On Mon, Oct 22, 2012 at 4:12 PM, Antoine Pitrou <solip...@pitrou.net> wrote: > On Mon, 22 Oct 2012 15:49:34 -0400 > Daniel Holth <dho...@gmail.com> wrote: >> On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou <solip...@pitrou.net> wrote: >> > On Mon, 22 Oct 2012 15:20:01 -0400 >> > Daniel Holth <dho...@gmail.com> wrote: >> >> >> >> The decoded contents are like the JSON documents at >> >> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions >> >> >> >> Signing is implemented at: >> >> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=default#cl-25 >> >> >> >> The SHA-256 hash of RECORD is what is signed together with JWS >> >> signature header. The JWS spec elaborates on the general format. >> > >> > Thank you. Could you fix the terminology in the PEP? You are using the >> > term "payload" in a different sense from the JWS draft. Specifically, >> > the PEP should mention that the "JWS Payload" is the binary >> > contents of the RECORD file. >> > >> > What you are calling payload is actually the "JWS Signature". >> > >> > Regards >> >> Which line is confusing? The payload is the hash of the contents of >> RECORD as a small JSON document: { "hash": >> "sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" } instead of >> including a base64-encoded copy of RECORD in the signature. > > Thanks for the explanation. Can you add it to the PEP? > > In your JWS header example: > > { > "alg": "Ed25519", > "typ": "JWT", > "key": { > "alg": "Ed25519", > "vk": "tmAYCrSfj8gtJ10v3VkvW7jOndKmQIYE12hgnFu3cvk" > } > } > > Why are you using "key" instead of "jwk" for the JSON Web Key?
bug. _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
