< draft-jones-jose-jws-json-serialization-01.txt   draft-jones-jose-jws-json-serialization-02.txt >
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: January 17, 2013 independent Expires: April 18, 2013 independent
N. Sakimura N. Sakimura
Nomura Research Institute Nomura Research Institute
July 16, 2012 October 15, 2012
JSON Web Signature JSON Serialization (JWS-JS) JSON Web Signature JSON Serialization (JWS-JS)
draft-jones-jose-jws-json-serialization-01 draft-jones-jose-jws-json-serialization-02
Abstract Abstract
The JSON Web Signature JSON Serialization (JWS-JS) is a means of The JSON Web Signature JSON Serialization (JWS-JS) is a means of
representing content secured with digital signatures or Message representing content secured with digital signatures or Message
Authentication Codes (MACs) using JavaScript Object Notation (JSON) Authentication Codes (MACs) using JavaScript Object Notation (JSON)
data structures. This specification describes a means of data structures. This specification describes a means of
representing secured content as a JSON data object (as opposed to the representing secured content as a JSON data object (as opposed to the
JWS specification, which uses a compact serialization with a URL-safe JWS specification, which uses a compact serialization with a URL-safe
representation). It enables multiple digital signatures and/or MACs representation). It enables multiple digital signatures and/or MACs
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 17, 2013. This Internet-Draft will expire on April 18, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. JSON Serialization . . . . . . . . . . . . . . . . . . . . . . 3 3. JSON Serialization . . . . . . . . . . . . . . . . . . . . . . 3
4. Example JWS-JS . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Example JWS-JS . . . . . . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
7. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7.1. Normative References . . . . . . . . . . . . . . . . . . . 5
8.1. Normative References . . . . . . . . . . . . . . . . . . . 5 7.2. Informative References . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . . 6
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6
Appendix B. Document History . . . . . . . . . . . . . . . . . . . 6 Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . . 6
Appendix C. Document History . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
The JSON Web Signature JSON Serialization (JWS-JS) is a format for The JSON Web Signature JSON Serialization (JWS-JS) is a format for
representing content secured with digital signatures or Message representing content secured with digital signatures or Message
Authentication Codes (MACs) as a JavaScript Object Notation (JSON) Authentication Codes (MACs) as a JavaScript Object Notation (JSON)
[RFC4627] object. It enables multiple digital signatures and/or MACs [RFC4627] object. It enables multiple digital signatures and/or MACs
to be applied to the same content (unlike JWS [JWS]). The digital to be applied to the same content (unlike JWS [JWS]). The digital
signature and MAC mechanisms used are independent of the type of signature and MAC mechanisms used are independent of the type of
skipping to change at page 3, line 35 skipping to change at page 3, line 35
RFCs to Indicate Requirement Levels [RFC2119]. RFCs to Indicate Requirement Levels [RFC2119].
2. Terminology 2. Terminology
This specification uses the same terminology as the JSON Web This specification uses the same terminology as the JSON Web
Signature (JWS) [JWS] specification. Signature (JWS) [JWS] specification.
3. JSON Serialization 3. JSON Serialization
The JSON Serialization represents secured content as a JSON object The JSON Serialization represents secured content as a JSON object
with members for each of three constituent parts: a "headers" member with a "recipients" member containing an array of per-recipient
whose value is a non-empty array of Encoded JWS Header values, a information and a "payload" member containing a shared Encoded JWS
"payload" member whose value is an Encoded JWS Payload value, and a Payload value. Each member of the "recipients" array is a JSON
"signatures" member whose value is a non-empty array of Encoded JWS object with a "header" member containing an Encoded JWS Header value
Signature values, where the number of elements in both arrays is the and a "signature" member containing an Encoded JWS Signature value.
same.
Unlike the compact serialization used by JWSs, content using the JSON Unlike the compact serialization used by JWSs, content using the JSON
Serialization MAY be secured with more than one digital signature Serialization MAY be secured with more than one digital signature
and/or MAC value. Each is represented as an Encoded JWS Signature in and/or MAC value. Each is represented as an Encoded JWS Signature
the "signatures" member array. For each, there is a corresponding value in the "signature" member of an object in the "recipients"
"headers" member array element that is an Encoded JWS Header array. For each, there is an Encoded JWS Encoded Header value in the
specifying the digital signature or MAC applied to the Encoded JWS "header" member of the same object in the "recipients" array. This
Header value and the Encoded JWS Payload value to create the JWS specifies the digital signature or MAC applied to the Encoded JWS
Signature value. Therefore, the syntax is: Header value and the shared Encoded JWS Payload value to create the
JWS Signature value. Therefore, the syntax is:
{"headers":["<header 1 contents>",...,"<header N contents>"], {"recipients":[
"payload":"<payload contents>", {"header":"<header 1 contents>",
"signatures":["<signature 1 contents>",...,"<signature N contents>"] "signature":"<signature 1 contents>"},
} ...
{"header":"<header N contents>",
"signature":"<signature N contents>"}],
"payload":"<payload contents>"
}
The contents of the Encoded JWS Header, Encoded JWS Payload, and The contents of the Encoded JWS Header, Encoded JWS Payload, and
Encoded JWS Signature values are exactly as specified in JSON Web Encoded JWS Signature values are exactly as specified in JSON Web
Signature (JWS) [JWS]. They are interpreted and validated in the Signature (JWS) [JWS]. They are interpreted and validated in the
same manner, with each corresponding "headers" and "signatures" value same manner, with each corresponding "header" and "signature" value
being created or validated together. The arrays MUST have the same being created and validated together.
number of elements.
The i'th JWS Signature value is computed on the JWS Secured Input Each JWS Signature value is computed on the JWS Secured Input
corresponding to the concatenation of the i'th Encoded JWS Header, a corresponding to the concatenation of the Encoded JWS Header, a
period ('.') character, and the Encoded JWS Payload in the same period ('.') character, and the Encoded JWS Payload in the same
manner described in the JWS specification. This has the desirable manner described in the JWS specification. This has the desirable
result that each Encoded JWS signature value in the "signatures" result that each Encoded JWS signature value in the "recipients"
array is identical to the value that would be used for the same array is identical to the value that would be used for the same
header and payload in a JWS. parameters in a JWS.
4. Example JWS-JS 4. Example JWS-JS
This section contains an example using the JWS JSON Serialization. This section contains an example using the JWS JSON Serialization.
This example demonstrates the capability for conveying multiple This example demonstrates the capability for conveying multiple
digital signatures and/or MACs for the same payload. digital signatures and/or MACs for the same payload.
The Encoded JWS Payload used in this example is the same as used in The Encoded JWS Payload used in this example is the same as used in
the examples in Appendix A of JWS (with line breaks for display the examples in Appendix A of JWS (with line breaks for display
purposes only): purposes only):
skipping to change at page 5, line 9 skipping to change at page 5, line 12
{"alg":"ES256"} {"alg":"ES256"}
Since the computations of the JWS Header and JWS Signature values are Since the computations of the JWS Header and JWS Signature values are
the same as in Appendix A.2 and Appendix A.3 of JWS, they are not the same as in Appendix A.2 and Appendix A.3 of JWS, they are not
repeated here. repeated here.
The complete JSON Web Signature JSON Serialization (JWS-JS) for these The complete JSON Web Signature JSON Serialization (JWS-JS) for these
values is as follows (with line breaks for display purposes only): values is as follows (with line breaks for display purposes only):
{"headers":[ {"recipients":[
"eyJhbGciOiJSUzI1NiJ9", {"header":"eyJhbGciOiJSUzI1NiJ9",
"eyJhbGciOiJFUzI1NiJ9"], "signature":
"payload":"eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0 "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZ
dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ", mh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjb
"signatures":[ KBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHl
"cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZ b1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZES
mh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBY c6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AX
NX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Q LIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"},
e7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noO {"header":"eyJhbGciOiJFUzI1NiJ9",
PqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmt "signature":
VrBp0igcN_IoypGlUPQGe77Rw", "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS
"DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q"}],
lSApmWQxfKTUJqPP3-Kg6NU1Q"] "payload":
"eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGF
tcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
} }
5. IANA Considerations 5. IANA Considerations
This specification makes no requests of IANA. This specification makes no requests of IANA.
6. Security Considerations 6. Security Considerations
The security considerations for this specification are the same as The security considerations for this specification are the same as
those for the JSON Web Signature (JWS) [JWS] specification. those for the JSON Web Signature (JWS) [JWS] specification.
7. Open Issues 7. References
[[ to be removed by the RFC editor before publication as an RFC ]]
The following items remain to be considered or done in this draft:
o Track changes that occur in the JWS spec.
8. References
8.1. Normative References 7.1. Normative References
[JWA] Jones, M., "JSON Web Algorithms (JWA)", July 2012. [JWA] Jones, M., "JSON Web Algorithms (JWA)", October 2012.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", July 2012. Signature (JWS)", October 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
8.2. Informative References 7.2. Informative References
[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign",
September 2010. September 2010.
[JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization [JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization
(JWE-JS)", July 2012. (JWE-JS)", October 2012.
[MagicSignatures] [MagicSignatures]
Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic
Signatures", January 2011. Signatures", January 2011.
Appendix A. Acknowledgements Appendix A. Acknowledgements
JSON serializations for secured content were previously explored by JSON serializations for secured content were previously explored by
Magic Signatures [MagicSignatures] and JSON Simple Sign [JSS]. Magic Signatures [MagicSignatures] and JSON Simple Sign [JSS].
Appendix B. Document History Appendix B. Open Issues
[[ to be removed by the RFC editor before publication as an RFC ]]
The following items remain to be considered or done in this draft:
o Track changes that occur in the JWS spec.
Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-02
o Changed to use an array of structures for per-recipient values,
rather than a set of parallel arrays.
-01 -01
o Generalized language to refer to Message Authentication Codes o Generalized language to refer to Message Authentication Codes
(MACs) rather than Hash-based Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes
(HMACs). (HMACs).
-00 -00
o Renamed draft-jones-json-web-signature-json-serialization to o Renamed draft-jones-json-web-signature-json-serialization to
draft-jones-jose-jws-json-serialization to have "jose" be in the draft-jones-jose-jws-json-serialization to have "jose" be in the
document name so it can be included in the Related Documents list document name so it can be included in the Related Documents list
at http://datatracker.ietf.org/wg/jose/. No normative changes. at http://datatracker.ietf.org/wg/jose/. No normative changes.
draft-jones-json-web-signature-json-serialization-02 draft-jones-json-web-signature-json-serialization-02
o Tracked editorial changes made to the JWS spec. o Tracked editorial changes made to the JWS spec.
draft-jones-json-web-signature-json-serialization-01 draft-jones-json-web-signature-json-serialization-01
o Corrected the Magic Signatures reference. o Corrected the Magic Signatures reference.
draft-jones-json-web-signature-json-serialization-00 draft-jones-json-web-signature-json-serialization-00
o Created the initial version incorporating JOSE working group input o Created the initial version incorporating JOSE working group input
and drawing from the JSON Serialization previously proposed in and drawing from the JSON Serialization previously proposed in
 End of changes. 24 change blocks. 
62 lines changed or deleted 72 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/