Technical Summary
JSON Web Signature (JWS) [RFC 7515] represents the payload as a
base64url encoded value and uses this value in the Signature
computation. While this enables arbitrary payloads to be integrity
protected, some have described use cases in which the base64url
encoding is unnecessary and/or an impediment to adoption, especially
when the payload is large and/or detached. This specification defines
an alternate signature computation method that avoids the
requirement to base64url-encode the payload.
Working Group Summary
This document defines an alternate method to form the octet string that
signatures are computed over for a JWS object. This was the main focus
of the discussions as it means that there are now potentially two different
messages, one with and one without base64 encoding, that will have the
same signature value. The group believes that this has been adequately
addressed in the current document.
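The ambiguity described above, shown as an added example (not code from the document or its authors): the same signing input and signature can be read as two different payloads unless the verifier knows which computation method was used. The header parameter names are assumptions not found in this write-up (`b64` from the published specification, RFC 7797, and `crit` from RFC 7515), and the key, the payload and the rule that an unencoded payload must be marked critical are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed sample key, not from the page
SUPPORTED_CRIT = {"b64"}        # extensions this verifier understands

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64url_decode(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def sign(header: dict, payload: bytes, key: bytes = KEY):
    """Return (protected, payload_part, signature) for an HS256 JWS."""
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # Alternate method: the payload enters the signing input unencoded.
    part = payload if header.get("b64", True) is False else b64url(payload)
    mac = hmac.new(key, protected + b"." + part, hashlib.sha256).digest()
    return protected, part, b64url(mac)

def verify(protected, part, signature, key=KEY, supported=SUPPORTED_CRIT):
    """Return the payload octets the signature covers, or raise ValueError."""
    header = json.loads(b64url_decode(protected))
    crit = header.get("crit", [])
    if set(crit) - set(supported):
        raise ValueError("unsupported critical header parameter")
    unencoded = header.get("b64", True) is False
    if unencoded and "b64" not in crit:
        raise ValueError("policy: unencoded payload must be marked critical")
    mac = hmac.new(key, protected + b"." + part, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), signature):
        raise ValueError("bad signature")
    return part if unencoded else b64url_decode(part)

def verify_ignoring_b64(protected, part, signature, key=KEY):
    """Pre-extension verifier: checks the MAC, always decodes the payload."""
    mac = hmac.new(key, protected + b"." + part, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), signature):
        raise ValueError("bad signature")
    return b64url_decode(part)

if __name__ == "__main__":
    # Constructed sample: the raw payload happens to be valid base64url text.
    jws = sign({"alg": "HS256", "b64": False}, b"aGVsbG8")
    print(verify_ignoring_b64(*jws))   # different octets, same signature
    marked = sign({"alg": "HS256", "b64": False, "crit": ["b64"]}, b"aGVsbG8")
    print(verify(*marked))
```

A verifier that does not list `b64` among its supported critical parameters rejects the marked object instead of misreading its payload.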
Document Quality
The document comes with examples of the new signatures; these examples
have been validated by a non-author implementation. A number of people
have indicated that they are either planning to implement or are
considering implementing the change in the signature scheme here. Note
that the document explicitly states that the JSON Web Token community is
not going to take this change.
Personnel
Jim Schaad acted as the Document Shepherd and
Kathleen Moriarty is the Responsible Area Director.