idnits 2.17.1 draft-ietf-jose-jwk-thumbprint-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 22, 2015) is 3375 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259) -- Possible downref: Non-RFC (?) normative reference: ref. 'SHS' -- Possible downref: Non-RFC (?) normative reference: ref. 'UNICODE' == Outdated reference: A later version (-06) exists of draft-ietf-json-i-json-05 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 JOSE Working Group M. Jones 3 Internet-Draft Microsoft 4 Intended status: Standards Track N. Sakimura 5 Expires: July 26, 2015 NRI 6 January 22, 2015 8 JSON Web Key (JWK) Thumbprint 9 draft-ietf-jose-jwk-thumbprint-01 11 Abstract 13 This specification defines a means of computing a thumbprint value 14 (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the "x5t" 15 (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 16 certificate objects. This specification also registers the new JSON 17 Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters 18 and the new JSON Web Key (JWK) member name "jkt" (JWK SHA-256 19 Thumbprint) for holding these values. 21 Status of this Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on July 26, 2015. 38 Copyright Notice 40 Copyright (c) 2015 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 57 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3. JSON Web Key (JWK) Thumbprint . . . . . . . . . . . . . . . . 3 59 3.1. Example JWK Thumbprint Computation . . . . . . . . . . . . 4 60 3.2. JWK Members Used in the Thumbprint Computation . . . . . . 5 61 3.2.1. JWK Thumbprint of a Private Key . . . . . . . . . . . 6 62 3.2.2. Why Not Include Optional Members? . . . . . . . . . . 6 63 3.3. Order and Representation of Members in Hash Input . . . . 7 64 3.4. JWK Thumbprints of Keys Not in JWK Format . . . . . . . . 7 65 4. "jkt" Member Definitions . . . . . . . . . . . . . . . . . . . 8 66 4.1. "jkt" (JWK SHA-256 Thumbprint) JWS Header Parameter . . . 8 67 4.2. "jkt" (JWK SHA-256 Thumbprint) JWE Header Parameter . . . 8 68 4.3. "jkt" (JWK SHA-256 Thumbprint) JWK Parameter . . . . . . . 8 69 4.4. Possible Future Alternative Thumbprint Computations . . . 8 70 5. Practical JSON and Unicode Considerations . . . . . . . . . . 8 71 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 72 6.1. JWS and JWE Header Parameter Registration . . . . . . . . 9 73 6.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 10 74 6.2. JSON Web Key Parameters Registration . . . . . . . . . . . 10 75 6.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 10 76 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 77 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 78 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 79 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 80 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 81 Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 84 1. Introduction 86 This specification defines a means of computing a thumbprint value 87 (a.k.a. digest) of JSON Web Key (JWK) [JWK] objects analogous to the 88 "x5t" (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 89 certificate objects. This specification also registers the new JSON 90 Web Signature (JWS) [JWS] and JSON Web Encryption (JWE) [JWE] Header 91 Parameters and the new JSON Web Key (JWK) [JWK] member name "jkt" 92 (JWK SHA-256 Thumbprint) for holding these values. 94 1.1. Notational Conventions 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 98 "OPTIONAL" in this document are to be interpreted as described in Key 99 words for use in RFCs to Indicate Requirement Levels [RFC2119]. 101 2. Terminology 103 This specification uses the same terminology as the JSON Web Key 104 (JWK) [JWK], JSON Web Signature (JWS) [JWS], JSON Web Encryption 105 (JWE) [JWE], and JSON Web Algorithms (JWA) [JWA] specifications. 107 This term is defined by this specification: 109 JWK Thumbprint 110 The digest value for a key that is the subject of this 111 specification. 113 3. JSON Web Key (JWK) Thumbprint 115 This specification defines the thumbprint of a JSON Web Key (JWK) as 116 being a function of the REQUIRED members of the key's JWK 117 representation and a hash function. Specifically, for a hash 118 function H, this function is the hash with H of the octets of the 119 UTF-8 representation of a JSON object [RFC7159] constructed 120 containing only the REQUIRED members of a JWK representing the key 121 and with no white space or line breaks before or after any syntactic 122 elements and with the REQUIRED members ordered lexicographically by 123 the Unicode [UNICODE] code points of the member names. This JSON 124 object is itself a legal JWK representation of the key. The details 125 of this computation are further described in subsequent sections. 127 3.1. Example JWK Thumbprint Computation 129 This section demonstrates the JWK Thumbprint computation for the JWK 130 below (with long lines broken for display purposes only): 132 { 133 "kty": "RSA", 134 "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt 135 VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6 136 4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD 137 W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9 138 1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH 139 aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", 140 "e": "AQAB", 141 "alg": "RS256", 142 "kid": "2011-04-29" 143 } 145 As defined in JSON Web Key (JWK) [JWK] and JSON Web Algorithms (JWA) 146 [JWA], the REQUIRED members of an RSA public key are: 148 o "kty" 149 o "n" 150 o "e" 152 Therefore, these are the members used in the thumbprint computation. 154 Their lexicographic order (see more about this in Section 3.3) is: 156 o "e" 157 o "kty" 158 o "n" 160 Therefore the JSON object constructed as an intermediate step in the 161 computation is as follows (with long lines broken for display 162 purposes only): 164 {"e":"AQAB","kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2 165 aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCi 166 FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y 167 GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n 168 91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_x 169 BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"} 171 The octets of the UTF-8 representation of this JSON object are: 173 [123, 34, 101, 34, 58, 34, 65, 81, 65, 66, 34, 44, 34, 107, 116, 121, 174 34, 58, 34, 82, 83, 65, 34, 44, 34, 110, 34, 58, 34, 48, 118, 120, 175 55, 97, 103, 111, 101, 98, 71, 99, 81, 83, 117, 117, 80, 105, 76, 74, 176 88, 90, 112, 116, 78, 57, 110, 110, 100, 114, 81, 109, 98, 88, 69, 177 112, 115, 50, 97, 105, 65, 70, 98, 87, 104, 77, 55, 56, 76, 104, 87, 178 120, 52, 99, 98, 98, 102, 65, 65, 116, 86, 84, 56, 54, 122, 119, 117, 179 49, 82, 75, 55, 97, 80, 70, 70, 120, 117, 104, 68, 82, 49, 76, 54, 180 116, 83, 111, 99, 95, 66, 74, 69, 67, 80, 101, 98, 87, 75, 82, 88, 181 106, 66, 90, 67, 105, 70, 86, 52, 110, 51, 111, 107, 110, 106, 104, 182 77, 115, 116, 110, 54, 52, 116, 90, 95, 50, 87, 45, 53, 74, 115, 71, 183 89, 52, 72, 99, 53, 110, 57, 121, 66, 88, 65, 114, 119, 108, 57, 51, 184 108, 113, 116, 55, 95, 82, 78, 53, 119, 54, 67, 102, 48, 104, 52, 81, 185 121, 81, 53, 118, 45, 54, 53, 89, 71, 106, 81, 82, 48, 95, 70, 68, 186 87, 50, 81, 118, 122, 113, 89, 51, 54, 56, 81, 81, 77, 105, 99, 65, 187 116, 97, 83, 113, 122, 115, 56, 75, 74, 90, 103, 110, 89, 98, 57, 99, 188 55, 100, 48, 122, 103, 100, 65, 90, 72, 122, 117, 54, 113, 77, 81, 189 118, 82, 76, 53, 104, 97, 106, 114, 110, 49, 110, 57, 49, 67, 98, 79, 190 112, 98, 73, 83, 68, 48, 56, 113, 78, 76, 121, 114, 100, 107, 116, 191 45, 98, 70, 84, 87, 104, 65, 73, 52, 118, 77, 81, 70, 104, 54, 87, 192 101, 90, 117, 48, 102, 77, 52, 108, 70, 100, 50, 78, 99, 82, 119, 193 114, 51, 88, 80, 107, 115, 73, 78, 72, 97, 81, 45, 71, 95, 120, 66, 194 110, 105, 73, 113, 98, 119, 48, 76, 115, 49, 106, 70, 52, 52, 45, 99, 195 115, 70, 67, 117, 114, 45, 107, 69, 103, 85, 56, 97, 119, 97, 112, 196 74, 122, 75, 110, 113, 68, 75, 103, 119, 34, 125] 198 Using SHA-256 [SHS] as the hash function H, the JWK SHA-256 199 Thumbprint value is the SHA-256 hash of these octets, specifically: 201 [55, 54, 203, 177, 120, 124, 184, 48, 156, 119, 238, 140, 55, 5, 197, 202 225, 111, 251, 158, 133, 151, 21, 144, 31, 30, 76, 89, 177, 17, 130, 203 245, 123] 205 The base64url encoding [JWS] of this JWK SHA-256 Thumbprint value 206 (which would be used in the "jkt" members registered below) is: 208 NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs 210 3.2. JWK Members Used in the Thumbprint Computation 212 Only the REQUIRED members of a key's representation are used when 213 computing its JWK Thumbprint value. As defined in JSON Web Key (JWK) 214 [JWK] and JSON Web Algorithms (JWA) [JWA], the REQUIRED members of an 215 elliptic curve public key for the curves specified in Section 6.2.1.1 216 of [JWK], in lexicographic order, are: 218 o "crv" 219 o "kty" 220 o "x" 221 o "y" 223 the REQUIRED members of an RSA public key, in lexicographic order, 224 are: 226 o "e" 227 o "kty" 228 o "n" 230 and the REQUIRED members of a symmetric key, in lexicographic order, 231 are: 233 o "k" 234 o "kty" 236 As other key type values are defined, the specifications defining 237 them should be similarly consulted to determine which members, in 238 addition to "kty", are REQUIRED. 240 3.2.1. JWK Thumbprint of a Private Key 242 The JWK Thumbprint of a private key is computed as the JWK Thumbprint 243 of the corresponding public key. This has the intentional benefit 244 that the same JWK Thumbprint value can be computed both by parties 245 using either the public or private key. The JWK Thumbprint can then 246 be used to refer to both keys of the key pair. Application context 247 can be used to determine whether the public or the private key is the 248 one being referred to by the JWK Thumbprint. 250 This specification defines the method of computing JWK Thumbprints of 251 private keys for interoperability reasons -- so that different 252 implementations computing JWK Thumbprints of private keys will 253 produce the same result. 255 3.2.2. Why Not Include Optional Members? 257 OPTIONAL members of JWKs are intentionally not included in the JWK 258 Thumbprint computation so that their absence or presence in the JWK 259 doesn't alter the resulting value. The JWK Thumbprint value is a 260 digest of the key value itself -- not of additional data that may 261 also accompany the key. 263 OPTIONAL members are not included so that the JWK Thumbprint refers 264 to a key -- not a key with an associated set of key attributes. This 265 has the benefit that while in different application contexts 266 different subsets of attributes about the key might or might not be 267 included in the JWK, the JWK Thumbprint of the key remains the same 268 regardless of which optional attributes are present. Different kinds 269 of thumbprints could be defined by other specifications that might 270 include some or all additional JWK members, should use cases arise 271 where such different kinds of thumbprints would be useful. See 272 Section 9.1 of [JWK] for notes on some ways to cryptographically bind 273 attributes to a key. 275 3.3. Order and Representation of Members in Hash Input 277 The REQUIRED members in the input to the hash function are ordered 278 lexicographically by the Unicode code points of the member names. 280 Characters in member names and member values MUST be represented 281 without being escaped. This means that thumbprints of JWKs that 282 require such characters are not defined by this specification. (This 283 is not expected to limit the applicability of this specification, in 284 practice, as the REQUIRED members of JWK representations are not 285 expected to use any of these characters.) The characters specified 286 as requiring escaping by Section 7 of [RFC7159] are quotation mark, 287 reverse solidus (a.k.a. backslash), and the control characters U+0000 288 through U+001F. 290 If the JWK key type uses members whose values are themselves JSON 291 objects (as of the time of this writing, none are defined that do), 292 the members of those objects must likewise be lexicographically 293 ordered. 295 If the JWK key type uses members whose values are JSON numbers (as of 296 the time of this writing, none are defined that do), if the numbers 297 are integers, they MUST be represented as a JSON number as defined in 298 Section 6 of [RFC7159] without including a fraction part or exponent 299 part. For instance, the value "1.024e3" MUST be represented as 300 "1024". This means that thumbprints of JWKs that use numbers that 301 are not integers are not defined by this specification. Also, as 302 noted in The I-JSON Message Format [I-D.ietf-json-i-json], 303 implementations cannot expect an integer whose absolute value is 304 greater than 9007199254740991 (i.e., that is outside the range 305 [-(2**53)+1, (2**53)-1]) to be treated as an exact value. 307 See Section 5 for a discussion of further practical considerations 308 pertaining to the representation of the hash input. 310 3.4. JWK Thumbprints of Keys Not in JWK Format 312 Note that a key need not be in JWK format to create a JWK Thumbprint 313 of it. The only prerequisites are that the JWK representation of the 314 key be defined and the party creating the JWK Thumbprint is in 315 possession of the necessary key material. These are sufficient to 316 create the hash input from the JWK representation of the key, as 317 described in Section 3.3. 319 4. "jkt" Member Definitions 321 This section defines "jkt" (JWK SHA-256 Thumbprint) members used for 322 holding base64url encoded JWK Thumbprint values in JWK, JWS, and JWE 323 objects. 325 4.1. "jkt" (JWK SHA-256 Thumbprint) JWS Header Parameter 327 The "jkt" (JWK SHA-256 Thumbprint) JWS Header Parameter is a 328 base64url encoded JWK Thumbprint (a.k.a. digest) of the public key 329 that corresponds to the key used to digitally sign the JWS. Use of 330 this JWS Header Parameter is OPTIONAL. 332 4.2. "jkt" (JWK SHA-256 Thumbprint) JWE Header Parameter 334 This parameter has the same meaning, syntax, and processing rules as 335 the "jkt" JWS Header Parameter defined in Section 4.1, except that 336 the JWK Thumbprint references the public key to which the JWE was 337 encrypted; this can be used to determine the private key needed to 338 decrypt the JWE. 340 4.3. "jkt" (JWK SHA-256 Thumbprint) JWK Parameter 342 The "jkt" (JWK SHA-256 Thumbprint) JWK parameter is a base64url 343 encoded JWK Thumbprint (a.k.a. digest) of the JWK. If present, the 344 JWK Thumbprint value represented MUST have been computed from the 345 other members of the JWK as described in Section 3. Use of this 346 member is OPTIONAL. 348 4.4. Possible Future Alternative Thumbprint Computations 350 If, in the future, JWK Thumbprints need to be computed using hash 351 functions other than SHA-256, it is suggested that additional related 352 JWK, JWS, and JWE parameters be defined for that purpose. For 353 example, it is suggested that a new "jkt#S3-256" (JWK SHA-3-256 354 Thumbprint) JWK parameter could be defined by registering it in the 355 IANA JSON Web Key Parameters registry and the IANA JSON Web Signature 356 and Encryption Header Parameters registry. 358 5. Practical JSON and Unicode Considerations 360 Implementations will almost certainly use functionality provided by 361 the platform's JSON support, such as the JavaScript JSON.parse() 362 JSON.stringify() functions, when parsing the JWK and emitting the 363 JSON object used as the hash input. As a practical consideration, 364 future JWK member names should be avoided for which different 365 platforms or libraries might emit different representations. As of 366 the time of this writing, currently all defined JWK member names use 367 only printable ASCII characters, which should not exhibit this 368 problem. Note however, that JSON.stringify() cannot be counted on to 369 lexicographically sort the members of JSON objects, so while it may 370 be able to be used to emit some kinds of member values, different 371 code is likely to be needed to perform the sorting. 373 In particular, while the operation of lexicographically ordering 374 member names by their Unicode code points is well defined, different 375 platform sort functions may produce different results for non-ASCII 376 characters, in ways that may not be obvious to developers. If 377 writers of future specifications defining new JWK Key Type values 378 choose to restrict themselves to ASCII member names (which are for 379 machine and not human consumption anyway), some future 380 interoperability problems might be avoided. 382 Use of escaped characters in the input JWK representation should be 383 avoided. 385 While there is a natural representation to use for numeric values 386 that are integers, this specification doesn't attempt to define a 387 standard representation for numbers that are not integers or that 388 contain an exponent component. This is not expected to be a problem 389 in practice, as the REQUIRED members of JWK representations are not 390 expected to use numbers that are not integers. 392 Use of number representations containing fraction or exponent parts 393 in the input JWK representation should be avoided. 395 All of these practical considerations are really an instance of Jon 396 Postel's principle: "Be liberal in what you accept, and conservative 397 in what you send." 399 6. IANA Considerations 401 6.1. JWS and JWE Header Parameter Registration 403 This specification registers the "jkt" Header Parameters defined in 404 Sections 4.1 and 4.2 in the IANA JSON Web Signature and Encryption 405 Header Parameters registry defined in [JWS]. 407 6.1.1. Registry Contents 409 o Header Parameter Name: "jkt" 410 o Header Parameter Description: JWS JWK Thumbprint 411 o Header Parameter Usage Location(s): JWS 412 o Change Controller: IETF 413 o Specification Document(s): Section 4.1 of [[ this document ]] 415 o Header Parameter Name: "jkt" 416 o Header Parameter Description: JWE JWK Thumbprint 417 o Header Parameter Usage Location(s): JWE 418 o Change Controller: IETF 419 o Specification Document(s): Section 4.2 of [[ this document ]] 421 6.2. JSON Web Key Parameters Registration 423 This specification registers the "jkt" JWK member defined in 424 Section 4.3 in the IANA JSON Web Key Parameters registry defined in 425 [JWK]. 427 6.2.1. Registry Contents 429 o Parameter Name: "jkt" 430 o Parameter Description: JWK Thumbprint 431 o Used with "kty" Value(s): * 432 o Parameter Information Class: Public 433 o Change Controller: IESG 434 o Specification Document(s): Section 4.3 of [[ this document ]] 436 7. Security Considerations 438 The JSON Security Considerations and Unicode Comparison Security 439 Considerations described in Sections 10.2 and 10.3 of JSON Web 440 Signature (JWS) [JWS] also apply to this specification. 442 Also, as described in Section 5, some implementations may produce 443 incorrect results if esoteric or escaped characters are used in the 444 member names. The security implications of this appear to be limited 445 for JWK Thumbprints of public keys, since while it may result in 446 implementations failing to identify the intended key, it should not 447 leak information, since the information in a public key is already 448 public in nature, by definition. 450 A hash of a symmetric key has the potential to leak information about 451 the key value. Thus, the JWK Thumbprint of a symmetric key should be 452 typically be concealed from parties not in possession of the 453 symmetric key, unless in the application context, the cryptographic 454 hash used, such as SHA-256, is known to provide sufficient protection 455 against disclosure of the key value. 457 8. References 459 8.1. Normative References 461 [JWA] Jones, M., "JSON Web Algorithms (JWA)", 462 draft-ietf-jose-json-web-algorithms (work in progress), 463 January 2015. 465 [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", 466 draft-ietf-jose-json-web-encryption (work in progress), 467 January 2015. 469 [JWK] Jones, M., "JSON Web Key (JWK)", 470 draft-ietf-jose-json-web-key (work in progress), 471 January 2015. 473 [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web 474 Signature (JWS)", draft-ietf-jose-json-web-signature (work 475 in progress), January 2015. 477 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 478 Requirement Levels", BCP 14, RFC 2119, March 1997. 480 [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data 481 Interchange Format", RFC 7159, March 2014. 483 [SHS] National Institute of Standards and Technology, "Secure 484 Hash Standard (SHS)", FIPS PUB 180-4, March 2012. 486 [UNICODE] The Unicode Consortium, "The Unicode Standard", 1991-, 487 . 489 8.2. Informative References 491 [I-D.ietf-json-i-json] 492 Bray, T., "The I-JSON Message Format", 493 draft-ietf-json-i-json-05 (work in progress), 494 December 2014. 496 Appendix A. Acknowledgements 498 James Manger and John Bradley participated in discussions that led to 499 the creation of this specification. Jim Schaad also contributed to 500 this specification. 502 Appendix B. Document History 504 [[ to be removed by the RFC editor before publication as an RFC ]] 506 -01 508 o Addressed issues pointed out by Jim Schaad, including defining the 509 JWK Thumbprint computation in a manner that allows different hash 510 functions to be used over time. 512 o Added Nat Sakimura as an editor. 514 -00 516 o Created draft-ietf-jose-jwk-thumbprint-00 from 517 draft-jones-jose-jwk-thumbprint-01 with no normative changes. 519 Authors' Addresses 521 Michael B. Jones 522 Microsoft 524 Email: mbj@microsoft.com 525 URI: http://self-issued.info/ 527 Nat Sakimura 528 Nomura Research Institute 530 Email: n-sakimura@nri.co.jp 531 URI: http://nat.sakimura.org/