[OAUTH-WG] JSON token draft based upon a convergence proposal

Mike Jones <Michael.Jones@microsoft.com> Tue, 26 October 2010 00:01 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Cc: "openid-specs-ab@lists.openid.net" <openid-specs-ab@lists.openid.net>
Date: Tue, 26 Oct 2010 00:03:13 +0000
Subject: [OAUTH-WG] JSON token draft based upon a convergence proposal

I've produced a new JSON token draft (attached and also at http://self-issued.info/docs/draft-jones-json-web-token-00.html) based on a convergence proposal discussed with the authors of the other JSON signing proposals.  I borrowed portions of this draft with permission from Dirk Balfanz, John Bradley, John Panzer, and Nat Sakimura, and so listed them as co-authors.  (You shouldn't take their being listed as authors as their blanket endorsement of its content, but I appreciate their willingness to let me build upon their work.)

There are still open issues.  In particular, while I call out the need for including mechanism(s) for retrieving public keys that are not encoded in X.509 certificates in the Open Issues (Section 11), I have not yet incorporated them into the draft.  For one thing, there was a comment that we should consider publishing public keys as JWTs, which I haven't had the time to investigate yet.  I'd also like to discuss whether we should assume that the issuer claim can always be used to retrieve a simple public key or whether we need to define a new claim or envelope parameter for that.

Hopefully we can develop consensus positions on these and any other issues found during IIW.  This doc is intended as a further step in that direction.

A detailed comparison of the precursor documents, which led to the convergence proposal incorporated in this draft, is as follows:

The documents compared (one per column):

- JSON Tokens: http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html
- JSON Simple Sign (JSS): http://jsonenc.info/jss/1.0/
- Canvas Application Signatures: http://developers.facebook.com/docs/authentication/canvas
- JSON Web Token (JWT): http://self-issued.info/docs/draft-goland-json-web-token-00.html
- Proposed Resolution: http://self-issued.info/docs/draft-jones-json-web-token-00.html

| Feature | JSON Tokens | JSON Simple Sign (JSS) | Canvas Application Signatures | JSON Web Token (JWT) | Proposed Resolution |
|---|---|---|---|---|---|
| Envelope distinct from payload | Yes | Yes | No | No | Yes |
| Reserved claims defined for use in payload | Yes | No | Yes | Yes | Yes - for optional use |
| Overhead of encoding | Medium | High | Low | Low | Low |
| Signature algorithms supported (recommended marked +, optional marked *) | HMAC SHA-256, RSA SHA-256 | HMAC SHA-256, RSA SHA-256, ECDSA-SHA256 | HMAC SHA-256 | HMAC SHA-256, RSA SHA-256+, ECDSA-SHA256+, larger key sizes* | HMAC SHA-256, RSA SHA-256, ECDSA-SHA256+, larger key sizes* |
| Signing required | Yes | Yes | Yes | No | Yes (but "none" algorithm could be separately defined) |
| Location of algorithm parameter | Envelope | Envelope | Payload | Payload | Envelope |
| Key ID parameter | Optional in Envelope | Optional in Envelope for HMAC SHA-256 | N/A | None | Optional in Envelope |
| Key location parameter | Discovery method defined for RSA keys | Required in envelope for RSA SHA-256 | N/A | None | Optional key location or public key in Envelope; any key discovery in separate specification(s) |
| Key representation specified | Yes - Magic Keys for RSA | Yes - X.509 certificates for RSA SHA-256 | N/A | No | Optional use of X.509 certificates specified; also specify non-X.509 method(s) of public key retrieval; methods not in core spec can also be used |
| Type description for envelope | No | Required type URI | No | No | Optional using concise representation |
| Type description for payload | Optional in Envelope | Optional in Payload | No | No | Optional in Payload |
| Encoding algorithm | Base64url with padding | Base64url without padding | Base64url without padding | Base64url without padding | Base64url without padding |
| Token representations | Base64url encodings separated by periods (JSON serialization specified in Magic Signatures) | Base64url encodings separated by periods; JSON serialization | Base64url encodings separated by periods | Base64url encodings separated by periods | Base64url encodings separated by periods |
| Multiple signatures | No (but supported by Magic Signatures) | Yes | No | No | Not in base spec, but could be defined as an extension |
| Encryption supported | No | In related specification | No | No | In related specification |

Hope to see many of you next week!

-- Mike
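Added example, not part of Mike's message or of any of the drafts it compares: a minimal issuer and verifier for the token shape the "Proposed Resolution" column converges on (an envelope carrying the algorithm and an optional key ID, a payload of claims, and a signature, each base64url-encoded without padding and joined by periods, signed with HMAC SHA-256). The envelope parameter names ("alg", "kid", "typ"), the algorithm label "HS256" and the claim names "iss" and "exp" are assumptions taken from the later JWT/JWS RFCs, not from the -00 draft. The verifier illustrates the practical consequence of the "Signing required" row: it treats the algorithm as a verifier-side policy and rejects any token whose envelope does not name the one algorithm it was configured for, so a separately defined "none" algorithm can never be used to bypass it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by every column except JSON Tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding before decoding (raises ValueError on bad input)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, kid: Optional[str] = None) -> str:
    """Issue envelope.payload.signature with HMAC SHA-256 over 'envelope.payload'."""
    envelope = {"typ": "JWT", "alg": "HS256"}  # assumed parameter names
    if kid is not None:
        envelope["kid"] = kid                  # optional key ID in the envelope
    head = b64url_encode(json.dumps(envelope, separators=(",", ":")).encode("utf-8"))
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{head}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, expected_iss: str, now: int) -> dict:
    """Return the claims if the token verifies; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three base64url segments separated by periods")
    head, body, sig = parts

    envelope = json.loads(b64url_decode(head))
    # Policy lives in the verifier: the envelope may *say* anything, but only the
    # algorithm this verifier was configured for is honoured. A token carrying
    # "none" (or any other label) is refused before any claim is looked at.
    if not isinstance(envelope, dict) or envelope.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg in envelope")

    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature does not verify")

    claims = json.loads(b64url_decode(body))
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss:
        raise ValueError("issuer claim does not match the expected issuer")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token has expired")
    return claims


def is_valid(token: str, key: bytes, expected_iss: str, now: int) -> bool:
    """Boolean wrapper so callers can branch without catching exceptions."""
    try:
        verify_hs256(token, key, expected_iss, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo key and claims; not values from any real deployment.
    demo_key = b"constructed-demo-key-do-not-reuse"
    token = sign_hs256({"iss": "https://issuer.example", "exp": 2000000000},
                       demo_key, kid="demo-key-1")
    print(token)
    print(verify_hs256(token, demo_key, "https://issuer.example", now=1700000000))
```

Note the two checks a deployment must not skip even when the signature verifies: the issuer is compared against the one the verifier expects (the email's question about whether the issuer claim alone suffices to locate a key does not change that the verifier, not the token, chooses which key and issuer it trusts), and expiry is evaluated against the verifier's clock.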