[Openid-specs-ab] Magic Signature or JSON Token Signature?

[nara hideki]

I've found the "JSON Tokens" at http://bit.ly/json_tokens .
(I noted at http://post.ly/oFGt with some Japanese translations )

It's not bad idea.  Both of them would work.
JSON Tokens can slightly save some decoding costs when used in URL.

If JSON Token will be used, JSON Encryption Envelope would  alo be
reformed into JSON Encrypted Tokens or something like that
in same manner using "." separater.
---
hdknr

2010/7/22 nara hideki <hdknr at ic-tact.co.jp>:
> I've not found the exact definition of "JSON Token Signature" yet and
> not analyzed pros and cons of that.
> Anyway, Magic Signatures seems to be easier to understand for me.
>
>
> 2010/7/21 Nat Sakimura <sakimura at gmail.com>:
>> In OAuth 2.0, IETF is starting to define JSON Token Signature.
>> It is very similar to Magic Signatures, but a bit different.
>> In Magic Signatures, the Signature itself is inside the JSON
>> structure. Simply put, it will look like
>>
>> {
>>   "data":"base64url encoded data without padding",
>>   "alg":"RSA-SHA256",
>>   "sigs": [
>>        {    "value":"signature value",
>>             "sighash":"key_and_exponent"
>>        }
>>     ]
>> }
>>
>> In JSON Token Signature, the signature is outside. Envelope parameters
>> like "alg" and other unencoded data is put into JSON and base64url
>> encoded.
>> Then, signature is taken and the two are concatenated with ".".
>>
>> So, it looks like:
>>
>> base64_url_encoded_data_with_envelope_parameters.signature_value
>>
>> As of draft12, AB uses Magic Signature, but looking at what goes on at
>> OAuth2.0, I am debating if we should use JSON Token Signature instead.
>>
>> Which do you prefer?
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>