| < draft-ietf-jose-json-web-key-34.txt | draft-ietf-jose-json-web-key-35.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track October 14, 2014 | Intended status: Standards Track October 17, 2014 | |||
| Expires: April 17, 2015 | Expires: April 20, 2015 | |||
| JSON Web Key (JWK) | JSON Web Key (JWK) | |||
| draft-ietf-jose-json-web-key-34 | draft-ietf-jose-json-web-key-35 | |||
| Abstract | Abstract | |||
| A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data | |||
| structure that represents a cryptographic key. This specification | structure that represents a cryptographic key. This specification | |||
| also defines a JSON Web Key Set (JWK Set) JSON data structure that | also defines a JSON Web Key Set (JWK Set) JSON data structure that | |||
| represents a set of JWKs. Cryptographic algorithms and identifiers | represents a set of JWKs. Cryptographic algorithms and identifiers | |||
| for use with this specification are described in the separate JSON | for use with this specification are described in the separate JSON | |||
| Web Algorithms (JWA) specification and IANA registries defined by | Web Algorithms (JWA) specification and IANA registries defined by | |||
| that specification. | that specification. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 17, 2015. | This Internet-Draft will expire on April 20, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 23 ¶ | |||
| 4. JSON Web Key (JWK) Format . . . . . . . . . . . . . . . . . . 5 | 4. JSON Web Key (JWK) Format . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. "kty" (Key Type) Parameter . . . . . . . . . . . . . . . . 6 | 4.1. "kty" (Key Type) Parameter . . . . . . . . . . . . . . . . 6 | |||
| 4.2. "use" (Public Key Use) Parameter . . . . . . . . . . . . . 6 | 4.2. "use" (Public Key Use) Parameter . . . . . . . . . . . . . 6 | |||
| 4.3. "key_ops" (Key Operations) Parameter . . . . . . . . . . . 7 | 4.3. "key_ops" (Key Operations) Parameter . . . . . . . . . . . 7 | |||
| 4.4. "alg" (Algorithm) Parameter . . . . . . . . . . . . . . . 8 | 4.4. "alg" (Algorithm) Parameter . . . . . . . . . . . . . . . 8 | |||
| 4.5. "kid" (Key ID) Parameter . . . . . . . . . . . . . . . . . 8 | 4.5. "kid" (Key ID) Parameter . . . . . . . . . . . . . . . . . 8 | |||
| 4.6. "x5u" (X.509 URL) Parameter . . . . . . . . . . . . . . . 8 | 4.6. "x5u" (X.509 URL) Parameter . . . . . . . . . . . . . . . 8 | |||
| 4.7. "x5c" (X.509 Certificate Chain) Parameter . . . . . . . . 9 | 4.7. "x5c" (X.509 Certificate Chain) Parameter . . . . . . . . 9 | |||
| 4.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter . . . 9 | 4.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter . . . 9 | |||
| 4.9. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | 4.9. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) | |||
| Parameter . . . . . . . . . . . . . . . . . . . . . . . . 9 | Parameter . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. JSON Web Key Set (JWK Set) Format . . . . . . . . . . . . . . 10 | 5. JSON Web Key Set (JWK Set) Format . . . . . . . . . . . . . . 10 | |||
| 5.1. "keys" Parameter . . . . . . . . . . . . . . . . . . . . . 10 | 5.1. "keys" Parameter . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. String Comparison Rules . . . . . . . . . . . . . . . . . . . 10 | 6. String Comparison Rules . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Encrypted JWK and Encrypted JWK Set Formats . . . . . . . . . 11 | 7. Encrypted JWK and Encrypted JWK Set Formats . . . . . . . . . 11 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. JSON Web Key Parameters Registry . . . . . . . . . . . . . 12 | 8.1. JSON Web Key Parameters Registry . . . . . . . . . . . . . 13 | |||
| 8.1.1. Registration Template . . . . . . . . . . . . . . . . 13 | 8.1.1. Registration Template . . . . . . . . . . . . . . . . 13 | |||
| 8.1.2. Initial Registry Contents . . . . . . . . . . . . . . 14 | 8.1.2. Initial Registry Contents . . . . . . . . . . . . . . 14 | |||
| 8.2. JSON Web Key Use Registry . . . . . . . . . . . . . . . . 15 | 8.2. JSON Web Key Use Registry . . . . . . . . . . . . . . . . 15 | |||
| 8.2.1. Registration Template . . . . . . . . . . . . . . . . 15 | 8.2.1. Registration Template . . . . . . . . . . . . . . . . 15 | |||
| 8.2.2. Initial Registry Contents . . . . . . . . . . . . . . 16 | 8.2.2. Initial Registry Contents . . . . . . . . . . . . . . 16 | |||
| 8.3. JSON Web Key Operations Registry . . . . . . . . . . . . . 16 | 8.3. JSON Web Key Operations Registry . . . . . . . . . . . . . 16 | |||
| 8.3.1. Registration Template . . . . . . . . . . . . . . . . 16 | 8.3.1. Registration Template . . . . . . . . . . . . . . . . 16 | |||
| 8.3.2. Initial Registry Contents . . . . . . . . . . . . . . 17 | 8.3.2. Initial Registry Contents . . . . . . . . . . . . . . 17 | |||
| 8.4. JSON Web Key Set Parameters Registry . . . . . . . . . . . 18 | 8.4. JSON Web Key Set Parameters Registry . . . . . . . . . . . 18 | |||
| 8.4.1. Registration Template . . . . . . . . . . . . . . . . 18 | 8.4.1. Registration Template . . . . . . . . . . . . . . . . 18 | |||
| skipping to change at page 3, line 23 ¶ | skipping to change at page 3, line 23 ¶ | |||
| C.2. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . 31 | C.2. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| C.3. Content Encryption Key (CEK) . . . . . . . . . . . . . . . 31 | C.3. Content Encryption Key (CEK) . . . . . . . . . . . . . . . 31 | |||
| C.4. Key Derivation . . . . . . . . . . . . . . . . . . . . . . 32 | C.4. Key Derivation . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| C.5. Key Encryption . . . . . . . . . . . . . . . . . . . . . . 32 | C.5. Key Encryption . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| C.6. Initialization Vector . . . . . . . . . . . . . . . . . . 32 | C.6. Initialization Vector . . . . . . . . . . . . . . . . . . 32 | |||
| C.7. Additional Authenticated Data . . . . . . . . . . . . . . 33 | C.7. Additional Authenticated Data . . . . . . . . . . . . . . 33 | |||
| C.8. Content Encryption . . . . . . . . . . . . . . . . . . . . 33 | C.8. Content Encryption . . . . . . . . . . . . . . . . . . . . 33 | |||
| C.9. Complete Representation . . . . . . . . . . . . . . . . . 36 | C.9. Complete Representation . . . . . . . . . . . . . . . . . 36 | |||
| Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 37 | Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 37 | |||
| Appendix E. Document History . . . . . . . . . . . . . . . . . . 38 | Appendix E. Document History . . . . . . . . . . . . . . . . . . 38 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 44 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 1. Introduction | 1. Introduction | |||
| A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC7159] | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC7159] | |||
| data structure that represents a cryptographic key. This | data structure that represents a cryptographic key. This | |||
| specification also defines a JSON Web Key Set (JWK Set) JSON data | specification also defines a JSON Web Key Set (JWK Set) JSON data | |||
| structure that represents a set of JWKs. Cryptographic algorithms | structure that represents a set of JWKs. Cryptographic algorithms | |||
| and identifiers for use with this specification are described in the | and identifiers for use with this specification are described in the | |||
| separate JSON Web Algorithms (JWA) [JWA] specification and IANA | separate JSON Web Algorithms (JWA) [JWA] specification and IANA | |||
| registries defined by that specification. | registries defined by that specification. | |||
| skipping to change at page 4, line 40 ¶ | skipping to change at page 4, line 40 ¶ | |||
| words for use in RFCs to Indicate Requirement Levels [RFC2119]. If | words for use in RFCs to Indicate Requirement Levels [RFC2119]. If | |||
| these words are used without being spelled in uppercase then they are | these words are used without being spelled in uppercase then they are | |||
| to be interpreted with their normal natural language meanings. | to be interpreted with their normal natural language meanings. | |||
| BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per | BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per | |||
| Section 2 of [JWS]. | Section 2 of [JWS]. | |||
| UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation | UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation | |||
| of STRING. | of STRING. | |||
| ASCII(STRING) denotes the octets of the ASCII [USASCII] | ASCII(STRING) denotes the octets of the ASCII [RFC20] representation | |||
| representation of STRING. | of STRING. | |||
| The concatenation of two values A and B is denoted as A || B. | The concatenation of two values A and B is denoted as A || B. | |||
| 2. Terminology | 2. Terminology | |||
| These terms defined by the JSON Web Signature (JWS) [JWS] | These terms defined by the JSON Web Signature (JWS) [JWS] | |||
| specification are incorporated into this specification: "Base64url | specification are incorporated into this specification: "Base64url | |||
| Encoding", "Collision-Resistant Name", "Header Parameter", and "JOSE | Encoding", "Collision-Resistant Name", "Header Parameter", and "JOSE | |||
| Header". | Header". | |||
| These terms defined by the Internet Security Glossary, Version 2 | ||||
| [RFC4949] are incorporated into this specification: "Ciphertext", | ||||
| "Digital Signature", "Message Authentication Code (MAC)", and | ||||
| "Plaintext". | ||||
| These terms are defined by this specification: | These terms are defined by this specification: | |||
| JSON Web Key (JWK) | JSON Web Key (JWK) | |||
| A JSON object that represents a cryptographic key. The members of | A JSON object that represents a cryptographic key. The members of | |||
| the object represent properties of the key, including its value. | the object represent properties of the key, including its value. | |||
| JSON Web Key Set (JWK Set) | JSON Web Key Set (JWK Set) | |||
| A JSON object that represents a set of JWKs. The JSON object MUST | A JSON object that represents a set of JWKs. The JSON object MUST | |||
| have a "keys" member, which is an array of JWK objects. | have a "keys" member, which is an array of JWK objects. | |||
| skipping to change at page 7, line 24 ¶ | skipping to change at page 7, line 28 ¶ | |||
| 4.3. "key_ops" (Key Operations) Parameter | 4.3. "key_ops" (Key Operations) Parameter | |||
| The "key_ops" (key operations) member identifies the operation(s) | The "key_ops" (key operations) member identifies the operation(s) | |||
| that the key is intended to be used for. The "key_ops" parameter is | that the key is intended to be used for. The "key_ops" parameter is | |||
| intended for use cases in which public, private, or symmetric keys | intended for use cases in which public, private, or symmetric keys | |||
| may be present. | may be present. | |||
| Its value is an array of key operation values. Values defined by | Its value is an array of key operation values. Values defined by | |||
| this specification are: | this specification are: | |||
| o "sign" (compute signature or MAC) | o "sign" (compute digital signature or MAC) | |||
| o "verify" (verify signature or MAC) | o "verify" (verify digital signature or MAC) | |||
| o "encrypt" (encrypt content) | o "encrypt" (encrypt content) | |||
| o "decrypt" (decrypt content and validate decryption, if applicable) | o "decrypt" (decrypt content and validate decryption, if applicable) | |||
| o "wrapKey" (encrypt key) | o "wrapKey" (encrypt key) | |||
| o "unwrapKey" (decrypt key and validate decryption, if applicable) | o "unwrapKey" (decrypt key and validate decryption, if applicable) | |||
| o "deriveKey" (derive key) | o "deriveKey" (derive key) | |||
| o "deriveBits" (derive bits not to be used as a key) | o "deriveBits" (derive bits not to be used as a key) | |||
| (Note that the "key_ops" values intentionally match the "KeyUsage" | (Note that the "key_ops" values intentionally match the "KeyUsage" | |||
| values defined in the Web Cryptography API [WebCrypto] | values defined in the Web Cryptography API [WebCrypto] | |||
| specification.) | specification.) | |||
| skipping to change at page 13, line 17 ¶ | skipping to change at page 13, line 24 ¶ | |||
| specification registers the parameter names defined in Section 4. | specification registers the parameter names defined in Section 4. | |||
| The same JWK parameter name may be registered multiple times, | The same JWK parameter name may be registered multiple times, | |||
| provided that duplicate parameter registrations are only for key type | provided that duplicate parameter registrations are only for key type | |||
| specific JWK parameters; in this case, the meaning of the duplicate | specific JWK parameters; in this case, the meaning of the duplicate | |||
| parameter name is disambiguated by the "kty" value of the JWK | parameter name is disambiguated by the "kty" value of the JWK | |||
| containing it. | containing it. | |||
| 8.1.1. Registration Template | 8.1.1. Registration Template | |||
| Parameter Name: | Parameter Name: | |||
| The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "kid"). Because a core goal of this | |||
| specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||
| it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||
| characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||
| case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||
| case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||
| there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||
| particular case. However, matching names may be registered, | particular case. However, matching names may be registered, | |||
| provided that the accompanying sets of "kty" values that the | provided that the accompanying sets of "kty" values that the | |||
| Parameter Name is used with are disjoint; for the purposes of | Parameter Name is used with are disjoint; for the purposes of | |||
| matching "kty" values, "*" matches all values. | matching "kty" values, "*" matches all values. | |||
| Parameter Description: | Parameter Description: | |||
| Brief description of the parameter (e.g., "Example description"). | Brief description of the parameter (e.g., "Key ID"). | |||
| Used with "kty" Value(s): | Used with "kty" Value(s): | |||
| The key type parameter value(s) that the parameter name is to be | The key type parameter value(s) that the parameter name is to be | |||
| used with, or the value "*" if the parameter value is used with | used with, or the value "*" if the parameter value is used with | |||
| all key types. Values may not match other registered "kty" values | all key types. Values may not match other registered "kty" values | |||
| in a case-insensitive manner when the registered Parameter Name is | in a case-insensitive manner when the registered Parameter Name is | |||
| the same (including when the Parameter Name matches in a case- | the same (including when the Parameter Name matches in a case- | |||
| insensitive manner) unless the Designated Expert(s) state that | insensitive manner) unless the Designated Expert(s) state that | |||
| there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||
| particular case. | particular case. | |||
| skipping to change at page 15, line 40 ¶ | skipping to change at page 15, line 45 ¶ | |||
| This specification establishes the IANA JSON Web Key Use registry for | This specification establishes the IANA JSON Web Key Use registry for | |||
| JWK "use" (public key use) member values. The registry records the | JWK "use" (public key use) member values. The registry records the | |||
| public key use value and a reference to the specification that | public key use value and a reference to the specification that | |||
| defines it. This specification registers the parameter names defined | defines it. This specification registers the parameter names defined | |||
| in Section 4.2. | in Section 4.2. | |||
| 8.2.1. Registration Template | 8.2.1. Registration Template | |||
| Use Member Value: | Use Member Value: | |||
| The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "sig"). Because a core goal of this | |||
| specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||
| it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||
| characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||
| case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||
| case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||
| there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||
| particular case. | particular case. | |||
| Use Description: | Use Description: | |||
| Brief description of the use (e.g., "Example description"). | Brief description of the use (e.g., "Digital Signature or MAC"). | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, state "IESG". For others, give the name | For Standards Track RFCs, state "IESG". For others, give the name | |||
| of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||
| email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||
| Specification Document(s): | Specification Document(s): | |||
| Reference to the document(s) that specify the parameter, | Reference to the document(s) that specify the parameter, | |||
| preferably including URI(s) that can be used to retrieve copies of | preferably including URI(s) that can be used to retrieve copies of | |||
| the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||
| be included but is not required. | be included but is not required. | |||
| 8.2.2. Initial Registry Contents | 8.2.2. Initial Registry Contents | |||
| o Use Member Value: "sig" | o Use Member Value: "sig" | |||
| o Use Description: Signature or MAC | o Use Description: Digital Signature or MAC | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.2 of [[ this document ]] | o Specification Document(s): Section 4.2 of [[ this document ]] | |||
| o Use Member Value: "enc" | o Use Member Value: "enc" | |||
| o Use Description: Encryption | o Use Description: Encryption | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.2 of [[ this document ]] | o Specification Document(s): Section 4.2 of [[ this document ]] | |||
| 8.3. JSON Web Key Operations Registry | 8.3. JSON Web Key Operations Registry | |||
| This specification establishes the IANA JSON Web Key Operations | This specification establishes the IANA JSON Web Key Operations | |||
| registry for values of JWK "key_ops" array elements. The registry | registry for values of JWK "key_ops" array elements. The registry | |||
| records the key operation value and a reference to the specification | records the key operation value and a reference to the specification | |||
| that defines it. This specification registers the parameter names | that defines it. This specification registers the parameter names | |||
| defined in Section 4.3. | defined in Section 4.3. | |||
| 8.3.1. Registration Template | 8.3.1. Registration Template | |||
| Key Operation Value: | Key Operation Value: | |||
| The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "sign"). Because a core goal of this | |||
| specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||
| it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||
| characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||
| case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||
| case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||
| there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||
| particular case. | particular case. | |||
| Key Operation Description: | Key Operation Description: | |||
| Brief description of the key operation (e.g., "Example | Brief description of the key operation (e.g., "Compute digital | |||
| description"). | signature or MAC"). | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, state "IESG". For others, give the name | For Standards Track RFCs, state "IESG". For others, give the name | |||
| of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||
| email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||
| Specification Document(s): | Specification Document(s): | |||
| Reference to the document(s) that specify the parameter, | Reference to the document(s) that specify the parameter, | |||
| preferably including URI(s) that can be used to retrieve copies of | preferably including URI(s) that can be used to retrieve copies of | |||
| the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||
| be included but is not required. | be included but is not required. | |||
| 8.3.2. Initial Registry Contents | 8.3.2. Initial Registry Contents | |||
| o Key Operation Value: "sign" | o Key Operation Value: "sign" | |||
| o Key Operation Description: Compute signature or MAC | o Key Operation Description: Compute digital signature or MAC | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.3 of [[ this document ]] | o Specification Document(s): Section 4.3 of [[ this document ]] | |||
| o Key Operation Value: "verify" | o Key Operation Value: "verify" | |||
| o Key Operation Description: Verify signature or MAC | o Key Operation Description: Verify digital signature or MAC | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.3 of [[ this document ]] | o Specification Document(s): Section 4.3 of [[ this document ]] | |||
| o Key Operation Value: "encrypt" | o Key Operation Value: "encrypt" | |||
| o Key Operation Description: Encrypt content | o Key Operation Description: Encrypt content | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.3 of [[ this document ]] | o Specification Document(s): Section 4.3 of [[ this document ]] | |||
| o Key Operation Value: "decrypt" | o Key Operation Value: "decrypt" | |||
| o Key Operation Description: Decrypt content and validate | o Key Operation Description: Decrypt content and validate | |||
| skipping to change at page 18, line 29 ¶ | skipping to change at page 18, line 29 ¶ | |||
| This specification establishes the IANA JSON Web Key Set Parameters | This specification establishes the IANA JSON Web Key Set Parameters | |||
| registry for JWK Set parameter names. The registry records the | registry for JWK Set parameter names. The registry records the | |||
| parameter name and a reference to the specification that defines it. | parameter name and a reference to the specification that defines it. | |||
| This specification registers the parameter names defined in | This specification registers the parameter names defined in | |||
| Section 5. | Section 5. | |||
| 8.4.1. Registration Template | 8.4.1. Registration Template | |||
| Parameter Name: | Parameter Name: | |||
| The name requested (e.g., "example"). Because a core goal of this | The name requested (e.g., "keys"). Because a core goal of this | |||
| specification is for the resulting representations to be compact, | specification is for the resulting representations to be compact, | |||
| it is RECOMMENDED that the name be short -- not to exceed 8 | it is RECOMMENDED that the name be short -- not to exceed 8 | |||
| characters without a compelling reason to do so. This name is | characters without a compelling reason to do so. This name is | |||
| case-sensitive. Names may not match other registered names in a | case-sensitive. Names may not match other registered names in a | |||
| case-insensitive manner unless the Designated Expert(s) state that | case-insensitive manner unless the Designated Expert(s) state that | |||
| there is a compelling reason to allow an exception in this | there is a compelling reason to allow an exception in this | |||
| particular case. | particular case. | |||
| Parameter Description: | Parameter Description: | |||
| Brief description of the parameter (e.g., "Example description"). | Brief description of the parameter (e.g., "Array of JWK values"). | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, state "IESG". For others, give the name | For Standards Track RFCs, state "IESG". For others, give the name | |||
| of the responsible party. Other details (e.g., postal address, | of the responsible party. Other details (e.g., postal address, | |||
| email address, home page URI) may also be included. | email address, home page URI) may also be included. | |||
| Specification Document(s): | Specification Document(s): | |||
| Reference to the document(s) that specify the parameter, | Reference to the document(s) that specify the parameter, | |||
| preferably including URI(s) that can be used to retrieve copies of | preferably including URI(s) that can be used to retrieve copies of | |||
| the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||
| skipping to change at page 20, line 39 ¶ | skipping to change at page 20, line 39 ¶ | |||
| 9.1. Key Provenance and Trust | 9.1. Key Provenance and Trust | |||
| One should place no more trust in the data cryptographically secured | One should place no more trust in the data cryptographically secured | |||
| by a key than in the method by which it was obtained and in the | by a key than in the method by which it was obtained and in the | |||
| trustworthiness of the entity asserting an association with the key. | trustworthiness of the entity asserting an association with the key. | |||
| Any data associated with a key that is obtained in an untrusted | Any data associated with a key that is obtained in an untrusted | |||
| manner should be treated with skepticism. See Section 10.3 of [JWS] | manner should be treated with skepticism. See Section 10.3 of [JWS] | |||
| for security considerations on key origin authentication. | for security considerations on key origin authentication. | |||
| The security considerations in Section 12.3 of XML DSIG 2.0 | The security considerations in Section 12.3 of XML DSIG 2.0 | |||
| [W3C.NOTE-xmldsig-core2-20130411] about the strength of a signature | [W3C.NOTE-xmldsig-core2-20130411] about the strength of a digital | |||
| depending upon all the links in the security chain also apply to this | signature depending upon all the links in the security chain also | |||
| specification. | apply to this specification. | |||
| The TLS Requirements in Section 8 of [JWS] also apply to this | The TLS Requirements in Section 8 of [JWS] also apply to this | |||
| specification. | specification. | |||
| 9.2. Preventing Disclosure of Non-Public Key Information | 9.2. Preventing Disclosure of Non-Public Key Information | |||
| Private and symmetric keys MUST be protected from disclosure to | Private and symmetric keys MUST be protected from disclosure to | |||
| unintended parties. One recommended means of doing so is to encrypt | unintended parties. One recommended means of doing so is to encrypt | |||
| JWKs or JWK Sets containing them by using the JWK or JWK Set value as | JWKs or JWK Sets containing them by using the JWK or JWK Set value as | |||
| the plaintext of a JWE. Of course, this requires that there be a | the plaintext of a JWE. Of course, this requires that there be a | |||
| skipping to change at page 22, line 17 ¶ | skipping to change at page 22, line 17 ¶ | |||
| October 2014. | October 2014. | |||
| [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | |||
| draft-ietf-jose-json-web-encryption (work in progress), | draft-ietf-jose-json-web-encryption (work in progress), | |||
| October 2014. | October 2014. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), October 2014. | in progress), October 2014. | |||
| [RFC20] Cerf, V., "ASCII format for Network Interchange", RFC 20, | ||||
| October 1969. | ||||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
| November 1996. | November 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| skipping to change at page 22, line 39 ¶ | skipping to change at page 22, line 42 ¶ | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| RFC 3986, January 2005. | RFC 3986, January 2005. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, October 2006. | |||
| [RFC4945] Korver, B., "The Internet IP Security PKI Profile of | [RFC4945] Korver, B., "The Internet IP Security PKI Profile of | |||
| IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007. | IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007. | |||
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | ||||
| RFC 4949, August 2007. | ||||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
| Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||
| within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||
| (PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||
| Security (TLS)", RFC 6125, March 2011. | Security (TLS)", RFC 6125, March 2011. | |||
| [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", RFC 7159, March 2014. | Interchange Format", RFC 7159, March 2014. | |||
| [USASCII] American National Standards Institute, "Coded Character | ||||
| Set -- 7-bit American Standard Code for Information | ||||
| Interchange", ANSI X3.4, 1986. | ||||
| 10.2. Informative References | 10.2. Informative References | |||
| [DSS] National Institute of Standards and Technology, "Digital | [DSS] National Institute of Standards and Technology, "Digital | |||
| Signature Standard (DSS)", FIPS PUB 186-4, July 2013. | Signature Standard (DSS)", FIPS PUB 186-4, July 2013. | |||
| [HAC] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook | [HAC] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook | |||
| of Applied Cryptography", CRC Press, 1996, | of Applied Cryptography", CRC Press, 1996, | |||
| <http://cacr.uwaterloo.ca/hac/about/chap8.pdf>. | <http://cacr.uwaterloo.ca/hac/about/chap8.pdf>. | |||
| [Kocher] Kocher, P., "Timing Attacks on Implementations of Diffe- | [Kocher] Kocher, P., "Timing Attacks on Implementations of Diffe- | |||
| skipping to change at page 38, line 30 ¶ | skipping to change at page 38, line 30 ¶ | |||
| Hannes Tschofenig, and Sean Turner. | Hannes Tschofenig, and Sean Turner. | |||
| Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | Jim Schaad and Karen O'Donoghue chaired the JOSE working group and | |||
| Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | Sean Turner, Stephen Farrell, and Kathleen Moriarty served as | |||
| Security area directors during the creation of this specification. | Security area directors during the creation of this specification. | |||
| Appendix E. Document History | Appendix E. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -35 | ||||
| o Used real values for examples in the IANA Registration Templates. | ||||
| -34 | -34 | |||
| o Addressed IESG review comments by Pete Resnick, Stephen Farrell, | o Addressed IESG review comments by Pete Resnick, Stephen Farrell, | |||
| and Richard Barnes. | and Richard Barnes. | |||
| o Referenced RFC 4945 for PEM certificate delimiter syntax. | o Referenced RFC 4945 for PEM certificate delimiter syntax. | |||
| -33 | -33 | |||
| o Addressed secdir review comments by Stephen Kent for which | o Addressed secdir review comments by Stephen Kent for which | |||
| End of changes. 26 change blocks. | ||||
| 31 lines changed or deleted | 42 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||