
P.S. This note is also posted at http://self-issued.info/?p=1432
and as @selfissued <https://twitter.com/selfissued>.
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/