idnits 2.17.1 draft-jones-jose-jws-json-serialization-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 27, 2012) is 4138 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 JOSE Working Group M. Jones 3 Internet-Draft Microsoft 4 Intended status: Standards Track J. Bradley 5 Expires: June 30, 2013 independent 6 N. Sakimura 7 Nomura Research Institute 8 December 27, 2012 10 JSON Web Signature JSON Serialization (JWS-JS) 11 draft-jones-jose-jws-json-serialization-04 13 Abstract 15 The JSON Web Signature JSON Serialization (JWS-JS) is a means of 16 representing content secured with digital signatures or Message 17 Authentication Codes (MACs) using JavaScript Object Notation (JSON) 18 data structures. This specification describes a means of 19 representing secured content as a JSON data object (as opposed to the 20 JWS specification, which uses a compact serialization with a URL-safe 21 representation). It enables multiple digital signatures and/or MACs 22 to be applied to the same content (unlike JWS). Cryptographic 23 algorithms and identifiers used with this specification are described 24 in the separate JSON Web Algorithms (JWA) specification. The JSON 25 Serialization for related encryption functionality is described in 26 the separate JSON Web Encryption JSON Serialization (JWE-JS) 27 specification. 29 Status of this Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on June 30, 2013. 46 Copyright Notice 48 Copyright (c) 2012 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 65 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 3. JSON Serialization . . . . . . . . . . . . . . . . . . . . . . 3 67 4. Example JWS-JS . . . . . . . . . . . . . . . . . . . . . . . . 4 68 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 70 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 71 7.1. Normative References . . . . . . . . . . . . . . . . . . . 5 72 7.2. Informative References . . . . . . . . . . . . . . . . . . 6 73 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6 74 Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . . 6 75 Appendix C. Document History . . . . . . . . . . . . . . . . . . . 6 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 78 1. Introduction 80 The JSON Web Signature JSON Serialization (JWS-JS) is a format for 81 representing content secured with digital signatures or Message 82 Authentication Codes (MACs) as a JavaScript Object Notation (JSON) 83 [RFC4627] object. It enables multiple digital signatures and/or MACs 84 to be applied to the same content (unlike JWS [JWS]). The digital 85 signature and MAC mechanisms used are independent of the type of 86 content being secured, allowing arbitrary content to be secured. 87 Cryptographic algorithms and identifiers used with this specification 88 are described in the separate JSON Web Algorithms (JWA) [JWA] 89 specification. The JSON Serialization for related encryption 90 functionality is described in the separate JSON Web Encryption JSON 91 Serialization (JWE-JS) [JWE-JS] specification. 93 1.1. Notational Conventions 95 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 96 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 97 document are to be interpreted as described in Key words for use in 98 RFCs to Indicate Requirement Levels [RFC2119]. 100 2. Terminology 102 This specification uses the same terminology as the JSON Web 103 Signature (JWS) [JWS] specification. 105 3. JSON Serialization 107 The JSON Serialization represents secured content as a JSON object 108 with a "recipients" member containing an array of per-recipient 109 information and a "payload" member containing a shared Encoded JWS 110 Payload value. Each member of the "recipients" array is a JSON 111 object with a "header" member containing an Encoded JWS Header value 112 and a "signature" member containing an Encoded JWS Signature value. 114 Unlike the compact serialization used by JWSs, content using the JSON 115 Serialization MAY be secured with more than one digital signature 116 and/or MAC value. Each is represented as an Encoded JWS Signature 117 value in the "signature" member of an object in the "recipients" 118 array. For each, there is an Encoded JWS Encoded Header value in the 119 "header" member of the same object in the "recipients" array. This 120 specifies the digital signature or MAC applied to the Encoded JWS 121 Header value and the shared Encoded JWS Payload value to create the 122 JWS Signature value. Therefore, the syntax is: 124 {"recipients":[ 125 {"header":"
", 126 "signature":""}, 127 ... 128 {"header":"
", 129 "signature":""}], 130 "payload":"" 131 } 133 The contents of the Encoded JWS Header, Encoded JWS Payload, and 134 Encoded JWS Signature values are exactly as specified in JSON Web 135 Signature (JWS) [JWS]. They are interpreted and validated in the 136 same manner, with each corresponding "header" and "signature" value 137 being created and validated together. 139 Each JWS Signature value is computed on the JWS Secured Input 140 corresponding to the concatenation of the Encoded JWS Header, a 141 period ('.') character, and the Encoded JWS Payload in the same 142 manner described in the JWS specification. This has the desirable 143 result that each Encoded JWS signature value in the "recipients" 144 array is identical to the value that would be used for the same 145 parameters in a JWS. 147 4. Example JWS-JS 149 This section contains an example using the JWS JSON Serialization. 150 This example demonstrates the capability for conveying multiple 151 digital signatures and/or MACs for the same payload. 153 The Encoded JWS Payload used in this example is the same as used in 154 the examples in Appendix A of JWS (with line breaks for display 155 purposes only): 157 eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt 158 cGxlLmNvbS9pc19yb290Ijp0cnVlfQ 160 Two digital signatures are used in this example: an RSA SHA-256 161 signature, for which the header and signature values are the same as 162 in Appendix A.2 of JWS, and an ECDSA P-256 SHA-256 signature, for 163 which the header and signature values are the same as in Appendix A.3 164 of JWS. The two Decoded JWS Header Segments used are: 166 {"alg":"RS256"} 168 and: 170 {"alg":"ES256"} 172 Since the computations of the JWS Header and JWS Signature values are 173 the same as in Appendix A.2 and Appendix A.3 of JWS, they are not 174 repeated here. 176 The complete JSON Web Signature JSON Serialization (JWS-JS) for these 177 values is as follows (with line breaks for display purposes only): 179 {"recipients":[ 180 {"header":"eyJhbGciOiJSUzI1NiJ9", 181 "signature": 182 "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZ 183 mh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjb 184 KBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHl 185 b1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZES 186 c6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AX 187 LIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"}, 188 {"header":"eyJhbGciOiJFUzI1NiJ9", 189 "signature": 190 "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS 191 lSApmWQxfKTUJqPP3-Kg6NU1Q"}], 192 "payload": 193 "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGF 194 tcGxlLmNvbS9pc19yb290Ijp0cnVlfQ" 195 } 197 5. IANA Considerations 199 This specification makes no requests of IANA. 201 6. Security Considerations 203 The security considerations for this specification are the same as 204 those for the JSON Web Signature (JWS) [JWS] specification. 206 7. References 208 7.1. Normative References 210 [JWA] Jones, M., "JSON Web Algorithms (JWA)", 211 draft-ietf-jose-json-web-algorithms (work in progress), 212 December 2012. 214 [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web 215 Signature (JWS)", draft-ietf-jose-json-web-signature (work 216 in progress), December 2012. 218 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 219 Requirement Levels", BCP 14, RFC 2119, March 1997. 221 [RFC4627] Crockford, D., "The application/json Media Type for 222 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 224 7.2. Informative References 226 [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", 227 September 2010. 229 [JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization 230 (JWE-JS)", draft-jones-jose-jwe-json-serialization (work 231 in progress), December 2012. 233 [MagicSignatures] 234 Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic 235 Signatures", January 2011. 237 Appendix A. Acknowledgements 239 JSON serializations for secured content were previously explored by 240 Magic Signatures [MagicSignatures] and JSON Simple Sign [JSS]. 242 Appendix B. Open Issues 244 [[ to be removed by the RFC editor before publication as an RFC ]] 246 The following items remain to be considered or done in this draft: 248 o Track changes that occur in the JWS spec. 250 Appendix C. Document History 252 [[ to be removed by the RFC editor before publication as an RFC ]] 254 -04 256 o Added seriesInfo information to Internet Draft references. 258 -03 260 o Updated references. 262 -02 263 o Changed to use an array of structures for per-recipient values, 264 rather than a set of parallel arrays. 266 -01 268 o Generalized language to refer to Message Authentication Codes 269 (MACs) rather than Hash-based Message Authentication Codes 270 (HMACs). 272 -00 274 o Renamed draft-jones-json-web-signature-json-serialization to 275 draft-jones-jose-jws-json-serialization to have "jose" be in the 276 document name so it can be included in the Related Documents list 277 at http://datatracker.ietf.org/wg/jose/. No normative changes. 279 draft-jones-json-web-signature-json-serialization-02 281 o Tracked editorial changes made to the JWS spec. 283 draft-jones-json-web-signature-json-serialization-01 285 o Corrected the Magic Signatures reference. 287 draft-jones-json-web-signature-json-serialization-00 289 o Created the initial version incorporating JOSE working group input 290 and drawing from the JSON Serialization previously proposed in 291 draft-jones-json-web-token-01. 293 Authors' Addresses 295 Michael B. Jones 296 Microsoft 298 Email: mbj@microsoft.com 299 URI: http://self-issued.info/ 301 John Bradley 302 independent 304 Email: ve7jtb@ve7jtb.com 305 Nat Sakimura 306 Nomura Research Institute 308 Email: n-sakimura@nri.co.jp