[Openid-specs-ab] Magic Signature or JSON Token Signature?
nara hideki
hdknr at ic-tact.co.jp
Thu Jul 22 05:34:25 UTC 2010
I've not found the exact definition of "JSON Token Signature" yet and
not analyzed pros and cons of that.
Anyway, Magic Signatures seems to be easier to understand for me.
2010/7/21 Nat Sakimura <sakimura at gmail.com>:
> In OAuth 2.0, IETF is starting to define JSON Token Signature.
> It is very similar to Magic Signatures, but a bit different.
> In Magic Signatures, the Signature itself is inside the JSON
> structure. Simply put, it will look like
>
> {
> "data":"base64url encoded data without padding",
> "alg":"RSA-SHA256",
> "sigs": [
> { "value":"signature value",
> "sighash":"key_and_exponent"
> }
> ]
> }
>
> In JSON Token Signature, the signature is outside. Envelope parameters
> like "alg" and other unencoded data is put into JSON and base64url
> encoded.
> Then, signature is taken and the two are concatenated with ".".
>
> So, it looks like:
>
> base64_url_encoded_data_with_envelope_parameters.signature_value
>
> As of draft12, AB uses Magic Signature, but looking at what goes on at
> OAuth2.0, I am debating if we should use JSON Token Signature instead.
>
> Which do you prefer?
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
More information about the Openid-specs-ab
mailing list