paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

Footer format not clear in spec #107

Closed bdemers closed 3 years ago

bdemers commented 4 years ago

The footer in the README example is: Paragon Initiative Enterprises; however, the spec hints at this field being JSON. That said, other than stating that an empty footer should be treated as an empty string, the format of the Footer is NOT specified.

If the footer was always JSON (when not empty), this would simplify libraries and usages of the library.

paragonie-scott commented 4 years ago

The format is unspecified. You can drop whatever string you want there. It may be (but does not have to be) JSON. It may be a UUID identifying the key being used.

The footer only exists for key rotation. It's never encrypted. You should almost never drop any data in the footer unless you need key rotation.

bdemers commented 4 years ago

Thanks for following up! It would be great if this was called out in the spec. I think it could reduce a lot of confusion if the spec makes the assertion that the Footer was always JSON.

Implementing libraries can more easily provide functions around getting the footer claims (for example, kid) and they wouldn't need to provide a Footer object that could either be a map/hash/dict or a string value.

Users of these libraries also wouldn't need any special handling to detect what type of information is in the footer.

ghost commented 4 years ago

Actually, I think it would be better if the footer was "free form", except maybe that it needs to be Base64 URL encoded, like the other part of the token.

This has the benefit that there is no need to first perform JSON parsing before being able to figure out which key to use. JSON parsing is complicated so it is best avoided on untrusted input. I remember some good articles about the complexity of parsing JSON, but I can't find them anymore...

bdemers commented 4 years ago

@fkooman I partially agree with you; however, there is already a registered footer claim, which implies that this is the standard way to do this.

paragonie-security commented 3 years ago

We're considering making the JSON format mandatory in v3/v4 just to make it less surprising. Folks using non-JSON claims in v1/v2 may continue to do so.

paragonie-security commented 3 years ago

This has tentatively landed in #127 / #128. Please comment in #127 if you do not like this change.
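
Added example, not part of the thread or of the PASETO project's code: a Python sketch of reading the footer for key selection when it may be either free-form or JSON with a `kid` claim, as discussed above. The function names, the `MAX_FOOTER_BYTES` limit, the keyring and the sample token are assumptions made for illustration; the token must still be verified by a PASETO library with the selected key.

```python
import base64
import json

MAX_FOOTER_BYTES = 1024  # assumed cap; the footer is parsed before verification

def b64url_decode(part: str) -> bytes:
    """Decode unpadded base64url, the encoding used for payload and footer."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def read_footer(token: str) -> bytes:
    """Return the raw footer bytes, or b"" when the token has no footer."""
    parts = token.split(".")
    if len(parts) not in (3, 4):
        raise ValueError("not a PASETO token")
    if len(parts) == 3 or parts[3] == "":
        return b""  # an empty footer is treated as an empty string
    if len(parts[3]) > MAX_FOOTER_BYTES * 4 // 3 + 4:
        raise ValueError("footer too long")
    return b64url_decode(parts[3])

def key_id_from_footer(footer: bytes):
    """Return the key id from a JSON footer ("kid") or from a free-form footer."""
    if not footer:
        return None
    text = footer.decode("utf-8")
    if text.lstrip().startswith("{"):
        claims = json.loads(text)  # untrusted input: only "kid" is read
        kid = claims.get("kid") if isinstance(claims, dict) else None
        if kid is not None and not isinstance(kid, str):
            raise ValueError("kid must be a string")
        return kid
    return text  # free-form footer: the whole string is the identifier

def select_key(token: str, keyring: dict) -> bytes:
    """Pick a verification key; the footer only selects among known keys."""
    kid = key_id_from_footer(read_footer(token))
    if kid is None or kid not in keyring:
        raise KeyError("unknown or missing key id")
    return keyring[kid]

def sample_token(footer: bytes) -> str:
    """Constructed token shape for the demo; the payload is a dummy value."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    body = "v2.local." + enc(b"constructed-payload")
    return body + ("." + enc(footer) if footer else "")
```
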