-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add RFC for JWS-signing PGXN releases #5
base: main
Are you sure you want to change the base?
Conversation
Also add some items to the "Unresolved questions" section and a "Future possibilities" item for author signing.
8a4ad64
to
fa66f7a
Compare
text/0000-release-meta-spec-v2.md
Outdated
"protected":"eyJhbGciOiJSUzI1NiJ9", | ||
"header": {"kid": "2024-12-29" }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Normally a JWS is like headerB64.payloadB64.signatureB64
, and therefore I am wondering about why the payload is separate from the header and signature. I believe it is like that in order to support multiple signatures.
Questions to consider are...
- is it necessary to support multiple signatures?
- For 'protected' and 'header', both of these parts typically included in the "header" as described in RFC 7515, so why not combine that into just 'header' as b64 encoded.
- Wondering because if you take the payload, the header (as suggested in previous comment), signature, and concatenate them with "." joined (RFC7515 section 3.3), then would that make it exactly like a "normal" signature? i.e. easier to use with existing clients that do signature validation maybe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's an official RFC 7515 format called JWS JSON Serialization. We don't need URL-safe serialization, so this is just a little friendlier for clients. And yes, it allows multiple signatures, which could be useful for author signing or gradual key rotation.
- I think it's useful to support multiple signatures because, unlike ephemeral HTTP requests, there's are records at rest and will be around for many years.
protected
andheader
are not combined because the JWS JSON Serialization format separates them.- Clients should also support this format, as it's part of the standard. But even if they don't, conversion will be trivial, as you point out.
Really I wanted the payload not to be Base64 URL-encoded, as specified in JWS-JS, but I believe that spec was abandoned in favor of RFC 7515 JWS JSON Serialization, so going with that approved standard, instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Embedding the public key in clients seems questionable to me, but looks good otherwise.
No description provided.