<html><body bgcolor="#FFFFFF"><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "><span>John and Mike, </span></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.226562); -webkit-composition-frame-color: rgba(77, 128, 180, 0.226562);"><br></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">(Added specs-ab in the distribution)<br><br><span>To allow multiple signatures, we made both signature parameters </span><span>(envelope parameters) and signatures arrays. So, jwt-env needs </span><span>to be an array also, I suppose.</span><br><br><span>We have added types based on the feedback from a few developers that </span><span>they want to switch the routines based on them. It is not only for JSS </span><span>and JSE but consistent throughout Artifact Binding. We are actually </span><span>typing the JSON object explicitly so that we can validate as well. </span><span>Including it inside env breaks this pattern. This is one of the </span><span>drawbacks of including it within the env. 
</span></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.226562); -webkit-composition-frame-color: rgba(77, 128, 180, 0.226562);"><br></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">We did not add types in the JWT serialization because we assumed that t<span class="Apple-style-span" style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.289062); -webkit-composition-fill-color: rgba(175, 192, 227, 0.222656); -webkit-composition-frame-color: rgba(77, 128, 180, 0.222656); ">he main use cases are in the HTTP headers, and HTTP headers have a standard mechanism to indicate them. When JSON is stored in a file system, we do not have such a mechanism. Thus, we have added these in the JSON serialization. </span></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "><br><span>The other drawback is that in case of multiple signatures, it will be </span><span>verbose. We have only one data element, so we do not need to repeat the types </span><span>in each element of the env array. 
</span></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.226562); -webkit-composition-frame-color: rgba(77, 128, 180, 0.226562);"><br></span></div><div><span class="Apple-style-span" style="font-size: medium; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">Considering all these, I feel that having types outside the jwt-env is a better design. </span><br><br>=nat via iPad</div><div><br>On 2010/10/27, at 8:05, John Bradley &lt;<a href="mailto:jbradley@mac.com">jbradley@mac.com</a>&gt; wrote:<br><br></div><div></div><blockquote type="cite"><div>This is an example JSON-serialized token<div><br></div><div><span class="Apple-style-span" style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; "><pre style="font-family: 'Courier New', Courier, monospace; font-size: small; text-align: left; padding-top: 4px; padding-right: 4px; padding-bottom: 4px; padding-left: 4px; color: rgb(0, 0, 0); background-color: rgb(204, 204, 204); position: static; z-index: auto; ">{
"type": "<a href="http://openid.net/specs/ab/1.0#jss">http://openid.net/specs/ab/1.0#jss</a>",
"data_type": "application/json",
"data": "eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2FkIn0",
"sig_params": [
{
"key_id": "<a href="http://example.com">example.com</a>",
"algorithm": "HMAC-SHA256"
}
],
"sigs": [
"cfXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso"
]
}</pre></span><div><br></div></div><div>The main difference is that we have two types, one for the signed object and a separate one for the container.</div><div><br></div><div>If we allow things other than JWT claims envelopes to be signed then you wind up overloading the single type element.</div><div><br></div><div>We have a single payload, the data element that is the base64 encoded string of the JSON object. </div><div>You were more specific about converting it to UTF8 first. Good idea. </div><div><br></div><div>I have the sig parameters nested because that is cleaner for dealing with multiple signatures. </div><div><br></div><div>The JSON serialization is very close to the base64 one.</div><div><br></div><div>I suppose we could do something like:</div><div><br></div><div><span class="Apple-style-span" style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; "><pre style="font-family: 'Courier New', Courier, monospace; font-size: small; text-align: left; padding-top: 4px; padding-right: 4px; padding-bottom: 4px; padding-left: 4px; color: rgb(0, 0, 0); background-color: rgb(204, 204, 204); position: static; z-index: auto; ">{
 "jwt-env": "eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2F",
 "jwt-data": "eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2F",
 "jwt-sigs": [ "eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2F" ]
}</pre></span></div><div><br></div><div>It is harder to read and to edit the envelope info for adding a sig but is consistent with the other serialization.</div><div><br></div><div>John B.</div><div><br></div></div></blockquote></body></html>
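As an added example, not code from this thread or from the Artifact Binding spec, here is a Python sketch of the JSON serialization John shows above: one base64url-encoded data element plus parallel sig_params and sigs arrays, so that a single token can carry several HMAC-SHA256 signatures. The verifier treats the algorithm field in sig_params as untrusted input and returns the payload only when every signature checks out; key ids and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

JSS_TYPE = "http://openid.net/specs/ab/1.0#jss"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(payload: dict, signers: list) -> dict:
    """signers: list of (key_id, secret) pairs (constructed for the example).
    Each signer adds one entry to sig_params and one to sigs; the data
    element is shared, so it is never repeated per signature."""
    data = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    token = {"type": JSS_TYPE, "data_type": "application/json", "data": data,
             "sig_params": [], "sigs": []}
    for key_id, secret in signers:
        # The HMAC covers the base64url string exactly as it appears in the token.
        mac = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
        token["sig_params"].append({"key_id": key_id, "algorithm": "HMAC-SHA256"})
        token["sigs"].append(b64url_encode(mac))
    return token

def verify_token(token: dict, keys: dict) -> Optional[dict]:
    """keys: key_id -> secret. Returns the decoded payload only if every
    signature verifies; an unknown key, an unexpected algorithm, a length
    mismatch between the arrays or a bad MAC rejects the whole token."""
    params, sigs = token.get("sig_params", []), token.get("sigs", [])
    if token.get("type") != JSS_TYPE or not sigs or len(params) != len(sigs):
        return None
    data = token.get("data", "")
    for p, sig in zip(params, sigs):
        # Algorithm is pinned by the verifier, not chosen by whoever wrote sig_params.
        if p.get("algorithm") != "HMAC-SHA256" or p.get("key_id") not in keys:
            return None
        expected = hmac.new(keys[p["key_id"]], data.encode("ascii"), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None
        except ValueError:  # malformed base64url in sigs
            return None
    return json.loads(b64url_decode(data).decode("utf-8"))
```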