JSON Web Signature (JWS) Unencoded Payload Option
Draft of message to be sent after approval:
Technical Summary

JSON Web Signature (JWS) [RFC 7515] represents the payload as a base64url-encoded value and uses this value in the Signature computation. While this enables arbitrary payloads to be integrity protected, some have described use cases in which the base64url encoding is unnecessary and/or an impediment to adoption, especially when the payload is large and/or detached. This specification defines an alternate signature computation method that avoids the requirement to base64url-encode the payload.

Working Group Summary

This document defines an alternate method to form the octet string that signatures are computed over for a JWS object. This was the main focus of the discussions, as it means that there are now potentially two different messages, one with and one without base64 encoding, that will have the same signature value. The group believes that this has been adequately addressed in the current document.

Document Quality

The document comes with examples of the new signatures; these examples have been validated by a non-author implementation. A number of people have indicated that they are either planning to implement or are considering implementing the change in the signature scheme here. Note that the document explicitly states that the JSON Web Token community is not going to take this change.

Personnel

Jim Schaad acted as the Document Shepherd and Kathleen Moriarty is the Responsible Area Director.
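The sketch below is an added example, not part of this announcement or of the specification's own examples. It shows the two signing-input forms from the Technical Summary and the "two different messages, same signature" concern from the Working Group Summary, using the "b64" and "crit" header parameters from the published specification. The key, the payload and the understands_b64 switch (which models an older JWS library) are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, for illustration only

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64url_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def signing_input(header: dict, payload: bytes) -> bytes:
    """Octet string the signature is computed over."""
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # RFC 7515 default: payload is base64url-encoded; "b64": false uses it as-is.
    body = b64url(payload) if header.get("b64", True) else payload
    return protected + b"." + body

def sign(header: dict, payload: bytes) -> bytes:
    data = signing_input(header, payload)
    return data + b"." + b64url(hmac.new(KEY, data, hashlib.sha256).digest())

def verify(token: bytes, understands_b64: bool) -> bytes:
    """Return the payload. understands_b64=False models a pre-existing JWS
    library that has never heard of the "b64" header parameter."""
    protected, body, sig = token.split(b".")  # demo payloads contain no "."
    header = json.loads(b64url_decode(protected))
    supported = {"b64"} if understands_b64 else set()
    unknown = set(header.get("crit", [])) - supported
    if unknown:  # RFC 7515: unsupported critical parameters make the JWS invalid
        raise ValueError(f"unsupported critical parameters: {sorted(unknown)}")
    expected = hmac.new(KEY, protected + b"." + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    if understands_b64 and header.get("b64", True) is False:
        return body
    return b64url_decode(body)

def demo() -> dict:
    text = b"aGVsbG8"  # constructed payload that is also valid base64url
    marked = sign({"alg": "HS256", "b64": False, "crit": ["b64"]}, text)
    unmarked = sign({"alg": "HS256", "b64": False}, text)  # "crit" omitted
    out = {"aware": verify(marked, True), "legacy_unmarked": verify(unmarked, False)}
    try:
        verify(marked, False)
    except ValueError as exc:
        out["legacy_marked"] = str(exc)
    return out

if __name__ == "__main__":
    print(demo())
```

Without "crit", the older verifier accepts the signature but reads the payload as b"hello" instead of the signed text b"aGVsbG8"; with "crit": ["b64"] it rejects the object outright.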