On 2010-07-15, at 6:45 PM, Naitik Shah wrote:

> On Thu, Jul 15, 2010 at 5:43 PM, Dirk Balfanz <balf...@google.com> wrote:
> 
> One question: What's the deal with having the signature go first? If you can 
> explain to me why that is a good idea, I'm happy to oblige.
> 
> 
> When we were talking about base64url or not, putting the signature before the 
> dot meant it was okay for a dot to show up in the payload in an unencoded 
> fashion, which was coupled with the fact that lsplit or split with a limit 
> are more common in standard libraries based on some rough exploration. But 
> that's not relevant anymore.
> 
> Is there a downside to having the signature first? I like it better because 
> the signature length is predictable, meaning the first X chars will be the 
> sig, and then the X+1 char will be the dot. I like the consistency it 
> provides :)

If we put the envelope first, then we know what to do with the token. 
Signatures don't exist in an encrypted token. Think of the envelope like HTTP 
headers. They make sense to go first. After the envelope, I don't have a 
preference between signature and payload or payload and signature.

btw: signature length is not predictable -- it is dependent on the algorithm. 
*when* a different hash algorithm is used the length will likely change. The 
only way to know this is to look at algorithm first.

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
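
The point about signature length and envelope-first ordering, as an added example that is not part of the original thread or of any OAuth draft. The `envelope.payload.signature` layout, the `alg` field, and the algorithm names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumed allow-list: the envelope is untrusted input until the signature checks out,
# so the algorithm it names is only honoured if it appears here.
ALGORITHMS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def b64u(data: bytes) -> str:
    """base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unb64u(text: str) -> bytes:
    """Inverse of b64u; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, alg: str, payload: bytes) -> str:
    """Build envelope.payload.signature; the MAC covers envelope and payload."""
    envelope = b64u(json.dumps({"alg": alg}).encode())
    body = b64u(payload)
    mac = hmac.new(key, f"{envelope}.{body}".encode("ascii"), ALGORITHMS[alg])
    return f"{envelope}.{body}.{b64u(mac.digest())}"

def signature_length(token: str) -> int:
    """Encoded signature length; varies with the hash, so no fixed offset works."""
    return len(token.rsplit(".", 1)[1])

def verify(key: bytes, token: str) -> bytes:
    """Read the envelope first, then check the signature it tells us to expect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    envelope, body, sig = parts
    try:
        digest = ALGORITHMS[json.loads(unb64u(envelope))["alg"]]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("unsupported or unreadable envelope") from exc
    expected = hmac.new(key, f"{envelope}.{body}".encode("ascii"), digest).digest()
    if not hmac.compare_digest(expected, unb64u(sig)):
        raise ValueError("bad signature")
    return unb64u(body)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    for alg in ALGORITHMS:
        token = sign(key, alg, b'{"user":"alice"}')
        print(alg, signature_length(token), verify(key, token))
```

With these two algorithms the encoded signature is 27 or 43 characters long, so a parser that slices a fixed prefix breaks as soon as the hash changes, while one that reads the envelope first does not.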
