OAuth Working Group                                        D. W. Chadwick
Internet-Draft                                    Crossword Cybersecurity
Intended status: Proposed Standard                       February 9, 2022
Expires: August 9, 2022


                                 JWK URI
                     draft-chadwick-oauth-jwk-uri-00.txt

Status of This Memo

   This is an Internet Standards Track document.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   The list of current Internet-Drafts can be accessed at
   https://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   https://www.ietf.org/shadow.html

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 9, 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Internet-Draft                    JWK-URI                  February 2022

Abstract

   This specification registers a kind of URI that represents a JSON
   Web Key (JWK) value.  This enables JWKs to be used, for instance, as
   key identifiers in contexts requiring URIs.

Table of Contents

   1.  Introduction
   2.  Requirements Notation and Conventions
   3.  JWK URI
   4.  Comparison of JWK URIs with JWK Thumbprint URIs
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
       7.1.  Normative References
       7.2.  Informative References
   8.  Acknowledgments
   Appendix A.  Document History

1.  Introduction

   A JSON Web Key (JWK) [RFC7517] is a JavaScript Object Notation (JSON)
   data structure that represents a cryptographic key.

   This specification defines a URI prefix indicating that the portion
   of the URI following the prefix is a JWK.  This enables JWKs to be
   communicated in contexts requiring URIs, including in specific JSON
   Web Token (JWT) [RFC7519] claims.

   JWK URIs are proposed to be used in the [SIOPv2] specification as
   one kind of subject identifier in a context requiring that the
   identifier be a URI.  In this case, the subject identifier is derived
   from a public key represented as a JWK.  Expressing the identifier as
   a JWK URI enables this kind of identifier to be differentiated from
   other kinds of identifiers that are also URIs, such as Decentralized
   Identifiers (DIDs) [DID-Core].

2.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  JWK URI

   The following URI prefix is defined to indicate that the portion of
   the URI following the prefix is a JWK:

   o  "urn:ietf:params:oauth:jwk"

   The prefix MUST be followed by a colon and a JWK value that is formed
   by base64 encoding the JSON representation of the JWK, so that the
   whole forms a URI representing that JWK.

   Implementers should note that the standard base64 alphabet contains
   "+", "/" and "=", which are reserved or have special meaning in URIs
   and would need percent-encoding when the JWK URI is carried in a URI
   context.  The URL-safe base64url alphabet without padding, which JOSE
   already uses for the members of a JWK [RFC7517], avoids this.

4.  Comparison of JWK URIs with JWK Thumbprint URIs

   To produce or validate a JWK Thumbprint, both the sender and the
   receiver have to have the JWK available to them.  Each then has to
   canonicalise the JWK as described in [RFC7638] (keeping only the
   required members for the key type, with the member names in
   lexicographic order and no whitespace), and finally hash the octets
   of the UTF-8 representation of this JSON object with a pre-agreed
   algorithm, so that both obtain the same hash value.
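   The following Python program is an added worked example; it is not
   code from this draft, from [RFC7638] or from any SIOPv2
   implementation.  It builds a JWK URI as Section 3 specifies and
   parses it back, computes the RFC 7638 thumbprint of the embedded key
   as the paragraph above describes, and performs the recompute-and-
   compare check that the RP carries out in the SIOPv2 flow listed
   next in this section.  Two things are assumptions rather than
   statements from the draft, and are marked as such in the code: the
   URI payload uses the base64url alphabet without padding (the draft
   says only "base64"), and the thumbprint URI prefix names its hash
   algorithm in the form later standardised, which the -00 draft cited
   as [JONES] may not match.  The sample EC key's coordinates are
   constructed placeholder bytes, not a real curve point.

```python
"""Added worked example for the JWK URI draft (not the draft's own code).

Builds and parses a JWK URI (Section 3), computes the RFC 7638 thumbprint
of the embedded key (Section 4, first paragraph) and runs the RP-side
recompute-and-compare check of the SIOPv2 flow (Section 4, steps 5 and 6).

ASSUMPTIONS not stated by the draft:
  * the URI payload is base64url without padding; the draft says only
    "base64", whose '+', '/' and '=' are awkward inside a URI;
  * the thumbprint URI prefix below names its hash algorithm, the form
    later standardised; the -00 draft the page cites may differ.
"""
import base64
import hashlib
import json

JWK_URI_PREFIX = "urn:ietf:params:oauth:jwk:"
THUMBPRINT_URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"  # assumed form

# Members that RFC 7638 Section 3.2 hashes for each key type.  Everything
# else (kid, use, alg, x5c, private members) is discarded before hashing.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}
PRIVATE_MEMBERS = ("d", "p", "q", "dp", "dq", "qi", "oth")


def b64url_encode(data: bytes) -> str:
    """base64url without padding (RFC 4648 Section 5), as used across JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_to_uri(jwk: dict) -> str:
    """Section 3: prefix, colon, then the encoded JSON of the JWK.

    A JWK URI is a public identifier, so secret material (an RSA/EC private
    part, or a whole symmetric 'oct' key) is refused rather than shipped to
    every party that will see the URI.
    """
    if jwk.get("kty") == "oct" or any(m in jwk for m in PRIVATE_MEMBERS):
        raise ValueError("refusing to put private key material into a JWK URI")
    payload = json.dumps(jwk, separators=(",", ":")).encode("utf-8")
    return JWK_URI_PREFIX + b64url_encode(payload)


def jwk_from_uri(uri: str) -> dict:
    """Parse a JWK URI.  The prefix is checked before the payload is decoded;
    this is the test that tells a JWK URI apart from other URI-shaped
    identifiers such as DIDs."""
    if not uri.startswith(JWK_URI_PREFIX):
        raise ValueError("not a JWK URI")
    payload = uri[len(JWK_URI_PREFIX):]
    if not payload:
        raise ValueError("JWK URI has an empty payload")
    try:  # base64 and JSON errors are both ValueError subclasses
        jwk = json.loads(b64url_decode(payload))
    except ValueError as exc:
        raise ValueError("malformed JWK URI payload") from exc
    if not isinstance(jwk, dict) or "kty" not in jwk:
        raise ValueError("JWK URI payload is not a JWK")
    return jwk


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 Section 3: required members only, names in lexicographic
    order, no whitespace.  This is the exact byte string that gets hashed."""
    try:
        members = REQUIRED_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"no thumbprint rule for kty={jwk.get('kty')!r}") from exc
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required member(s) {missing}")
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """base64url(hash(UTF-8(canonical JSON))).  hash_name is the RP's own
    choice when it derives the thumbprint itself from a JWK URI."""
    digest = hashlib.new(hash_name, canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url_encode(digest)


def jwk_thumbprint_uri(jwk: dict) -> str:
    """SIOPv2 step 2: the thumbprint wrapped in the (assumed) URI form."""
    return THUMBPRINT_URI_PREFIX + jwk_thumbprint(jwk)


def rp_check_thumbprint_flow(received_jwk: dict, received_thumbprint_uri: str) -> bool:
    """SIOPv2 steps 5 and 6: the RP recomputes the thumbprint from the JWK it
    was sent and compares it with the thumbprint URI it was sent."""
    if not received_thumbprint_uri.startswith(THUMBPRINT_URI_PREFIX):
        return False
    claimed = received_thumbprint_uri[len(THUMBPRINT_URI_PREFIX):]
    return jwk_thumbprint(received_jwk) == claimed


def rp_subject_from_jwk_uri(jwk_uri: str, hash_name: str = "sha256") -> str:
    """The alternative the draft argues for: the RP receives a JWK URI alone
    and, only if it wants a stable identifier, derives a thumbprint with a
    hash algorithm of its own choosing (point (a) in Section 4)."""
    return jwk_thumbprint(jwk_from_uri(jwk_uri), hash_name)


# Constructed sample public key.  The coordinates are placeholder bytes, not
# a real P-256 point; they only exercise the encoding and hashing paths.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "ephemeral-1",
    "x": b64url_encode(b"\x01" * 32),
    "y": b64url_encode(b"\x02" * 32),
}

if __name__ == "__main__":
    uri = jwk_to_uri(SAMPLE_JWK)
    print("JWK URI:         ", uri)
    print("Thumbprint URI:  ", jwk_thumbprint_uri(SAMPLE_JWK))
    print("RP check passes: ", rp_check_thumbprint_flow(jwk_from_uri(uri), jwk_thumbprint_uri(SAMPLE_JWK)))
```

   Run directly, the program prints the JWK URI, the thumbprint URI and
   the result of the RP check.  The "kid" member is the point to watch:
   it travels inside the JWK URI but is dropped by canonicalisation, so
   two JWK URIs that differ only in "kid" yield the same thumbprint.
   That is why an RP wanting a stable subject identifier hashes the
   canonical key rather than comparing raw URI strings.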
   The way that the JWK Thumbprint URI is used in SIOPv2 [SIOPv2] is as
   follows:

   1.  the SIOP creates an asymmetric key pair and encodes the public
       key as a JWK

   2.  the SIOP creates the JWK Thumbprint as described in [RFC7638]
       and converts it to a URI as described in [JONES]

   3.  the SIOP passes both the JWK and the JWK Thumbprint URI to the RP
       in the JWT

   4.  the RP extracts the JWK and the JWK Thumbprint from the JWT

   5.  the RP re-computes the JWK Thumbprint from the JWK

   6.  the RP compares the computed JWK Thumbprint with the received JWK
       Thumbprint to confirm that they are equal.

   One can see that the use of JWK Thumbprint URIs is both inefficient
   (in all cases) and a significant disadvantage (in some cases).  If
   the JWK URI (as described in this document) is transferred instead
   of the JWK and the JWK Thumbprint URI, then:

   a)  The SIOP never needs to create the JWK Thumbprint URI.  The RP
       only needs to create the JWK Thumbprint if it has a use for one,
       for example as a unique subject identifier.  Even in this case
       there is still an advantage to the RP in receiving the JWK URI
       instead of the JWK Thumbprint URI, in that the RP no longer needs
       to pre-agree a hashing algorithm with the SIOP.  The RP can
       independently determine which hashing algorithm to use when
       creating its own JWK Thumbprint.

       (Note.  If the SIOP were able to canonicalise the same public key
       in a JWK in different ways and produce different thumbprints from
       the same public key, then the canonicalisation algorithm would be
       broken, and the RP would never be able to deterministically
       produce the same thumbprint each time.)

   b)  In those cases where the SIOP uses ephemeral key pairs and a
       different public key each time it communicates with an RP,
       neither party needs to produce the JWK Thumbprint, as the key
       will never be seen again.  Having to use JWK Thumbprints is a
       significant disadvantage in this case.

   One possible disadvantage of using JWK URIs instead of JWK Thumbprint
   URIs is the resulting increase in the size of the JWT.  Base64
   encoding a JWK string increases its size by 33%.  However, this
   increase in JWT size is offset by the decrease from no longer needing
   to include the JWK Thumbprint URI alongside the JWK.  The trade-off
   is the processing of JWKs to produce thumbprints by the sender and
   the receiver versus the overhead of transferring larger JWTs.

5.  Security Considerations

   The security considerations of [RFC7638] apply when the RP is using
   [RFC7638] to produce thumbprints.

   A JWK URI carries the key itself and is therefore self-asserted: any
   party can construct a JWK URI for any public key.  Receiving a JWK
   URI in a JWT proves nothing about who controls the corresponding
   private key until the RP has verified a signature made with that key,
   such as the signature on the JWT that carries the URI.  The JWK
   placed in a JWK URI must contain only the public members of the key;
   including private members would disclose the private key to every
   party that sees the URI.

6.  IANA Considerations

6.1.  OAuth URI Registration

   This specification proposes to register the following value in the
   IANA "OAuth URI" registry [IANA.OAuth.Parameters] established by
   [RFC6755].

6.1.1.  Registry Contents

   o  URN: urn:ietf:params:oauth:jwk

   o  Common Name: JWK URI

   o  Change controller: IESG

   o  Specification Document: [[ this specification ]]

7.  References

7.1.  Normative References

   [IANA.OAuth.Parameters]
              IANA, "OAuth Parameters".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7638]  Jones, M. and N. Sakimura, "JSON Web Key (JWK)
              Thumbprint", RFC 7638, DOI 10.17487/RFC7638,
              September 2015.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

7.2.  Informative References

   [DID-Core] Sporny, M., Guy, A., Sabadello, M., and D. Reed,
              "Decentralized Identifiers (DIDs) v1.0", August 2021.

   [JONES]    Yasuda, K. and M. Jones, "JWK Thumbprint URI",
              Internet-Draft draft-ietf-oauth-jwk-thumbprint-uri-00.

   [RFC6755]  Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace
              for OAuth", RFC 6755, DOI 10.17487/RFC6755, October 2012.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.

   [SIOPv2]   Yasuda, K. and M. B. Jones, "Self-Issued OpenID Provider
              v2", December 2021.

8.  Acknowledgments

   To be done.

Appendix A.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   -00

   o  Created initial draft.

Authors' Addresses

   David W Chadwick
   Crossword Cybersecurity

   Email: david.chadwick@crosswordcybersecurity.com
   URI:   https://www.linkedin.com/in/davidwchadwick/