Closed panva closed 2 years ago
We were originally intending on the suffix to mean "alternative encoding to JSON", rather than a compression flag. The main reason is that the flag will affect how systems are expecting the footer to be encoded too.
If you're not deviating from JSON, it might be easier to just specify this as a footer attribute.
Generally speaking, compression and cryptography don't mix well. See also BREACH, CRIME, and this iMessage attack.
If we decide to specify this, we should be very thoughtful about not enabling attacks.
The best practices RFC for JWT forbids compression.
Tempting it may be for some folks to implement, we shouldn't permit this.
I think it would be useful if payload compression was possible with e.g. using a
c
suffix (v1c.[purpose].
).One compression algorithm (raw inflate/deflate
v1c
, brotliv1b
, gzipv1g
) would be used?Payload processing for these versions would change to
or
This is technically possible today if a library exposes a raw payload construct but this approach lacks negotioation between the issuer and recipient that compression is used.
Feel free to take liberty with the suggested scheme.