| < draft-jones-jose-jws-json-serialization-00.txt | draft-jones-jose-jws-json-serialization-01.txt > | |||
|---|---|---|---|---|
| JOSE Working Group M. Jones | JOSE Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Bradley | Intended status: Standards Track J. Bradley | |||
| Expires: January 10, 2013 independent | Expires: January 17, 2013 independent | |||
| N. Sakimura | N. Sakimura | |||
| Nomura Research Institute | Nomura Research Institute | |||
| July 9, 2012 | July 16, 2012 | |||
| JSON Web Signature JSON Serialization (JWS-JS) | JSON Web Signature JSON Serialization (JWS-JS) | |||
| draft-jones-jose-jws-json-serialization-00 | draft-jones-jose-jws-json-serialization-01 | |||
| Abstract | Abstract | |||
| The JSON Web Signature JSON Serialization (JWS-JS) is a means of | The JSON Web Signature JSON Serialization (JWS-JS) is a means of | |||
| representing content secured with digital signatures or Hash-based | representing content secured with digital signatures or Message | |||
| Message Authentication Codes (HMACs) using JavaScript Object Notation | Authentication Codes (MACs) using JavaScript Object Notation (JSON) | |||
| (JSON) data structures. This specification describes a means of | data structures. This specification describes a means of | |||
| representing secured content as a JSON data object (as opposed to the | representing secured content as a JSON data object (as opposed to the | |||
| JWS specification, which uses a compact serialization with a URL-safe | JWS specification, which uses a compact serialization with a URL-safe | |||
| representation). It enables multiple digital signatures and/or HMACs | representation). It enables multiple digital signatures and/or MACs | |||
| to be applied to the same content (unlike JWS). Cryptographic | to be applied to the same content (unlike JWS). Cryptographic | |||
| algorithms and identifiers used with this specification are described | algorithms and identifiers used with this specification are described | |||
| in the separate JSON Web Algorithms (JWA) specification. The JSON | in the separate JSON Web Algorithms (JWA) specification. The JSON | |||
| Serialization for related encryption functionality is described in | Serialization for related encryption functionality is described in | |||
| the separate JSON Web Encryption JSON Serialization (JWE-JS) | the separate JSON Web Encryption JSON Serialization (JWE-JS) | |||
| specification. | specification. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 45 ¶ | skipping to change at page 1, line 45 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 10, 2013. | This Internet-Draft will expire on January 17, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 8 ¶ | skipping to change at page 3, line 8 ¶ | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 6 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 6 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . . 6 | Appendix B. Document History . . . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| The JSON Web Signature JSON Serialization (JWS-JS) is a format for | The JSON Web Signature JSON Serialization (JWS-JS) is a format for | |||
| representing content secured with digital signatures or Hash-based | representing content secured with digital signatures or Message | |||
| Message Authentication Codes (HMACs) as a JavaScript Object Notation | Authentication Codes (MACs) as a JavaScript Object Notation (JSON) | |||
| (JSON) [RFC4627] object. It enables multiple digital signatures | [RFC4627] object. It enables multiple digital signatures and/or MACs | |||
| and/or HMACs to be applied to the same content (unlike JWS [JWS]). | to be applied to the same content (unlike JWS [JWS]). The digital | |||
| The digital signature and HMAC mechanisms used are independent of the | signature and MAC mechanisms used are independent of the type of | |||
| type of content being secured, allowing arbitrary content to be | content being secured, allowing arbitrary content to be secured. | |||
| secured. Cryptographic algorithms and identifiers used with this | Cryptographic algorithms and identifiers used with this specification | |||
| specification are described in the separate JSON Web Algorithms (JWA) | are described in the separate JSON Web Algorithms (JWA) [JWA] | |||
| [JWA] specification. The JSON Serialization for related encryption | specification. The JSON Serialization for related encryption | |||
| functionality is described in the separate JSON Web Encryption JSON | functionality is described in the separate JSON Web Encryption JSON | |||
| Serialization (JWE-JS) [JWE-JS] specification. | Serialization (JWE-JS) [JWE-JS] specification. | |||
| 1.1. Notational Conventions | 1.1. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in Key words for use in | document are to be interpreted as described in Key words for use in | |||
| RFCs to Indicate Requirement Levels [RFC2119]. | RFCs to Indicate Requirement Levels [RFC2119]. | |||
| skipping to change at page 3, line 44 ¶ | skipping to change at page 3, line 44 ¶ | |||
| The JSON Serialization represents secured content as a JSON object | The JSON Serialization represents secured content as a JSON object | |||
| with members for each of three constituent parts: a "headers" member | with members for each of three constituent parts: a "headers" member | |||
| whose value is a non-empty array of Encoded JWS Header values, a | whose value is a non-empty array of Encoded JWS Header values, a | |||
| "payload" member whose value is an Encoded JWS Payload value, and a | "payload" member whose value is an Encoded JWS Payload value, and a | |||
| "signatures" member whose value is a non-empty array of Encoded JWS | "signatures" member whose value is a non-empty array of Encoded JWS | |||
| Signature values, where the number of elements in both arrays is the | Signature values, where the number of elements in both arrays is the | |||
| same. | same. | |||
| Unlike the compact serialization used by JWSs, content using the JSON | Unlike the compact serialization used by JWSs, content using the JSON | |||
| Serialization MAY be secured with more than one digital signature | Serialization MAY be secured with more than one digital signature | |||
| and/or HMAC value. Each is represented as an Encoded JWS Signature | and/or MAC value. Each is represented as an Encoded JWS Signature in | |||
| in the "signatures" member array. For each, there is a corresponding | the "signatures" member array. For each, there is a corresponding | |||
| "headers" member array element that is an Encoded JWS Header | "headers" member array element that is an Encoded JWS Header | |||
| specifying the digital signature or HMAC applied to the Encoded JWS | specifying the digital signature or MAC applied to the Encoded JWS | |||
| Header value and the Encoded JWS Payload value to create the JWS | Header value and the Encoded JWS Payload value to create the JWS | |||
| Signature value. Therefore, the syntax is: | Signature value. Therefore, the syntax is: | |||
| {"headers":["<header 1 contents>",...,"<header N contents>"], | {"headers":["<header 1 contents>",...,"<header N contents>"], | |||
| "payload":"<payload contents>", | "payload":"<payload contents>", | |||
| "signatures":["<signature 1 contents>",...,"<signature N contents>"] | "signatures":["<signature 1 contents>",...,"<signature N contents>"] | |||
| } | } | |||
| The contents of the Encoded JWS Header, Encoded JWS Payload, and | The contents of the Encoded JWS Header, Encoded JWS Payload, and | |||
| Encoded JWS Signature values are exactly as specified in JSON Web | Encoded JWS Signature values are exactly as specified in JSON Web | |||
| skipping to change at page 4, line 29 ¶ | skipping to change at page 4, line 29 ¶ | |||
| period ('.') character, and the Encoded JWS Payload in the same | period ('.') character, and the Encoded JWS Payload in the same | |||
| manner described in the JWS specification. This has the desirable | manner described in the JWS specification. This has the desirable | |||
| result that each Encoded JWS signature value in the "signatures" | result that each Encoded JWS signature value in the "signatures" | |||
| array is identical to the value that would be used for the same | array is identical to the value that would be used for the same | |||
| header and payload in a JWS. | header and payload in a JWS. | |||
| 4. Example JWS-JS | 4. Example JWS-JS | |||
| This section contains an example using the JWS JSON Serialization. | This section contains an example using the JWS JSON Serialization. | |||
| This example demonstrates the capability for conveying multiple | This example demonstrates the capability for conveying multiple | |||
| digital signatures and/or HMACs for the same payload. | digital signatures and/or MACs for the same payload. | |||
| The Encoded JWS Payload used in this example is the same as used in | The Encoded JWS Payload used in this example is the same as used in | |||
| the examples in Appendix A of JWS (with line breaks for display | the examples in Appendix A of JWS (with line breaks for display | |||
| purposes only): | purposes only): | |||
| eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt | eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt | |||
| cGxlLmNvbS9pc19yb290Ijp0cnVlfQ | cGxlLmNvbS9pc19yb290Ijp0cnVlfQ | |||
| Two digital signatures are used in this example: an RSA SHA-256 | Two digital signatures are used in this example: an RSA SHA-256 | |||
| signature, for which the header and signature values are the same as | signature, for which the header and signature values are the same as | |||
| skipping to change at page 6, line 35 ¶ | skipping to change at page 6, line 35 ¶ | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| JSON serializations for secured content were previously explored by | JSON serializations for secured content were previously explored by | |||
| Magic Signatures [MagicSignatures] and JSON Simple Sign [JSS]. | Magic Signatures [MagicSignatures] and JSON Simple Sign [JSS]. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| -01 | ||||
| o Generalized language to refer to Message Authentication Codes | ||||
| (MACs) rather than Hash-based Message Authentication Codes | ||||
| (HMACs). | ||||
| -00 | -00 | |||
| o Renamed draft-jones-json-web-signature-json-serialization to | o Renamed draft-jones-json-web-signature-json-serialization to | |||
| draft-jones-jose-jws-json-serialization to have "jose" be in the | draft-jones-jose-jws-json-serialization to have "jose" be in the | |||
| document name so it can be included in the Related Documents list | document name so it can be included in the Related Documents list | |||
| at http://datatracker.ietf.org/wg/jose/. No normative changes. | at http://datatracker.ietf.org/wg/jose/. No normative changes. | |||
| draft-jones-json-web-signature-json-serialization-02 | draft-jones-json-web-signature-json-serialization-02 | |||
| o Tracked editorial changes made to the JWS spec. | o Tracked editorial changes made to the JWS spec. | |||
| draft-jones-json-web-signature-json-serialization-01 | draft-jones-json-web-signature-json-serialization-01 | |||
| o Corrected the Magic Signatures reference. | o Corrected the Magic Signatures reference. | |||
| draft-jones-json-web-signature-json-serialization-00 | draft-jones-json-web-signature-json-serialization-00 | |||
| o Created the initial version incorporating JOSE working group input | o Created the initial version incorporating JOSE working group input | |||
| and drawing from the JSON Serialization previously proposed in | and drawing from the JSON Serialization previously proposed in | |||
| draft-jones-json-web-token-01. | draft-jones-json-web-token-01. | |||
| Authors' Addresses | Authors' Addresses | |||
| Michael B. Jones | Michael B. Jones | |||
| Microsoft | Microsoft | |||
| Email: mbj@microsoft.com | Email: mbj@microsoft.com | |||
| End of changes. 13 change blocks. | ||||
| 22 lines changed or deleted | 28 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
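The structure in Section 3 (parallel "headers" and "signatures" arrays over one "payload", each signature computed over the compact-JWS signing input) can be exercised end to end with a small builder and verifier. This is an added illustration, not code from the draft or the JOSE working group; it assumes the JWA "HS256" MAC algorithm, a "kid" header member for key lookup, and two constructed secret keys, and it reuses the draft's own Section 4 payload as sample input.

```python
import base64, hashlib, hmac, json

# Payload from the draft's Section 4 (JWS Appendix A), CRLF line breaks included.
EXAMPLE_PAYLOAD = b'{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}'

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def jws_js_sign(payload: bytes, keys: list) -> dict:
    """Build a JWS-JS object with one HS256 MAC per (kid, key) pair (constructed keys)."""
    enc_payload = b64url(payload)
    headers, signatures = [], []
    for kid, key in keys:
        header = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
        enc_header = b64url(header.encode("utf-8"))
        # Signing input is exactly the compact-JWS one: Encoded Header '.' Encoded Payload
        signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
        headers.append(enc_header)
        signatures.append(b64url(hs256(key, signing_input)))
    return {"headers": headers, "payload": enc_payload, "signatures": signatures}

def jws_js_verify(obj: dict, keys: dict) -> list:
    """Return the kids whose MAC verifies; reject structurally invalid objects."""
    headers, signatures = obj["headers"], obj["signatures"]
    if not headers or len(headers) != len(signatures):
        raise ValueError("headers and signatures must be non-empty, equal-length arrays")
    verified = []
    for enc_header, enc_sig in zip(headers, signatures):
        header = json.loads(b64url_decode(enc_header))
        key = keys.get(header.get("kid"))
        if header.get("alg") != "HS256" or key is None:
            continue  # unknown key or unexpected algorithm: never trust this entry
        signing_input = f"{enc_header}.{obj['payload']}".encode("ascii")
        if hmac.compare_digest(hs256(key, signing_input), b64url_decode(enc_sig)):
            verified.append(header["kid"])
    return verified

def compact_jws(obj: dict, index: int) -> str:
    """Entry `index` of a JWS-JS as a compact JWS; the signature value is identical."""
    return f"{obj['headers'][index]}.{obj['payload']}.{obj['signatures'][index]}"
```

The verifier only reports entries whose key it holds and whose header names the expected algorithm, so a recipient holding one of several keys validates exactly the MAC addressed to it.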