On 2010-07-27, at 12:34 AM, Nat Sakimura wrote:
> I have a fundamental question.
>
> While separating signature and payload by a dot "." seems ok,
> I still do not have the answer for the question "why not make everything
> into JSON and base64url it?".

bloat from base64 encoding twice

> BTW, some of the envelope parameters such as alg need to be signed as
> well to thwart the algorithm replacing attack.

would you elaborate on the attack?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth