
Re: New I-D: draft-hardt-httpbis-signature-key-00 (HTTP Signature-Key Header)

On Thu, Jan 8, 2026 at 10:52 AM Martin Thomson <mt@lowentropy.net> wrote:

> On Thu, Jan 8, 2026, at 20:24, Dick Hardt wrote:
> > I've just published -01 to clarify that all parameter values are
> > strings. While some parameters could be tokens, my view is consistency
> > of having all parameters be strings is simpler for implementers.
>
> It's not tokens (RFC 9651 recommends strings over tokens in most cases),
> but byte sequences.  You have a lot of base64, which could very easily use
> : instead of " as a delimiter and get the benefit of syntax checking and
> other facilities in structured fields.
>
> Yes, I know that you might prefer the URL safe base64 variant, as I do,
> but the difference is pretty minor.
>

Let's discuss.

A jwk uses base64url encoding -- so converting jwk to / from hwk would
require the implementor to convert between base64 and base64url.  That is
not hard to do, but if an implementation forgets, then they will have an
intermittent bug that only shows up when the base64url string has a '-' or
'_' in it. I personally prefer the hwk key scheme to use base64url to be
more aligned with jwk (and hence use string instead of byte sequence).

The only other string that could be a byte sequence is the x509 x5t
parameter. That is base64 -- and using a byte sequence instead of a string
could make sense there.

/Dick

Received on Thursday, 8 January 2026 10:45:38 UTC
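
The conversion discussed in the message above, as an added example that is not part of the original thread or of the draft: it converts a JWK-style base64url value to and from an RFC 9651 byte sequence (`:base64:`) and shows which keys survive a forgotten conversion. The function names and the sample key bytes are constructed for illustration.

```python
import base64
import binascii

def jwk_to_sf_bytes(b64url: str) -> str:
    """JWK value (base64url, unpadded) -> RFC 9651 byte sequence item."""
    if any(c in b64url for c in "+/="):
        raise ValueError("not unpadded base64url")
    std = b64url.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)              # restore the padding JWK strips
    raw = base64.b64decode(std, validate=True)
    return ":" + base64.b64encode(raw).decode("ascii") + ":"

def sf_bytes_to_jwk(item: str) -> str:
    """RFC 9651 byte sequence item -> JWK value (base64url, unpadded)."""
    if len(item) < 2 or not (item.startswith(":") and item.endswith(":")):
        raise ValueError("not a byte sequence item")
    raw = base64.b64decode(item[1:-1], validate=True)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def forgotten_conversion_works(b64url: str) -> bool:
    """True if the JWK text, used unchanged as standard base64, still
    decodes to the same key bytes (the 'works by accident' case)."""
    padded = b64url + "=" * (-len(b64url) % 4)
    try:
        naive = base64.b64decode(padded, validate=True)  # strict alphabet
    except binascii.Error:
        return False                          # '-' or '_' rejected
    return naive == base64.urlsafe_b64decode(padded)

def jwk_value(raw: bytes) -> str:
    """Encode raw key bytes the way a JWK member carries them."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

# Constructed sample key material, not real keys.
KEY_PLAIN = bytes(range(32))                  # encodes without '-' or '_'
KEY_URLCHARS = bytes([0xFB, 0xFF] * 16)       # encodes with '-' and '_'

if __name__ == "__main__":
    for raw in (KEY_PLAIN, KEY_URLCHARS):
        x = jwk_value(raw)
        print(x)
        print("  unchanged text accepted:", forgotten_conversion_works(x))
        print("  byte sequence:", jwk_to_sf_bytes(x))
```

A test suite for either encoding choice needs at least one key like `KEY_URLCHARS`, since keys like `KEY_PLAIN` pass whether or not the conversion is done.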