saibotsivad
commented
8 years ago I'm leaning towards requiring base64url only for the components of the URI.
Open saibotsivad opened 8 years ago
saibotsivad
commented
8 years ago I'm leaning towards requiring base64url only for the components of the URI.
saibotsivad
commented
8 years ago I went through the core specifications and noted where base64url was currently being used, and what it was used for (there are many more in the non-core specs):
sdmp.schemas (full URI)encrypted.iv (byte array)encrypted.payload (byte array)encrypted.recipients[].key (byte array)identity.key (byte array)identity.fingerprint (URI section)resource.user (fingerprint, URI section) change to resource.fingerprint?resource.trust (full URI)signature.identifier (payload hash, URI section)signature.payload (byte array)signature.signatures[].fingerprint (URI section)signature.signatures[].signature (byte array)It seems to me that there are three main possibilities:
base64url encoding everywhere.The benefit is that all encoded data is the same encoding.
The problem is that base64url encoding is not as well supported, so implementations will probably need to escape/unescape base64 data to ingest it properly. It adds a requirement on the developer, and that's kind of annoying.
base64 encoding everywhere except for URI sections.The benefit is that the byte array data is in base64 encoding, which makes it easy for developers to ingest.
The problem is that it is unclear which properties should be encoded which way. It adds complexity to the developer to make sure they are encoding each property correctly.
base64 encoding everywhere, URIs are specialThe benefit is that building and ingesting container objects is mostly easier: everything is base64 encoded.
The drawback is that the property values and reference values (the URI sections) are different. Requests will need to take a base64url link and translate it to base64.
In 0.12 there is a lot of use of base64url which is possibly not necessary.
The main reason to use base64url is so that the key fingerprint and the resource identifier can be combined into a valid URI.
However, there is no particular reason that, for example, the encrypted payload or the signature itself, would need to be base64url encoded.
Additionally, since base64url is not as well supported, it will likely impede adoption since anyone wanting to make an implementation will need to make a base64url transform.
I think it's reasonable to require base64url for URI formation, since a simple regex replace will suffice, but for longer payloads will require streaming for max optimisation.