| < draft-ietf-jose-json-web-key-07.txt | draft-ietf-jose-json-web-key-08.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track November 6, 2012 | Intended status: Standards Track December 27, 2012 | |||
| Expires: May 10, 2013 | Expires: June 30, 2013 | |||
| JSON Web Key (JWK) | JSON Web Key (JWK) | |||
| draft-ietf-jose-json-web-key-07 | draft-ietf-jose-json-web-key-08 | |||
| Abstract | Abstract | |||
| A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data | |||
| structure that represents a public key. This specification also | structure that represents a public key. This specification also | |||
| defines a JSON Web Key Set (JWK Set) JSON data structure for | defines a JSON Web Key Set (JWK Set) JSON data structure for | |||
| representing a set of JWKs. Cryptographic algorithms and identifiers | representing a set of JWKs. Cryptographic algorithms and identifiers | |||
| for use with this specification are described in the separate JSON | for use with this specification are described in the separate JSON | |||
| Web Algorithms (JWA) specification. | Web Algorithms (JWA) specification. | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 10, 2013. | This Internet-Draft will expire on June 30, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Example JSON Web Key Set . . . . . . . . . . . . . . . . . . . 4 | 3. Example JSON Web Key Set . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. JSON Web Key (JWK) Format . . . . . . . . . . . . . . . . . . 4 | 4. JSON Web Key (JWK) Format . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. "alg" (Algorithm Family) Parameter . . . . . . . . . . . . 5 | 4.1. "kty" (Key Type) Parameter . . . . . . . . . . . . . . . . 5 | |||
| 4.2. "use" (Key Use) Parameter . . . . . . . . . . . . . . . . 5 | 4.2. "use" (Key Use) Parameter . . . . . . . . . . . . . . . . 5 | |||
| 4.3. "kid" (Key ID) Parameter . . . . . . . . . . . . . . . . . 5 | 4.3. "alg" (Algorithm) Parameter . . . . . . . . . . . . . . . 5 | |||
| 4.4. "kid" (Key ID) Parameter . . . . . . . . . . . . . . . . . 6 | ||||
| 5. JSON Web Key Set (JWK Set) Format . . . . . . . . . . . . . . 6 | 5. JSON Web Key Set (JWK Set) Format . . . . . . . . . . . . . . 6 | |||
| 5.1. "keys" (JSON Web Key Set) Parameter . . . . . . . . . . . 6 | 5.1. "keys" (JSON Web Key Set) Parameter . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 6. String Comparison Rules . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. JSON Web Key Parameters Registry . . . . . . . . . . . . . 7 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 | 7.1. JSON Web Key Parameters Registry . . . . . . . . . . . . . 7 | |||
| 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8 | 7.1.1. Registration Template . . . . . . . . . . . . . . . . 8 | |||
| 6.2. JSON Web Key Set Parameters Registry . . . . . . . . . . . 8 | 7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8 | |||
| 6.2.1. Registration Template . . . . . . . . . . . . . . . . 8 | 7.2. JSON Web Key Set Parameters Registry . . . . . . . . . . . 8 | |||
| 6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 8 | 7.2.1. Registration Template . . . . . . . . . . . . . . . . 9 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 7.2.2. Initial Registry Contents . . . . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 10 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . . 10 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix C. Document History . . . . . . . . . . . . . . . . . . 10 | Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . . 11 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 | Appendix C. Document History . . . . . . . . . . . . . . . . . . 11 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 1. Introduction | 1. Introduction | |||
| A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC4627] | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC4627] | |||
| data structure that represents a public key. This specification also | data structure that represents a public key. This specification also | |||
| defines a JSON Web Key Set (JWK Set) JSON data structure for | defines a JSON Web Key Set (JWK Set) JSON data structure for | |||
| representing a set of JWKs. Cryptographic algorithms and identifiers | representing a set of JWKs. Cryptographic algorithms and identifiers | |||
| for use with this specification are described in the separate JSON | for use with this specification are described in the separate JSON | |||
| Web Algorithms (JWA) [JWA] specification. | Web Algorithms (JWA) [JWA] specification. | |||
| Goals for this specification do not include representing private | Goals for this specification do not include representing private | |||
| keys, representing symmetric keys, representing certificate chains, | keys, representing symmetric keys, representing certificate chains, | |||
| representing certified keys, and replacing X.509 certificates. | representing certified keys, and replacing X.509 certificates. | |||
| However the JSON Private and Symmetric Key [JPSK] specification does | ||||
| extend this specification to define JSON representations of private | ||||
| keys and symmetric keys. | ||||
| JWKs and JWK Sets are used in the JSON Web Signature (JWS) [JWS] and | JWKs and JWK Sets are used in the JSON Web Signature (JWS) [JWS] and | |||
| JSON Web Encryption (JWE) [JWE] specifications. | JSON Web Encryption (JWE) [JWE] specifications. | |||
| 1.1. Notational Conventions | 1.1. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in Key words for use in | document are to be interpreted as described in Key words for use in | |||
| RFCs to Indicate Requirement Levels [RFC2119]. | RFCs to Indicate Requirement Levels [RFC2119]. | |||
| 2. Terminology | 2. Terminology | |||
| JSON Web Key (JWK) A JSON data structure that represents a public | JSON Web Key (JWK) A JSON object that represents a public key. | |||
| key. | ||||
| JSON Web Key Set (JWK Set) A JSON object that contains an array of | JSON Web Key Set (JWK Set) A JSON object that contains an array of | |||
| JWKs as a member. | JWKs as the value of its "keys" member. | |||
| Base64url Encoding The URL- and filename-safe Base64 encoding | Base64url Encoding The URL- and filename-safe Base64 encoding | |||
| described in RFC 4648 [RFC4648], Section 5, with the (non URL- | described in RFC 4648 [RFC4648], Section 5, with the (non URL- | |||
| safe) '=' padding characters omitted, as permitted by Section 3.2. | safe) '=' padding characters omitted, as permitted by Section 3.2. | |||
| (See Appendix C of [JWS] for notes on implementing base64url | (See Appendix C of [JWS] for notes on implementing base64url | |||
| encoding without padding.) | encoding without padding.) | |||
| Collision Resistant Namespace A namespace that allows names to be | Collision Resistant Namespace A namespace that allows names to be | |||
| allocated in a manner such that they are highly unlikely to | allocated in a manner such that they are highly unlikely to | |||
| collide with other names. For instance, collision resistance can | collide with other names. For instance, collision resistance can | |||
| skipping to change at page 4, line 12 ¶ | skipping to change at page 4, line 14 ¶ | |||
| IDentifiers (UUIDs) [RFC4122]. When using an administratively | IDentifiers (UUIDs) [RFC4122]. When using an administratively | |||
| delegated namespace, the definer of a name needs to take | delegated namespace, the definer of a name needs to take | |||
| reasonable precautions to ensure they are in control of the | reasonable precautions to ensure they are in control of the | |||
| portion of the namespace they use to define the name. | portion of the namespace they use to define the name. | |||
| 3. Example JSON Web Key Set | 3. Example JSON Web Key Set | |||
| The following example JWK Set contains two public keys represented as | The following example JWK Set contains two public keys represented as | |||
| JWKs: one using an Elliptic Curve algorithm and a second one using an | JWKs: one using an Elliptic Curve algorithm and a second one using an | |||
| RSA algorithm. The first specifies that the key is to be used for | RSA algorithm. The first specifies that the key is to be used for | |||
| encryption. Both provide a Key ID for key matching purposes. In | encryption. The second specifies that the key is to be used with the | |||
| both cases, integers are represented using the base64url encoding of | "RS256" algorithm. Both provide a Key ID for key matching purposes. | |||
| their big endian representations. (Long lines are broken are for | In both cases, integers are represented using the base64url encoding | |||
| of their big endian representations. (Long lines are broken are for | ||||
| display purposes only.) | display purposes only.) | |||
| {"keys": | {"keys": | |||
| [ | [ | |||
| {"alg":"EC", | {"kty":"EC", | |||
| "crv":"P-256", | "crv":"P-256", | |||
| "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", | "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", | |||
| "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", | "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", | |||
| "use":"enc", | "use":"enc", | |||
| "kid":"1"}, | "kid":"1"}, | |||
| {"alg":"RSA", | {"kty":"RSA", | |||
| "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx | "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx | |||
| 4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs | 4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs | |||
| tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2 | tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2 | |||
| QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI | QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI | |||
| SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb | SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb | |||
| w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", | w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", | |||
| "e":"AQAB", | "e":"AQAB", | |||
| "alg":"RS256", | ||||
| "kid":"2011-04-29"} | "kid":"2011-04-29"} | |||
| ] | ] | |||
| } | } | |||
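Review bot: both columns of the example's introduction read "Long lines are broken are for display purposes only"; the second "are" should go. Separately, the draft-08 example now carries "alg":"RS256" on the RSA key and that is the only signal that it is a signing key, while the EC key carries "use":"enc" and no "alg"; adding "use":"sig" next to "alg":"RS256" would show the two members together instead of leaving readers to infer the key use from the algorithm name.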
| 4. JSON Web Key (JWK) Format | 4. JSON Web Key (JWK) Format | |||
| A JSON Web Key (JWK) is a JSON object containing specific members, as | A JSON Web Key (JWK) is a JSON object containing specific members, as | |||
| specified below. Those members that are common to all key types are | specified below. Those members that are common to all key types are | |||
| defined below. | defined below. | |||
| skipping to change at page 5, line 11 ¶ | skipping to change at page 5, line 14 ¶ | |||
| the parameters of the key. Section 5 of the JSON Web Algorithms | the parameters of the key. Section 5 of the JSON Web Algorithms | |||
| (JWA) [JWA] specification defines multiple kinds of public keys and | (JWA) [JWA] specification defines multiple kinds of public keys and | |||
| their associated members. | their associated members. | |||
| The member names within a JWK MUST be unique; objects with duplicate | The member names within a JWK MUST be unique; objects with duplicate | |||
| member names MUST be rejected. | member names MUST be rejected. | |||
| Additional members MAY be present in the JWK. If present, they MUST | Additional members MAY be present in the JWK. If present, they MUST | |||
| be understood by implementations using them. Member names used for | be understood by implementations using them. Member names used for | |||
| representing key parameters for different kinds of keys need not be | representing key parameters for different kinds of keys need not be | |||
| distinct. Member names SHOULD either be registered in the IANA JSON | distinct. Any new member name SHOULD either be registered in the | |||
| Web Key Parameters registry Section 6.1 or be URIs that contain a | IANA JSON Web Key Parameters registry Section 7.1 or be a value that | |||
| Collision Resistant Namespace. | contains a Collision Resistant Namespace. | |||
| 4.1. "alg" (Algorithm Family) Parameter | 4.1. "kty" (Key Type) Parameter | |||
| The "alg" (algorithm family) member identifies the cryptographic | The "kty" (key type) member identifies the cryptographic algorithm | |||
| algorithm family used with the key. "alg" values SHOULD either be | family used with the key. "kty" values SHOULD either be registered in | |||
| registered in the IANA JSON Web Key Algorithm Families registry [JWA] | the IANA JSON Web Key Types registry [JWA] or be a value that | |||
| or be a URI that contains a Collision Resistant Namespace. The "alg" | contains a Collision Resistant Namespace. The "kty" value is a case | |||
| value is a case sensitive string. This member is REQUIRED. | sensitive string. Use of this member is REQUIRED. | |||
| A list of defined "alg" values can be found in the IANA JSON Web Key | A list of defined "kty" values can be found in the IANA JSON Web Key | |||
| Algorithm Families registry [JWA]; the initial contents of this | Types registry [JWA]; the initial contents of this registry are the | |||
| registry are the values defined in Section 5.1 of the JSON Web | values defined in Section 5.1 of the JSON Web Algorithms (JWA) [JWA] | |||
| Algorithms (JWA) [JWA] specification. | specification. | |||
| Additional members used with these "alg" values can be found in the | Additional members used with these "kty" values can be found in the | |||
| IANA JSON Web Key Parameters registry Section 6.1; the initial | IANA JSON Web Key Parameters registry Section 7.1; the initial | |||
| contents of this registry are the values defined in Sections 5.2 and | contents of this registry are the values defined in Sections 5.2 and | |||
| 5.3 of the JSON Web Algorithms (JWA) [JWA] specification. | 5.3 of the JSON Web Algorithms (JWA) [JWA] specification. | |||
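Review bot: Section 4.1 renames the REQUIRED key-family member from "alg" to "kty" while Section 4.3 reuses "alg" for the JWS/JWE algorithm, so draft-07 and draft-08 JWKs are not interchangeable: a draft-07 key's "alg":"RSA" now reads as an algorithm identifier on a key with no "kty", and a draft-08 key's "alg":"RS256" is an unknown key family to a draft-07 consumer. Since "kty" is REQUIRED, the text should say outright that a JWK without "kty" MUST be rejected rather than interpreted by its "alg", and the Document History should flag the rename as a breaking change.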
| 4.2. "use" (Key Use) Parameter | 4.2. "use" (Key Use) Parameter | |||
| The "use" (key use) member identifies the intended use of the key. | The "use" (key use) member identifies the intended use of the key. | |||
| Values defined by this specification are: | Values defined by this specification are: | |||
| o "sig" (signature) | o "sig" (signature) | |||
| o "enc" (encryption) | o "enc" (encryption) | |||
| Other values MAY be used. The "use" value is a case sensitive | Other values MAY be used. The "use" value is a case sensitive | |||
| string. This member is OPTIONAL. | string. Use of this member is OPTIONAL. | |||
| 4.3. "kid" (Key ID) Parameter | 4.3. "alg" (Algorithm) Parameter | |||
| The "alg" (algorithm) member identifies the algorithm intended for | ||||
| use with the key. The values used in this field are the same as | ||||
| those used in the JWS [JWS] and JWE [JWE] "alg" and "enc" header | ||||
| parameters; these values can be found in the JSON Web Signature and | ||||
| Encryption Algorithms registry [JWA]. Use of this member is | ||||
| OPTIONAL. | ||||
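Review bot: Section 4.3 ties the JWK "alg" to the JWS/JWE header "alg"/"enc" values but gives no rule for a mismatch, e.g. a key published with "alg":"RS256" being presented to verify a JWS whose header names a different algorithm. Suggest a sentence that, when a JWK carries "alg", the key MUST NOT be used with any other algorithm; without it the member is only advisory and the header still decides how the key material is used.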
| 4.4. "kid" (Key ID) Parameter | ||||
| The "kid" (key ID) member can be used to match a specific key. This | The "kid" (key ID) member can be used to match a specific key. This | |||
| can be used, for instance, to choose among a set of keys within a JWK | can be used, for instance, to choose among a set of keys within a JWK | |||
| Set during key rollover. The interpretation of the "kid" value is | Set during key rollover. The interpretation of the "kid" value is | |||
| unspecified. Key ID values within a JWK Set need not be unique. The | unspecified. Key ID values within a JWK Set need not be unique. The | |||
| "kid" value is a case sensitive string. This member is OPTIONAL. | "kid" value is a case sensitive string. Use of this member is | |||
| OPTIONAL. | ||||
| When used with JWS or JWE, the "kid" value MAY be used to match a JWS | When used with JWS or JWE, the "kid" value MAY be used to match a JWS | |||
| or JWE "kid" header parameter value. | or JWE "kid" header parameter value. | |||
| In some contexts, different keys using the same Key ID value might be | In some contexts, different keys using the same Key ID value might be | |||
| present, with the keys being disambiguated using other information, | present, with the keys being disambiguated using other information, | |||
| such as the "alg" or "use" values. For example, imagine "kid" values | such as the "kty" or "use" values. For example, imagine "kid" values | |||
| like "Current", "Upcoming", and "Deprecated", used for key rollover | like "Current", "Upcoming", and "Deprecated", used for key rollover | |||
| guidance. One could apply a label to all keys where the | guidance. One could apply a label to all keys where the | |||
| classification fits. If there are multiple "Current" keys, then in | classification fits. If there are multiple "Current" keys, then in | |||
| this example, they might be differentiated either by having different | this example, they might be differentiated either by having different | |||
| "alg" or "use" values, or some combination of both. As one example, | "kty" or "use" values, or some combination of both. As one example, | |||
| there might only be one current RSA signing key and one current | there might only be one current RSA signing key and one current | |||
| Elliptic Curve signing key, but both would be "Current". | Elliptic Curve signing key, but both would be "Current". | |||
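Review bot: after the rename, the "kid" disambiguation text in Section 4.4 still lists only "kty" or "use" (twice), yet the new "alg" member of Section 4.3 is the sharper discriminator: two "Current" RSA keys can share "kty" and "use" and differ only in "alg". Suggest "such as the "kty", "use" or "alg" values" in both places, plus a statement that a match on "kid" alone MUST NOT override a conflicting "use" or "alg" on the key that was selected.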
| 5. JSON Web Key Set (JWK Set) Format | 5. JSON Web Key Set (JWK Set) Format | |||
| A JSON Web Key Set (JWK Set) is a JSON object that contains an array | A JSON Web Key Set (JWK Set) is a JSON object that contains an array | |||
| of JSON Web Key values as the value of its "keys" member. | of JSON Web Key values as the value of its "keys" member. | |||
| The member names within a JWK Set MUST be unique; objects with | The member names within a JWK Set MUST be unique; objects with | |||
| duplicate member names MUST be rejected. | duplicate member names MUST be rejected. | |||
| Additional members MAY be present in the JWK Set. If present, they | Additional members MAY be present in the JWK Set. If present, they | |||
| MUST be understood by implementations using them. Parameters for | MUST be understood by implementations using them. Parameters for | |||
| representing additional properties of JWK Sets SHOULD either be | representing additional properties of JWK Sets SHOULD either be | |||
| registered in the IANA JSON Web Key Set Parameters registry | registered in the IANA JSON Web Key Set Parameters registry | |||
| Section 6.2 or be a URI that contains a Collision Resistant | Section 7.2 or be a value that contains a Collision Resistant | |||
| Namespace. | Namespace. | |||
| 5.1. "keys" (JSON Web Key Set) Parameter | 5.1. "keys" (JSON Web Key Set) Parameter | |||
| The value of the "keys" (JSON Web Key Set) member is an array of JSON | The value of the "keys" (JSON Web Key Set) member is an array of JSON | |||
| Web Key (JWK) values. This member is REQUIRED. | Web Key (JWK) values. Use of this member is REQUIRED. | |||
| 6. IANA Considerations | 6. String Comparison Rules | |||
| Processing a JWK inevitably requires comparing known strings to | ||||
| values in JSON objects. For example, in checking what the key type | ||||
| is, the Unicode string encoding "kty" will be checked against the | ||||
| member names in the JWK to see if there is a matching name. | ||||
| Comparisons between JSON strings and other Unicode strings MUST be | ||||
| performed by comparing Unicode code points without normalization as | ||||
| specified in the String Comparison Rules in Section 5.3 of [JWS]. | ||||
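The parser and key-selection logic below is an added example, not text from either draft and not code from the JOSE working group. It consumes the Section 3 JWK Set of draft-08 verbatim and enforces the rules of Sections 4, 5 and 6 of the new draft: duplicate member names are rejected, "kty" and "keys" are REQUIRED, strings are compared by Unicode code point without normalization or case folding, and a non-unique "kid" is narrowed by "kty", "use" and "alg". The P-256 on-curve check and the RSA modulus size are sanity checks this editor added; the draft does not require them. All function names are this example's own.

```python
"""Added example (not from either draft): a strict JWK Set consumer for draft-08.
Rejects duplicate members (Sections 4, 5), requires "kty" and "keys" (4.1, 5.1),
compares strings by code point (Section 6), disambiguates a non-unique "kid"
with "kty"/"use"/"alg" (4.4), and sanity-checks the key material."""
import base64
import json

# Constructed input: the JWK Set of Section 3 (draft-08) with the draft's own
# example key material; the wrapped "n" value is joined back into one line.
EXAMPLE_JWK_SET = '''{"keys":
 [
  {"kty":"EC",
   "crv":"P-256",
   "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "use":"enc",
   "kid":"1"},
  {"kty":"RSA",
   "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e":"AQAB",
   "alg":"RS256",
   "kid":"2011-04-29"}
 ]
}'''

# NIST P-256 field prime and constant b (a = -3): enough to test whether a
# candidate public point satisfies y^2 = x^3 - 3x + b (mod p).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def b64url_decode(value: str) -> bytes:
    """Base64url without padding (Section 2): no '=' on the wire, strict decode."""
    if "=" in value:
        raise ValueError("base64url values carry no '=' padding")
    std = value.replace("-", "+").replace("_", "/")
    return base64.b64decode(std + "=" * (-len(value) % 4), validate=True)


def _reject_duplicates(pairs):
    """json object_pairs_hook: duplicate member names MUST be rejected."""
    obj = {}
    for name, val in pairs:
        if name in obj:
            raise ValueError(f"duplicate member name {name!r}")
        obj[name] = val
    return obj


def parse_jwk_set(text: str) -> list:
    """Return the JWK objects of a JWK Set, or raise ValueError."""
    jwk_set = json.loads(text, object_pairs_hook=_reject_duplicates)
    keys = jwk_set.get("keys") if isinstance(jwk_set, dict) else None
    if not isinstance(keys, list):
        raise ValueError('"keys" is REQUIRED and must be an array')
    for jwk in keys:
        if not isinstance(jwk, dict) or not isinstance(jwk.get("kty"), str):
            raise ValueError('each JWK needs a string "kty" member')
    return keys


def matching_keys(keys, kid, kty=None, use=None, alg=None):
    """Keys whose "kid" equals kid and whose kty/use/alg equal any given ones.
    Python str equality compares code points, with no normalization and no case
    folding, which is the Section 6 rule: "enc" does not match "ENC"."""
    wanted = {"kid": kid, "kty": kty, "use": use, "alg": alg}
    return [k for k in keys
            if all(v is None or k.get(m) == v for m, v in wanted.items())]


def select_key(keys, kid, **discriminators):
    """Exactly one key must match; ambiguity is an error, not a first hit."""
    found = matching_keys(keys, kid, **discriminators)
    if len(found) != 1:
        raise LookupError(f"{len(found)} keys match kid={kid!r} {discriminators}")
    return found[0]


def ec_point_on_p256(jwk) -> bool:
    """Invalid-curve guard: (x, y) must be a point on P-256, each coordinate a
    fixed-width 32-byte big-endian integer below the field prime."""
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if jwk.get("crv") != "P-256" or len(xb) != 32 or len(yb) != 32:
        return False
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def rsa_modulus_bits(jwk) -> int:
    """Bit length of the big-endian RSA modulus "n"."""
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


def rejects(text: str) -> bool:
    """True when parse_jwk_set refuses text (exercises the MUST-reject cases)."""
    try:
        parse_jwk_set(text)
    except ValueError:
        return True
    return False
```

Calling `select_key(keys, "2011-04-29", alg="RS256")` returns the RSA key, `select_key(keys, "1", kty="EC", use="enc")` the EC key, and `matching_keys(keys, "1", use="ENC")` is empty because the comparison is case sensitive. The duplicate check runs on every JSON object the parser builds, so a repeated "kty" inside one JWK and a repeated "keys" at the top level are both refused before any key material is looked at.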
| 7. IANA Considerations | ||||
| The following registration procedure is used for all the registries | The following registration procedure is used for all the registries | |||
| established by this specification. | established by this specification. | |||
| Values are registered with a Specification Required [RFC5226] after a | Values are registered with a Specification Required [RFC5226] after a | |||
| two-week review period on the [TBD]@ietf.org mailing list, on the | two-week review period on the [TBD]@ietf.org mailing list, on the | |||
| advice of one or more Designated Experts. However, to allow for the | advice of one or more Designated Experts. However, to allow for the | |||
| allocation of values prior to publication, the Designated Expert(s) | allocation of values prior to publication, the Designated Expert(s) | |||
| may approve registration once they are satisfied that such a | may approve registration once they are satisfied that such a | |||
| specification will be published. | specification will be published. | |||
| skipping to change at page 7, line 21 ¶ | skipping to change at page 7, line 44 ¶ | |||
| Within the review period, the Designated Expert(s) will either | Within the review period, the Designated Expert(s) will either | |||
| approve or deny the registration request, communicating this decision | approve or deny the registration request, communicating this decision | |||
| to the review list and IANA. Denials should include an explanation | to the review list and IANA. Denials should include an explanation | |||
| and, if applicable, suggestions as to how to make the request | and, if applicable, suggestions as to how to make the request | |||
| successful. | successful. | |||
| IANA must only accept registry updates from the Designated Expert(s) | IANA must only accept registry updates from the Designated Expert(s) | |||
| and should direct all requests for registration to the review mailing | and should direct all requests for registration to the review mailing | |||
| list. | list. | |||
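Review bot: the review mailing list is still "[TBD]@ietf.org" in both drafts, so the registration procedure cannot be actioned as written; the list name needs to be filled in before the IANA section is final.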
| 6.1. JSON Web Key Parameters Registry | 7.1. JSON Web Key Parameters Registry | |||
| This specification establishes the IANA JSON Web Key Parameters | This specification establishes the IANA JSON Web Key Parameters | |||
| registry for reserved JWK parameter names. The registry records the | registry for reserved JWK parameter names. The registry records the | |||
| reserved parameter name and a reference to the specification that | reserved parameter name and a reference to the specification that | |||
| defines it. This specification registers the parameter names defined | defines it. This specification registers the parameter names defined | |||
| in Section 4. The same JWK parameter name may be registered multiple | in Section 4. The same JWK parameter name may be registered multiple | |||
| times, provided that duplicate parameter registrations are only for | times, provided that duplicate parameter registrations are only for | |||
| algorithm-specific JWK parameters; in this case, the meaning of the | algorithm-specific JWK parameters; in this case, the meaning of the | |||
| duplicate parameter name is disambiguated by the "alg" value of the | duplicate parameter name is disambiguated by the "kty" value of the | |||
| JWK containing it. | JWK containing it. | |||
| 6.1.1. Registration Template | 7.1.1. Registration Template | |||
| Parameter Name: | Parameter Name: | |||
| The name requested (e.g., "example"). This name is case | The name requested (e.g., "example"). This name is case | |||
| sensitive. Names that match other registered names in a case | sensitive. Names that match other registered names in a case | |||
| insensitive manner SHOULD NOT be accepted. | insensitive manner SHOULD NOT be accepted. | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, state "IETF". For others, give the name | For Standards Track RFCs, state "IETF". For others, give the name | |||
| of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||
| email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||
| Specification Document(s): | Specification Document(s): | |||
| Reference to the document(s) that specify the parameter, | Reference to the document(s) that specify the parameter, | |||
| preferably including URI(s) that can be used to retrieve copies of | preferably including URI(s) that can be used to retrieve copies of | |||
| the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||
| be included but is not required. | be included but is not required. | |||
| 6.1.2. Initial Registry Contents | 7.1.2. Initial Registry Contents | |||
| o Parameter Name: "alg" | o Parameter Name: "kty" | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Specification Document(s): Section 4.1 of [[ this document ]] | o Specification Document(s): Section 4.1 of [[ this document ]] | |||
| o Parameter Name: "use" | o Parameter Name: "use" | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Specification Document(s): Section 4.2 of [[ this document ]] | o Specification Document(s): Section 4.2 of [[ this document ]] | |||
| o Parameter Name: "kid" | o Parameter Name: "alg" | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Specification Document(s): Section 4.3 of [[ this document ]] | o Specification Document(s): Section 4.3 of [[ this document ]] | |||
| 6.2. JSON Web Key Set Parameters Registry | o Parameter Name: "kid" | |||
| o Change Controller: IETF | ||||
| o Specification Document(s): Section 4.4 of [[ this document ]] | ||||
| 7.2. JSON Web Key Set Parameters Registry | ||||
| This specification establishes the IANA JSON Web Key Set Parameters | This specification establishes the IANA JSON Web Key Set Parameters | |||
| registry for reserved JWK Set parameter names. The registry records | registry for reserved JWK Set parameter names. The registry records | |||
| the reserved parameter name and a reference to the specification that | the reserved parameter name and a reference to the specification that | |||
| defines it. This specification registers the parameter names defined | defines it. This specification registers the parameter names defined | |||
| in Section 5. | in Section 5. | |||
| 6.2.1. Registration Template | 7.2.1. Registration Template | |||
| Parameter Name: | Parameter Name: | |||
| The name requested (e.g., "example"). This name is case | The name requested (e.g., "example"). This name is case | |||
| sensitive. Names that match other registered names in a case | sensitive. Names that match other registered names in a case | |||
| insensitive manner SHOULD NOT be accepted. | insensitive manner SHOULD NOT be accepted. | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, state "IETF". For others, give the name | For Standards Track RFCs, state "IETF". For others, give the name | |||
| of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||
| email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||
| Specification Document(s): | Specification Document(s): | |||
| Reference to the document(s) that specify the parameter, | Reference to the document(s) that specify the parameter, | |||
| preferably including URI(s) that can be used to retrieve copies of | preferably including URI(s) that can be used to retrieve copies of | |||
| the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||
| be included but is not required. | be included but is not required. | |||
| 6.2.2. Initial Registry Contents | 7.2.2. Initial Registry Contents | |||
| o Parameter Name: "keys" | o Parameter Name: "keys" | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Specification Document(s): Section 5.1 of [[ this document ]] | o Specification Document(s): Section 5.1 of [[ this document ]] | |||
| 7. Security Considerations | 8. Security Considerations | |||
| All of the security issues faced by any cryptographic application | All of the security issues faced by any cryptographic application | |||
| must be faced by a JWS/JWE/JWK agent. Among these issues are | must be faced by a JWS/JWE/JWK agent. Among these issues are | |||
| protecting the user's private key, preventing various attacks, and | protecting the user's private and symmetric keys, preventing various | |||
| helping the user avoid mistakes such as inadvertently encrypting a | attacks, and helping the user avoid mistakes such as inadvertently | |||
| message for the wrong recipient. The entire list of security | encrypting a message for the wrong recipient. The entire list of | |||
| considerations is beyond the scope of this document, but some | security considerations is beyond the scope of this document. | |||
| significant concerns are listed here. | ||||
| A key is no more trustworthy than the method by which it was | A key is no more trustworthy than the method by which it was | |||
| received. | received. | |||
| Per Section 4.3, applications should not assume that "kid" values are | Per Section 4.4, applications should not assume that "kid" values are | |||
| unique within a JWK Set. | unique within a JWK Set. | |||
| The security considerations in XML DSIG 2.0 | The security considerations in XML DSIG 2.0 | |||
| [W3C.CR-xmldsig-core2-20120124], about public key representations | [W3C.CR-xmldsig-core2-20120124], about public key representations | |||
| also apply to this specification, other than those that are XML | also apply to this specification, other than those that are XML | |||
| specific. | specific. | |||
| 8. References | 9. References | |||
| 9.1. Normative References | ||||
| 8.1. Normative References | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | ||||
| December 2012. | ||||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", November 2012. | [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | |||
| Encryption (JWE)", draft-ietf-jose-json-web-encryption | ||||
| (work in progress), December 2012. | ||||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | ||||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | ||||
| in progress), December 2012. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4627] Crockford, D., "The application/json Media Type for | [RFC4627] Crockford, D., "The application/json Media Type for | |||
| JavaScript Object Notation (JSON)", RFC 4627, July 2006. | JavaScript Object Notation (JSON)", RFC 4627, July 2006. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, October 2006. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| May 2008. | May 2008. | |||
| [W3C.CR-xmldsig-core2-20120124] | [W3C.CR-xmldsig-core2-20120124] | |||
| Reagle, J., Solo, D., Datta, P., Hirsch, F., Eastlake, D., | Yiu, K., Solo, D., Eastlake, D., Datta, P., Hirsch, F., | |||
| Cantor, S., Roessler, T., and K. Yiu, "XML Signature | Reagle, J., Cantor, S., and T. Roessler, "XML Signature | |||
| Syntax and Processing Version 2.0", World Wide Web | Syntax and Processing Version 2.0", World Wide Web | |||
| Consortium CR CR-xmldsig-core2-20120124, January 2012, | Consortium CR CR-xmldsig-core2-20120124, January 2012, | |||
| <http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>. | <http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>. | |||
| 8.2. Informative References | 9.2. Informative References | |||
| [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | ||||
| Encryption (JWE)", November 2012. | ||||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JPSK] Jones, M., "JSON Private and Symmetric Key", | |||
| Signature (JWS)", November 2012. | draft-ietf-jose-json-private-and-symmetric-key (work in | |||
| progress), December 2012. | ||||
| [MagicSignatures] | [MagicSignatures] | |||
| Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic | Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic | |||
| Signatures", January 2011. | Signatures", January 2011. | |||
| [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | |||
| Unique IDentifier (UUID) URN Namespace", RFC 4122, | Unique IDentifier (UUID) URN Namespace", RFC 4122, | |||
| July 2005. | July 2005. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| A JSON representation for RSA public keys was previously introduced | A JSON representation for RSA public keys was previously introduced | |||
| by John Panzer, Ben Laurie, and Dirk Balfanz in Magic Signatures | by John Panzer, Ben Laurie, and Dirk Balfanz in Magic Signatures | |||
| [MagicSignatures]. | [MagicSignatures]. | |||
| This specification is the work of the JOSE Working Group, which | ||||
| includes dozens of active and dedicated participants. In particular, | ||||
| the following individuals contributed ideas, feedback, and wording | ||||
| that influenced this specification: | ||||
| Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Breno de | ||||
| Medeiros, Joe Hildebrand, Edmund Jay, Ben Laurie, James Manger, Tony | ||||
| Nadalin, Axel Nennker, John Panzer, Eric Rescorla, Nat Sakimura, Jim | ||||
| Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. | ||||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner and Stephen Farrell served as Security area directors | Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix B. Open Issues | Appendix B. Open Issues | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| The following items remain to be considered or done in this draft: | The following items remain to be considered or done in this draft: | |||
| o No known open issues. | o No known open issues. | |||
| Appendix C. Document History | Appendix C. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| -07 | -08 | |||
| o Changed the name of the JWK key type parameter from "alg" to "kty" | ||||
| to enable use of "alg" to indicate the particular algorithm that | ||||
| the key is intended to be used with. | ||||
| o Clarified statements of the form "This member is OPTIONAL" to "Use | ||||
| of this member is OPTIONAL". | ||||
| o Referenced String Comparison Rules in JWS. | ||||
| o Added seriesInfo information to Internet Draft references. | ||||
| -07 | ||||
| o Changed the name of the JWK RSA modulus parameter from "mod" to | o Changed the name of the JWK RSA modulus parameter from "mod" to | |||
| "n" and the name of the JWK RSA exponent parameter from "xpo" to | "n" and the name of the JWK RSA exponent parameter from "xpo" to | |||
| "e", so that the identifiers are the same as those used in RFC | "e", so that the identifiers are the same as those used in RFC | |||
| 3447. | 3447. | |||
| -06 | -06 | |||
| o Changed the name of the JWK RSA exponent parameter from "exp" to | o Changed the name of the JWK RSA exponent parameter from "exp" to | |||
| "xpo" so as to allow the potential use of the name "exp" for a | "xpo" so as to allow the potential use of the name "exp" for a | |||
| future extension that might define an expiration parameter for | future extension that might define an expiration parameter for | |||
| End of changes. 47 change blocks. | ||||
| 80 lines changed or deleted | 139 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
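The Security Considerations section above (both the -07 and -08 text) warns that applications should not assume "kid" values are unique within a JWK Set. The following is an added worked example, not text or code from the JWK draft or the JOSE working group, showing what that means for a verifier: it parses a JWK Set, decodes the RSA "n" and "e" members from unpadded base64url, and then contrasts a lookup that trusts the first key carrying a given "kid" with one that tries every candidate. The member names "keys", "kid", "kty", "n" and "e" are the draft's; the "kty" value "RSA" is taken from the companion JWA draft; the "kid" value "2012-12", the two toy RSA keys (tiny primes, textbook RSA with no padding or hashing) and the message are constructed here so the code runs offline with only the Python standard library and must not be read as real key material.

```python
"""Added example for the JWK Security Considerations: handling non-unique "kid".

Not from the JWK draft.  Member names follow the draft; "kty": "RSA" is from
the JWA draft.  The RSA keys below are constructed toy keys (tiny primes,
textbook RSA) and are insecure; they exist only so the key-selection logic
can be exercised end to end without a third-party library.
"""
import base64
import json
from typing import Dict, List, Optional, Tuple


def b64url_decode(data: str) -> bytes:
    """Decode base64url (RFC 4648 section 5) as used in JWK: no '=' padding."""
    if "=" in data:
        raise ValueError("JWK base64url values carry no padding")
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def int_to_b64url(value: int) -> str:
    """Big-endian unsigned integer, base64url-encoded without padding."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def uint_from_b64url(data: str) -> int:
    return int.from_bytes(b64url_decode(data), "big")


def parse_jwk_set(text: str) -> List[Dict]:
    """Return the "keys" array of a JWK Set after basic structural checks."""
    doc = json.loads(text)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError('a JWK Set must carry a "keys" array')
    for jwk in keys:
        if not isinstance(jwk, dict) or "kty" not in jwk:
            raise ValueError('every JWK must be an object with a "kty" member')
        if jwk["kty"] == "RSA" and not all(p in jwk for p in ("n", "e")):
            raise ValueError('an RSA JWK must carry "n" and "e"')
    return keys


def keys_for_kid(keys: List[Dict], kid: str, kty: Optional[str] = None) -> List[Dict]:
    """Every key whose "kid" equals kid (exact, case-sensitive comparison).

    The draft does not make "kid" unique within a set, so this returns a
    list; a verifier must try each candidate instead of taking the first.
    """
    return [k for k in keys
            if k.get("kid") == kid and (kty is None or k.get("kty") == kty)]


def rsa_public_numbers(jwk: Dict) -> Tuple[int, int]:
    return uint_from_b64url(jwk["n"]), uint_from_b64url(jwk["e"])


# --- toy RSA (constructed, insecure) so key selection can be demonstrated ---

def toy_rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[int, int, int]:
    """(n, e, d) from two tiny primes.  Illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def toy_sign(msg: int, n: int, d: int) -> int:
    return pow(msg, d, n)          # textbook RSA: no padding, no hashing


def toy_verify(msg: int, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == msg


# Constructed JWK Set: two distinct RSA keys that deliberately share a "kid".
KEY_A = toy_rsa_keypair(61, 53)     # n = 3233
KEY_B = toy_rsa_keypair(101, 113)   # n = 11413
JWK_SET_JSON = json.dumps({"keys": [
    {"kty": "RSA", "kid": "2012-12",
     "n": int_to_b64url(KEY_A[0]), "e": int_to_b64url(KEY_A[1])},
    {"kty": "RSA", "kid": "2012-12",
     "n": int_to_b64url(KEY_B[0]), "e": int_to_b64url(KEY_B[1])},
]})


def verify_first_match(jwk_set_json: str, kid: str, msg: int, sig: int) -> bool:
    """The mistake the draft warns against: assume "kid" selects one key."""
    candidates = keys_for_kid(parse_jwk_set(jwk_set_json), kid, "RSA")
    n, e = rsa_public_numbers(candidates[0])
    return toy_verify(msg, sig, n, e)


def verify_any_candidate(jwk_set_json: str, kid: str, msg: int, sig: int) -> Optional[int]:
    """Try every key carrying the kid; return the index of the key that
    verified, or None (which the caller must treat as a failed signature)."""
    candidates = keys_for_kid(parse_jwk_set(jwk_set_json), kid, "RSA")
    for idx, jwk in enumerate(candidates):
        n, e = rsa_public_numbers(jwk)
        if toy_verify(msg, sig, n, e):
            return idx
    return None


if __name__ == "__main__":
    msg = 5000                               # stands in for a padded digest
    sig = toy_sign(msg, KEY_B[0], KEY_B[2])  # signed with the second key
    print("first match only:", verify_first_match(JWK_SET_JSON, "2012-12", msg, sig))
    print("any candidate   :", verify_any_candidate(JWK_SET_JSON, "2012-12", msg, sig))
```

Because the signature was produced by the second key, a verifier that stops at the first "kid" match rejects a valid signature; one that tries every candidate accepts it and reports which key verified. Restricting candidates by "kty" (and, in a real deployment, by the algorithm the key is intended for) keeps the candidate list short, but the draft's point stands: "kid" is a hint, not a guarantee of a single key, and the set itself is only as trustworthy as the channel it arrived over.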