From 08be722de0bf5e38f39b6a06ffb2ee01479e6788 Mon Sep 17 00:00:00 2001 From: Paragon Initiative Enterprises Date: Fri, 10 Jun 2022 02:16:34 -0400 Subject: [PATCH] Be canonical with Base64url --- docs/01-Protocol-Versions/Common.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/01-Protocol-Versions/Common.md b/docs/01-Protocol-Versions/Common.md index 6edc21d..7303bcb 100644 --- a/docs/01-Protocol-Versions/Common.md +++ b/docs/01-Protocol-Versions/Common.md @@ -9,6 +9,15 @@ without `=` padding. This is implemented in our [constant-time RFC 4648 library](https://github.com/paragonie/constant_time_encoding) as `Base64UrlSafe::encodeUnpadded()`. +### Base64 Decoding + +When decoding a base64url-encoded segment of a PASETO token, implementations +**MUST** be strict about the padding: + +* Padding with `=` characters is *forbidden*. +* If there are trailing bits (2 or 4) due to the length of the segment, all trailing + **MUST** be cleared, or the message is rejected. + ## Authentication Padding Multi-part messages (e.g. header, content, footer) are encoded
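Review bot: the second bullet of the added "Base64 Decoding" section is missing its noun: "all trailing **MUST** be cleared" should read "all trailing **bits MUST** be cleared" (the bits in question are the 4 or 2 low-order bits of the final base64url character when the segment length is 2 or 3 mod 4, which matches the "(2 or 4)" in the same bullet). The rejection clause should also be normative like the rest of the section, e.g. "otherwise the token **MUST** be rejected", and the lead sentence should not say "strict about the padding" when the second bullet is about canonical encoding rather than padding; something like "implementations **MUST** require canonical base64url:" followed by the two bullets would read correctly. Finally, a segment whose length is 1 mod 4 can never be a valid base64 encoding and is not covered by either bullet; adding "segments whose length is 1 mod 4 MUST be rejected" would close that gap.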