| < draft-ietf-jose-json-web-key-23.txt | draft-ietf-jose-json-web-key-24.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track March 3, 2014 | Intended status: Standards Track March 18, 2014 | |||
| Expires: September 4, 2014 | Expires: September 19, 2014 | |||
| JSON Web Key (JWK) | JSON Web Key (JWK) | |||
| draft-ietf-jose-json-web-key-23 | draft-ietf-jose-json-web-key-24 | |||
| Abstract | Abstract | |||
| A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data | |||
| structure that represents a cryptographic key. This specification | structure that represents a cryptographic key. This specification | |||
| also defines a JSON Web Key Set (JWK Set) JSON data structure for | also defines a JSON Web Key Set (JWK Set) JSON data structure for | |||
| representing a set of JWKs. Cryptographic algorithms and identifiers | representing a set of JWKs. Cryptographic algorithms and identifiers | |||
| for use with this specification are described in the separate JSON | for use with this specification are described in the separate JSON | |||
| Web Algorithms (JWA) specification and IANA registries defined by | Web Algorithms (JWA) specification and IANA registries defined by | |||
| that specification. | that specification. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 4, 2014. | This Internet-Draft will expire on September 19, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 4, line 7 ¶ | skipping to change at page 4, line 7 ¶ | |||
| C.6. Initialization Vector . . . . . . . . . . . . . . . . . . 30 | C.6. Initialization Vector . . . . . . . . . . . . . . . . . . 30 | |||
| C.7. Additional Authenticated Data . . . . . . . . . . . . . . 31 | C.7. Additional Authenticated Data . . . . . . . . . . . . . . 31 | |||
| C.8. Content Encryption . . . . . . . . . . . . . . . . . . . . 31 | C.8. Content Encryption . . . . . . . . . . . . . . . . . . . . 31 | |||
| C.9. Complete Representation . . . . . . . . . . . . . . . . . 34 | C.9. Complete Representation . . . . . . . . . . . . . . . . . 34 | |||
| Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 35 | Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 35 | |||
| Appendix E. Document History . . . . . . . . . . . . . . . . . . 36 | Appendix E. Document History . . . . . . . . . . . . . . . . . . 36 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 41 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 1. Introduction | 1. Introduction | |||
| A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC7158] | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC7159] | |||
| data structure that represents a cryptographic key. This | data structure that represents a cryptographic key. This | |||
| specification also defines a JSON Web Key Set (JWK Set) JSON data | specification also defines a JSON Web Key Set (JWK Set) JSON data | |||
| structure for representing a set of JWKs. Cryptographic algorithms | structure for representing a set of JWKs. Cryptographic algorithms | |||
| and identifiers for use with this specification are described in the | and identifiers for use with this specification are described in the | |||
| separate JSON Web Algorithms (JWA) [JWA] specification and IANA | separate JSON Web Algorithms (JWA) [JWA] specification and IANA | |||
| registries defined by that specification. | registries defined by that specification. | |||
| Goals for this specification do not include representing certificate | Goals for this specification do not include representing certificate | |||
| chains, representing certified keys, and replacing X.509 | chains, representing certified keys, and replacing X.509 | |||
| certificates. | certificates. | |||
| skipping to change at page 20, line 6 ¶ | skipping to change at page 20, line 6 ¶ | |||
| International Telecommunications Union, "Information | International Telecommunications Union, "Information | |||
| Technology - ASN.1 encoding rules: Specification of Basic | Technology - ASN.1 encoding rules: Specification of Basic | |||
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | Distinguished Encoding Rules (DER)", ITU-T Recommendation | |||
| X.690, 1994. | X.690, 1994. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| March 2014. | March 2014. | |||
| [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | |||
| Encryption (JWE)", draft-ietf-jose-json-web-encryption | draft-ietf-jose-json-web-encryption (work in progress), | |||
| (work in progress), March 2014. | March 2014. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), March 2014. | in progress), March 2014. | |||
| [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic | [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic | |||
| Mail: Part I: Message Encryption and Authentication | Mail: Part I: Message Encryption and Authentication | |||
| Procedures", RFC 1421, February 1993. | Procedures", RFC 1421, February 1993. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| skipping to change at page 20, line 45 ¶ | skipping to change at page 20, line 45 ¶ | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, October 2006. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC7158] Bray, T., "The JavaScript Object Notation (JSON) Data | [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", RFC 7158, March 2014. | Interchange Format", RFC 7159, March 2014. | |||
| [USASCII] American National Standards Institute, "Coded Character | [USASCII] American National Standards Institute, "Coded Character | |||
| Set -- 7-bit American Standard Code for Information | Set -- 7-bit American Standard Code for Information | |||
| Interchange", ANSI X3.4, 1986. | Interchange", ANSI X3.4, 1986. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [MagicSignatures] | [MagicSignatures] | |||
| Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic | Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic | |||
| Signatures", January 2011. | Signatures", January 2011. | |||
| skipping to change at page 33, line 46 ¶ | skipping to change at page 33, line 46 ¶ | |||
| 56, 183, 165, 17, 85, 76, 238, 140, 211, 168, 53, 223, 194, 4, 97, | 56, 183, 165, 17, 85, 76, 238, 140, 211, 168, 53, 223, 194, 4, 97, | |||
| 149, 156, 120, 137, 76, 33, 229, 243, 194, 208, 198, 202, 139, 28, | 149, 156, 120, 137, 76, 33, 229, 243, 194, 208, 198, 202, 139, 28, | |||
| 114, 46, 224, 92, 254, 83, 100, 134, 158, 92, 70, 78, 61, 62, 138, | 114, 46, 224, 92, 254, 83, 100, 134, 158, 92, 70, 78, 61, 62, 138, | |||
| 24, 173, 216, 66, 198, 70, 254, 47, 59, 193, 53, 6, 139, 19, 153, | 24, 173, 216, 66, 198, 70, 254, 47, 59, 193, 53, 6, 139, 19, 153, | |||
| 253, 28, 199, 122, 160, 27, 67, 234, 209, 227, 139, 4, 50, 7, 178, | 253, 28, 199, 122, 160, 27, 67, 234, 209, 227, 139, 4, 50, 7, 178, | |||
| 183, 89, 252, 32, 128, 137, 55, 52, 29, 89, 12, 111, 42, 181, 51, | 183, 89, 252, 32, 128, 137, 55, 52, 29, 89, 12, 111, 42, 181, 51, | |||
| 170, 132, 132, 207, 170, 228, 254, 178, 213, 0, 136, 175, 8 ] | 170, 132, 132, 207, 170, 228, 254, 178, 213, 0, 136, 175, 8 ] | |||
| The resulting Authentication Tag value is: | The resulting Authentication Tag value is: | |||
| [ 125, 249, 143, 191, 240, 4, 204, 132, 62, 241, 113, 178, 91, 88, | [ 208, 113, 102, 132, 236, 236, 67, 223, 39, 53, 98, 99, 32, 121, 17, | |||
| 254, 19 ] | 236 ] | |||
| Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this | Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this | |||
| value: | value: | |||
| AwhB8lxrlKjFn02LGWEqg27H4Tg9fyZAbFv3p5ZicHpj64QyHC44qqlZ3JEmnZTgQo | AwhB8lxrlKjFn02LGWEqg27H4Tg9fyZAbFv3p5ZicHpj64QyHC44qqlZ3JEmnZTgQo | |||
| wIqZJ13jbyHB8LgePiqUJ1hf6M2HPLgzw8L-mEeQ0jvDUTrE07NtOerBk8bwBQyZ6g | wIqZJ13jbyHB8LgePiqUJ1hf6M2HPLgzw8L-mEeQ0jvDUTrE07NtOerBk8bwBQyZ6g | |||
| 0kQ3DEOIglfYxV8-FJvNBYwbqN1Bck6d_i7OtjSHV-8DIrp-3JcRIe05YKy3Oi34Z_ | 0kQ3DEOIglfYxV8-FJvNBYwbqN1Bck6d_i7OtjSHV-8DIrp-3JcRIe05YKy3Oi34Z_ | |||
| GOiAc1EK21B11c_AE11PII_wvvtRiUiG8YofQXakWd1_O98Kap-UgmyWPfreUJ3lJP | GOiAc1EK21B11c_AE11PII_wvvtRiUiG8YofQXakWd1_O98Kap-UgmyWPfreUJ3lJP | |||
| nbD4Ve95owEfMGLOPflo2MnjaTDCwQokoJ_xplQ2vNPz8iguLcHBoKllyQFJL2mOWB | nbD4Ve95owEfMGLOPflo2MnjaTDCwQokoJ_xplQ2vNPz8iguLcHBoKllyQFJL2mOWB | |||
| wqhBo9Oj-O800as5mmLsvQMTflIrIEbbTMzHMBZ8EFW9fWwwFu0DWQJGkMNhmBZQ-3 | wqhBo9Oj-O800as5mmLsvQMTflIrIEbbTMzHMBZ8EFW9fWwwFu0DWQJGkMNhmBZQ-3 | |||
| skipping to change at page 34, line 43 ¶ | skipping to change at page 34, line 43 ¶ | |||
| H00BV_Er7zd6VtIw0MxwkFCTatsv_R-GsBCH218RgVPsfYhwVuT8R4HarpzsDBufC4 | H00BV_Er7zd6VtIw0MxwkFCTatsv_R-GsBCH218RgVPsfYhwVuT8R4HarpzsDBufC4 | |||
| r8_c8fc9Z278sQ081jFjOja6L2x0N_ImzFNXU6xwO-Ska-QeuvYZ3X_L31ZOX4Llp- | r8_c8fc9Z278sQ081jFjOja6L2x0N_ImzFNXU6xwO-Ska-QeuvYZ3X_L31ZOX4Llp- | |||
| 7QSfgDoHnOxFv1Xws-D5mDHD3zxOup2b2TppdKTZb9eW2vxUVviM8OI9atBfPKMGAO | 7QSfgDoHnOxFv1Xws-D5mDHD3zxOup2b2TppdKTZb9eW2vxUVviM8OI9atBfPKMGAO | |||
| v9omA-6vv5IxUH0-lWMiHLQ_g8vnswp-Jav0c4t6URVUzujNOoNd_CBGGVnHiJTCHl | v9omA-6vv5IxUH0-lWMiHLQ_g8vnswp-Jav0c4t6URVUzujNOoNd_CBGGVnHiJTCHl | |||
| 88LQxsqLHHIu4Fz-U2SGnlxGTj0-ihit2ELGRv4vO8E1BosTmf0cx3qgG0Pq0eOLBD | 88LQxsqLHHIu4Fz-U2SGnlxGTj0-ihit2ELGRv4vO8E1BosTmf0cx3qgG0Pq0eOLBD | |||
| IHsrdZ_CCAiTc0HVkMbyq1M6qEhM-q5P6y1QCIrwg | IHsrdZ_CCAiTc0HVkMbyq1M6qEhM-q5P6y1QCIrwg | |||
| Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication | Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication | |||
| Tag) gives this value: | Tag) gives this value: | |||
| ffmPv_AEzIQ-8XGyW1j-Ew | 0HFmhOzsQ98nNWJjIHkR7A | |||
| C.9. Complete Representation | C.9. Complete Representation | |||
| Assemble the final representation: The Compact Serialization of this | Assemble the final representation: The Compact Serialization of this | |||
| result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' || | result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' || | |||
| BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization | BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization | |||
| Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE | Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE | |||
| Authentication Tag). | Authentication Tag). | |||
| The final result in this example is: | The final result in this example is: | |||
| skipping to change at page 35, line 46 ¶ | skipping to change at page 35, line 46 ¶ | |||
| Cz-Ww1MGhvIpGGnMBT_ADp9xSIyAM9dQ1yeVXk-AIgWBUlN5uyWSGyCxp0cJwx7HxM | Cz-Ww1MGhvIpGGnMBT_ADp9xSIyAM9dQ1yeVXk-AIgWBUlN5uyWSGyCxp0cJwx7HxM | |||
| 38z0UIeBu-MytL-eqndM7LxytsVzCbjOTSVRmhYEMIzUAnS1gs7uMQAGRdgRIElTJE | 38z0UIeBu-MytL-eqndM7LxytsVzCbjOTSVRmhYEMIzUAnS1gs7uMQAGRdgRIElTJE | |||
| SGMjb_4bZq9s6Ve1LKkSi0_QDsrABaLe55UY0zF4ZSfOV5PMyPtocwV_dcNPlxLgNA | SGMjb_4bZq9s6Ve1LKkSi0_QDsrABaLe55UY0zF4ZSfOV5PMyPtocwV_dcNPlxLgNA | |||
| D1BFX_Z9kAdMZQW6fAmsfFle0zAoMe4l9pMESH0JB4sJGdCKtQXj1cXNydDYozF7l8 | D1BFX_Z9kAdMZQW6fAmsfFle0zAoMe4l9pMESH0JB4sJGdCKtQXj1cXNydDYozF7l8 | |||
| H00BV_Er7zd6VtIw0MxwkFCTatsv_R-GsBCH218RgVPsfYhwVuT8R4HarpzsDBufC4 | H00BV_Er7zd6VtIw0MxwkFCTatsv_R-GsBCH218RgVPsfYhwVuT8R4HarpzsDBufC4 | |||
| r8_c8fc9Z278sQ081jFjOja6L2x0N_ImzFNXU6xwO-Ska-QeuvYZ3X_L31ZOX4Llp- | r8_c8fc9Z278sQ081jFjOja6L2x0N_ImzFNXU6xwO-Ska-QeuvYZ3X_L31ZOX4Llp- | |||
| 7QSfgDoHnOxFv1Xws-D5mDHD3zxOup2b2TppdKTZb9eW2vxUVviM8OI9atBfPKMGAO | 7QSfgDoHnOxFv1Xws-D5mDHD3zxOup2b2TppdKTZb9eW2vxUVviM8OI9atBfPKMGAO | |||
| v9omA-6vv5IxUH0-lWMiHLQ_g8vnswp-Jav0c4t6URVUzujNOoNd_CBGGVnHiJTCHl | v9omA-6vv5IxUH0-lWMiHLQ_g8vnswp-Jav0c4t6URVUzujNOoNd_CBGGVnHiJTCHl | |||
| 88LQxsqLHHIu4Fz-U2SGnlxGTj0-ihit2ELGRv4vO8E1BosTmf0cx3qgG0Pq0eOLBD | 88LQxsqLHHIu4Fz-U2SGnlxGTj0-ihit2ELGRv4vO8E1BosTmf0cx3qgG0Pq0eOLBD | |||
| IHsrdZ_CCAiTc0HVkMbyq1M6qEhM-q5P6y1QCIrwg. | IHsrdZ_CCAiTc0HVkMbyq1M6qEhM-q5P6y1QCIrwg. | |||
| ffmPv_AEzIQ-8XGyW1j-Ew | 0HFmhOzsQ98nNWJjIHkR7A | |||
| Appendix D. Acknowledgements | Appendix D. Acknowledgements | |||
| A JSON representation for RSA public keys was previously introduced | A JSON representation for RSA public keys was previously introduced | |||
| by John Panzer, Ben Laurie, and Dirk Balfanz in Magic Signatures | by John Panzer, Ben Laurie, and Dirk Balfanz in Magic Signatures | |||
| [MagicSignatures]. | [MagicSignatures]. | |||
| Thanks to Matt Miller for creating the encrypted key example and to | ||||
| Edmund Jay and Brian Campbell for validating the example. | ||||
| This specification is the work of the JOSE Working Group, which | This specification is the work of the JOSE Working Group, which | |||
| includes dozens of active and dedicated participants. In particular, | includes dozens of active and dedicated participants. In particular, | |||
| the following individuals contributed ideas, feedback, and wording | the following individuals contributed ideas, feedback, and wording | |||
| that influenced this specification: | that influenced this specification: | |||
| Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Breno de | Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Breno de | |||
| Medeiros, Joe Hildebrand, Edmund Jay, Ben Laurie, James Manger, Matt | Medeiros, Joe Hildebrand, Edmund Jay, Ben Laurie, James Manger, Matt | |||
| Miller, Tony Nadalin, Axel Nennker, John Panzer, Eric Rescorla, Nat | Miller, Tony Nadalin, Axel Nennker, John Panzer, Eric Rescorla, Nat | |||
| Sakimura, Jim Schaad, Paul Tarjan, Hannes Tschofenig, and Sean | Sakimura, Jim Schaad, Paul Tarjan, Hannes Tschofenig, and Sean | |||
| Turner. | Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner and Stephen Farrell served as Security area directors | Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix E. Document History | Appendix E. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -24 | ||||
| o Corrected the authentication tag value in the encrypted key | ||||
| example. | ||||
| o Updated the JSON reference to RFC 7159. | ||||
| -23 | -23 | |||
| o No changes were made, other than to the version number and date. | o No changes were made, other than to the version number and date. | |||
| -22 | -22 | |||
| o Corrected RFC 2119 terminology usage. | o Corrected RFC 2119 terminology usage. | |||
| o Replaced references to draft-ietf-json-rfc4627bis with RFC 7158. | o Replaced references to draft-ietf-json-rfc4627bis with RFC 7158. | |||
| End of changes. 11 change blocks. | ||||
| 14 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||