[Openid-specs-ab] Standardize on Magic Signature format for everything?

Nat Sakimura sakimura at gmail.com
Wed May 26 15:03:03 UTC 2010


Yesterday, I had a talk with John B. about how it might be better to use
the Magic Signature Envelope all the time, whether we sign or not.

Right now, our request and response, when not signed, look like this:

{
    "ns":"http://specs.openid.net/auth/2.0",
    "mode":"direct_checkid_setup",
    "redirect_url":"https://example.com/rp/endpoint_url",
    "ns.ax":"http://openid.net/srv/ax/1.0",
    "ax.mode":"fetch_request",
    "ax.type.fname":"http://example.com/schema/fullname",
    "ax.type.gender":"http://example.com/schema/gender",
    "ax.required":"fname,gender",
    "ax.update_url":"http://idconsumer.com/update?transaction_id=a6b5c4"
}

If we encapsulate it in a Magic Envelope, it will look like this:

{
  "data_type":"application/json",
  "encoding":"base64url",
  "alg":"NONE",
  "data":"base64url_encoded data",
  "plain":
    {
    "ns":"http://specs.openid.net/auth/2.0",
    "mode":"direct_checkid_setup",
    "redirect_url":"https://example.com/rp/endpoint_url",
    "ns.ax":"http://openid.net/srv/ax/1.0",
    "ax.mode":"fetch_request",
    "ax.type.fname":"http://example.com/schema/fullname",
    "ax.type.gender":"http://example.com/schema/gender",
    "ax.required":"fname,gender",
    "ax.update_url":"http://idconsumer.com/update?transaction_id=a6b5c4"
    },
  "sigs": [
    {
    "value": "",
    "keyhash": ""
    }
  ]
}

While this certainly is a possibility and gives us a more consistent and
uniform request/response format, I think it is too busy for the no-sign
case. Also, it will be less compatible with "Connect" etc.
What do you guys think?

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
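
Added example (not part of the original message or of any OpenID draft): Python code that builds the unsigned envelope with the field layout shown in the message and opens it on the receiving side. The function names and the receiver policy (refusing "alg":"NONE" where a signature is required, rejecting a "plain" that differs from the decoded "data", failing closed on any other alg) are assumptions made for illustration.

```python
import base64
import json

# Constructed sample: a shortened form of the unsigned request in the message.
REQUEST = {
    "ns": "http://specs.openid.net/auth/2.0",
    "mode": "direct_checkid_setup",
    "redirect_url": "https://example.com/rp/endpoint_url",
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore padding in case the sender stripped it.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def wrap_unsigned(request: dict) -> dict:
    """Build the no-signature envelope using the fields shown in the message."""
    return {
        "data_type": "application/json",
        "encoding": "base64url",
        "alg": "NONE",
        "data": b64url(json.dumps(request).encode("utf-8")),
        "plain": request,
        "sigs": [{"value": "", "keyhash": ""}],
    }

def open_envelope(env: dict, require_signature: bool) -> dict:
    """Return the payload. Hypothetical receiver policy, not from any spec."""
    if env.get("data_type") != "application/json" or env.get("encoding") != "base64url":
        raise ValueError("unsupported envelope")
    if env.get("alg") != "NONE":
        # Fail closed: signature verification is outside this example.
        raise NotImplementedError("signed envelopes are not handled here")
    if require_signature:
        # An envelope with alg NONE proves nothing about who sent it.
        raise PermissionError("unsigned envelope where a signature is required")
    payload = json.loads(b64url_decode(env["data"]))
    # "data" and "plain" carry the same payload twice; reject if they disagree.
    if "plain" in env and env["plain"] != payload:
        raise ValueError("plain does not match data")
    return payload
```
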

