idnits 2.17.1 draft-ietf-jose-jwk-thumbprint-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 3, 2015) is 3342 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 404 -- Looks like a reference, but probably isn't: '1' on line 404 ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259) -- Possible downref: Non-RFC (?) normative reference: ref. 'SHS' -- Possible downref: Non-RFC (?) normative reference: ref. 'UNICODE' Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 JOSE Working Group M. Jones 3 Internet-Draft Microsoft 4 Intended status: Standards Track N. Sakimura 5 Expires: September 4, 2015 NRI 6 March 3, 2015 8 JSON Web Key (JWK) Thumbprint 9 draft-ietf-jose-jwk-thumbprint-04 11 Abstract 13 This specification defines a means of computing a thumbprint value 14 (a.k.a. digest) of a key represented as a JSON Web Key (JWK). This 15 value can be used for identifying or selecting the key that is the 16 subject of the thumbprint. 18 Status of this Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on September 4, 2015. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3 54 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3. JSON Web Key (JWK) Thumbprint . . . . . . . . . . . . . . . . 3 56 3.1. Example JWK Thumbprint Computation . . . . . . . . . . . . 4 57 3.2. JWK Members Used in the Thumbprint Computation . . . . . . 5 58 3.2.1. JWK Thumbprint of a Private Key . . . . . . . . . . . 6 59 3.2.2. Why Not Include Optional Members? . . . . . . . . . . 6 60 3.3. Order and Representation of Members in Hash Input . . . . 7 61 3.4. JWK Thumbprints of Keys Not in JWK Format . . . . . . . . 7 62 4. Practical JSON and Unicode Considerations . . . . . . . . . . 8 63 5. Relationship to Digests of X.509 Values . . . . . . . . . . . 9 64 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 65 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 66 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 67 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 68 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 69 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 70 Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 71 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 73 1. Introduction 75 This specification defines a means of computing a thumbprint value 76 (a.k.a. digest) of a key represented as a JSON Web Key (JWK). This 77 value can be used for identifying or selecting the key that is the 78 subject of the thumbprint, for instance, by using the base64url 79 encoded JWK Thumbprint value as a "kid" (key ID) value. 81 1.1. Notational Conventions 83 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 84 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 85 "OPTIONAL" in this document are to be interpreted as described in Key 86 words for use in RFCs to Indicate Requirement Levels [RFC2119]. 88 2. Terminology 90 This specification uses the same terminology as the JSON Web Key 91 (JWK) [JWK], JSON Web Signature (JWS) [JWS], and JSON Web Algorithms 92 (JWA) [JWA] specifications. 94 This term is defined by this specification: 96 JWK Thumbprint 97 The digest value for a key that is the subject of this 98 specification. 100 3. JSON Web Key (JWK) Thumbprint 102 The thumbprint of a JSON Web Key (JWK) is computed as follows: 104 1. Construct a JSON object [RFC7159] containing only the required 105 members of a JWK representing the key and with no white space or 106 line breaks before or after any syntactic elements and with the 107 required members ordered lexicographically by the Unicode 108 [UNICODE] code points of the member names. (This JSON object is 109 itself a legal JWK representation of the key.) 111 2. Hash the octets of the UTF-8 representation of this JSON object 112 with a cryptographic hash function H. For example, SHA-256 [SHS] 113 might be used as H. 115 The resulting value is the JWK Thumbprint with H of the JWK. The 116 details of this computation are further described in subsequent 117 sections. 119 3.1. Example JWK Thumbprint Computation 121 This section demonstrates the JWK Thumbprint computation for the JWK 122 below (with long lines broken for display purposes only): 124 { 125 "kty": "RSA", 126 "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt 127 VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6 128 4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD 129 W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9 130 1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH 131 aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", 132 "e": "AQAB", 133 "alg": "RS256", 134 "kid": "2011-04-29" 135 } 137 As defined in JSON Web Key (JWK) [JWK] and JSON Web Algorithms (JWA) 138 [JWA], the required members of an RSA public key are: 140 o "kty" 141 o "n" 142 o "e" 144 Therefore, these are the members used in the thumbprint computation. 146 Their lexicographic order (see more about this in Section 3.3) is: 148 o "e" 149 o "kty" 150 o "n" 152 Therefore the JSON object constructed as an intermediate step in the 153 computation is as follows (with long lines broken for display 154 purposes only): 156 {"e":"AQAB","kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2 157 aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCi 158 FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y 159 GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n 160 91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_x 161 BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"} 163 The octets of the UTF-8 representation of this JSON object are: 165 [123, 34, 101, 34, 58, 34, 65, 81, 65, 66, 34, 44, 34, 107, 116, 121, 166 34, 58, 34, 82, 83, 65, 34, 44, 34, 110, 34, 58, 34, 48, 118, 120, 167 55, 97, 103, 111, 101, 98, 71, 99, 81, 83, 117, 117, 80, 105, 76, 74, 168 88, 90, 112, 116, 78, 57, 110, 110, 100, 114, 81, 109, 98, 88, 69, 169 112, 115, 50, 97, 105, 65, 70, 98, 87, 104, 77, 55, 56, 76, 104, 87, 170 120, 52, 99, 98, 98, 102, 65, 65, 116, 86, 84, 56, 54, 122, 119, 117, 171 49, 82, 75, 55, 97, 80, 70, 70, 120, 117, 104, 68, 82, 49, 76, 54, 172 116, 83, 111, 99, 95, 66, 74, 69, 67, 80, 101, 98, 87, 75, 82, 88, 173 106, 66, 90, 67, 105, 70, 86, 52, 110, 51, 111, 107, 110, 106, 104, 174 77, 115, 116, 110, 54, 52, 116, 90, 95, 50, 87, 45, 53, 74, 115, 71, 175 89, 52, 72, 99, 53, 110, 57, 121, 66, 88, 65, 114, 119, 108, 57, 51, 176 108, 113, 116, 55, 95, 82, 78, 53, 119, 54, 67, 102, 48, 104, 52, 81, 177 121, 81, 53, 118, 45, 54, 53, 89, 71, 106, 81, 82, 48, 95, 70, 68, 178 87, 50, 81, 118, 122, 113, 89, 51, 54, 56, 81, 81, 77, 105, 99, 65, 179 116, 97, 83, 113, 122, 115, 56, 75, 74, 90, 103, 110, 89, 98, 57, 99, 180 55, 100, 48, 122, 103, 100, 65, 90, 72, 122, 117, 54, 113, 77, 81, 181 118, 82, 76, 53, 104, 97, 106, 114, 110, 49, 110, 57, 49, 67, 98, 79, 182 112, 98, 73, 83, 68, 48, 56, 113, 78, 76, 121, 114, 100, 107, 116, 183 45, 98, 70, 84, 87, 104, 65, 73, 52, 118, 77, 81, 70, 104, 54, 87, 184 101, 90, 117, 48, 102, 77, 52, 108, 70, 100, 50, 78, 99, 82, 119, 185 114, 51, 88, 80, 107, 115, 73, 78, 72, 97, 81, 45, 71, 95, 120, 66, 186 110, 105, 73, 113, 98, 119, 48, 76, 115, 49, 106, 70, 52, 52, 45, 99, 187 115, 70, 67, 117, 114, 45, 107, 69, 103, 85, 56, 97, 119, 97, 112, 188 74, 122, 75, 110, 113, 68, 75, 103, 119, 34, 125] 190 Using SHA-256 [SHS] as the hash function H, the JWK SHA-256 191 Thumbprint value is the SHA-256 hash of these octets, specifically: 193 [55, 54, 203, 177, 120, 124, 184, 48, 156, 119, 238, 140, 55, 5, 197, 194 225, 111, 251, 158, 133, 151, 21, 144, 31, 30, 76, 89, 177, 17, 130, 195 245, 123] 197 The base64url encoding [JWS] of this JWK SHA-256 Thumbprint value 198 (which might, for instance, be used as a "kid" (key ID) value) is: 200 NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs 202 3.2. JWK Members Used in the Thumbprint Computation 204 Only the required members of a key's representation are used when 205 computing its JWK Thumbprint value. As defined in JSON Web Key (JWK) 206 [JWK] and JSON Web Algorithms (JWA) [JWA], the required members of an 207 elliptic curve public key for the curves specified in Section 6.2.1.1 208 of [JWK], in lexicographic order, are: 210 o "crv" 211 o "kty" 212 o "x" 213 o "y" 215 the required members of an RSA public key, in lexicographic order, 216 are: 218 o "e" 219 o "kty" 220 o "n" 222 and the required members of a symmetric key, in lexicographic order, 223 are: 225 o "k" 226 o "kty" 228 As other key type values are defined, the specifications defining 229 them should be similarly consulted to determine which members, in 230 addition to "kty", are required. 232 3.2.1. JWK Thumbprint of a Private Key 234 The JWK Thumbprint of a private key is computed as the JWK Thumbprint 235 of the corresponding public key. This has the intentional benefit 236 that the same JWK Thumbprint value can be computed both by parties 237 using either the public or private key. The JWK Thumbprint can then 238 be used to refer to both keys of the key pair. Application context 239 can be used to determine whether the public or the private key is the 240 one being referred to by the JWK Thumbprint. 242 This specification defines the method of computing JWK Thumbprints of 243 private keys for interoperability reasons -- so that different 244 implementations computing JWK Thumbprints of private keys will 245 produce the same result. 247 3.2.2. Why Not Include Optional Members? 249 Optional members of JWKs are intentionally not included in the JWK 250 Thumbprint computation so that their absence or presence in the JWK 251 does not alter the resulting value. The JWK Thumbprint value is a 252 digest of the key value itself -- not of additional data that may 253 also accompany the key. 255 Optional members are not included so that the JWK Thumbprint refers 256 to a key -- not a key with an associated set of key attributes. This 257 has the benefit that while in different application contexts 258 different subsets of attributes about the key might or might not be 259 included in the JWK, the JWK Thumbprint of the key remains the same 260 regardless of which optional attributes are present. Different kinds 261 of thumbprints could be defined by other specifications that might 262 include some or all additional JWK members, should use cases arise 263 where such different kinds of thumbprints would be useful. See 264 Section 9.1 of [JWK] for notes on some ways to cryptographically bind 265 attributes to a key. 267 3.3. Order and Representation of Members in Hash Input 269 The required members in the input to the hash function are ordered 270 lexicographically by the Unicode code points of the member names. 272 Characters in member names and member values MUST be represented 273 without being escaped. This means that thumbprints of JWKs that 274 require such characters are not defined by this specification. (This 275 is not expected to limit the applicability of this specification, in 276 practice, as the members of JWK representations are not expected to 277 use any of these characters.) The characters specified as requiring 278 escaping by Section 7 of [RFC7159] are quotation mark, reverse 279 solidus (a.k.a. backslash), and the control characters U+0000 through 280 U+001F. 282 If the JWK key type uses members whose values are themselves JSON 283 objects (as of the time of this writing, none are defined that do), 284 the members of those objects MUST likewise be lexicographically 285 ordered. 287 If the JWK key type uses members whose values are JSON numbers (as of 288 the time of this writing, none are defined that do), if the numbers 289 are integers, they MUST be represented as a JSON number as defined in 290 Section 6 of [RFC7159] without including a fraction part or exponent 291 part. For instance, the value "1.024e3" MUST be represented as 292 "1024". This means that thumbprints of JWKs that use numbers that 293 are not integers are not defined by this specification. Also, as 294 noted in The I-JSON Message Format [I-D.ietf-json-i-json], 295 implementations cannot expect an integer whose absolute value is 296 greater than 9007199254740991 (i.e., that is outside the range 297 [-(2**53)+1, (2**53)-1]) to be treated as an exact value. 299 See Section 4 for a discussion of further practical considerations 300 pertaining to the representation of the hash input. 302 3.4. JWK Thumbprints of Keys Not in JWK Format 304 Note that a key need not be in JWK format to create a JWK Thumbprint 305 of it. The only prerequisites are that the JWK representation of the 306 key be defined and the party creating the JWK Thumbprint is in 307 possession of the necessary key material. These are sufficient to 308 create the hash input from the JWK representation of the key, as 309 described in Section 3.3. 311 4. Practical JSON and Unicode Considerations 313 Implementations will almost certainly use functionality provided by 314 the platform's JSON support when parsing the JWK and emitting the 315 JSON object used as the hash input. As a practical consideration, 316 future JWK member names should be avoided for which different 317 platforms or libraries might emit different representations. As of 318 the time of this writing, currently all defined JWK member names use 319 only printable ASCII characters, which should not exhibit this 320 problem. Note however, that JSON.stringify() cannot be counted on to 321 lexicographically sort the members of JSON objects, so while it may 322 be able to be used to emit some kinds of member values, different 323 code is likely to be needed to perform the sorting. 325 In particular, while the operation of lexicographically ordering 326 member names by their Unicode code points is well defined, different 327 platform sort functions may produce different results for non-ASCII 328 characters, in ways that may not be obvious to developers. If 329 writers of future specifications defining new JWK Key Type values 330 choose to restrict themselves to ASCII member names (which are for 331 machine and not human consumption anyway), some future 332 interoperability problems might be avoided. 334 However, if new JWK members are defined that use non-ASCII member 335 names, their definitions should specify the exact Unicode code point 336 sequences used to represent them, particularly in cases in which 337 Unicode normalization could result in the transformation of one set 338 of code points into another under any circumstances. 340 Use of escaped characters in JWKs for which JWK Thumbprints will be 341 computed should be avoided. (Use of escaped characters in the hash 342 input JWKs derived from these original JWKs is prohibited.) 344 While there is a natural representation to use for numeric values 345 that are integers, this specification does not attempt to define a 346 standard representation for numbers that are not integers or that 347 contain an exponent component. This is not expected to be a problem 348 in practice, as the required members of JWK representations are not 349 expected to use numbers that are not integers. 351 Use of number representations containing fraction or exponent parts 352 in JWKs for which JWK Thumbprints will be computed should be avoided. 354 All of these practical considerations are really an instance of Jon 355 Postel's principle: "Be liberal in what you accept, and conservative 356 in what you send." 358 5. Relationship to Digests of X.509 Values 360 JWK Thumbprint values are computed on the members required to 361 represent a key, rather than all members of a JWK that the key is 362 represented in. Thus, they are more analogous to applications that 363 use digests of X.509 Subject Public Key Info (SPKI) values, which are 364 defined in Section 4.1.2.7 of [RFC5280], than to applications that 365 use digests of complete certificate values, as the "x5t" (X.509 366 Certificate SHA-1 Thumbprint) [JWS] value defined for X.509 367 certificate objects does. While logically equivalent to a digest of 368 the SPKI representation of the key, a JWK Thumbprint is computed over 369 a JSON representation of that key, rather than over an ASN.1 370 representation of it. 372 6. IANA Considerations 374 This specification makes no requests of IANA. 376 7. Security Considerations 378 The JSON Security Considerations and Unicode Comparison Security 379 Considerations described in Sections 10.2 and 10.3 of JSON Web 380 Signature (JWS) [JWS] also apply to this specification. 382 Also, as described in Section 4, some implementations may produce 383 incorrect results if esoteric or escaped characters are used in the 384 member names. The security implications of this appear to be limited 385 for JWK Thumbprints of public keys, since while it may result in 386 implementations failing to identify the intended key, it should not 387 leak information, since the information in a public key is already 388 public in nature, by definition. 390 A hash of a symmetric key has the potential to leak information about 391 the key value. Thus, the JWK Thumbprint of a symmetric key should be 392 typically be concealed from parties not in possession of the 393 symmetric key, unless in the application context, the cryptographic 394 hash used, such as SHA-256, is known to provide sufficient protection 395 against disclosure of the key value. 397 A JWK Thumbprint will only uniquely identify a particular key if a 398 single unambiguous JWK representation for that key is defined and 399 used when computing the JWK Thumbprint. (Such representations are 400 defined for all the key types defined in JSON Web Algorithms (JWA) 402 [JWA].) For example, if an RSA key were to use "e":"AAEAAQ" 403 (representing [0, 1, 0, 1]) rather than the specified correct 404 representation of "e":"AQAB" (representing [1, 0, 1]), a different 405 thumbprint value would be produced for what could be effectively the 406 same key, at least for implementations that are lax in validating the 407 JWK values that they accept. Thus, JWK Thumbprint values can only be 408 relied upon to be unique for a given key if the implementation also 409 validates that the correct representation of the key is used. 411 Even more insidious is that an attacker may supply a key that is a 412 transformation of a legal key in order to have it appear to be a 413 different key. For instance, if a legitimate RSA key uses a modulus 414 value N and an attacker supplies a key with modulus 3*N, the modified 415 key would still work about 1/3 of the time, but would appear to be a 416 different key. Thus, while thumbprint values are valuable for 417 identifying legitimate keys, comparing thumbprint values is not a 418 reliable means of excluding (blacklisting) the use of particular keys 419 (or transformations thereof). 421 8. References 423 8.1. Normative References 425 [JWA] Jones, M., "JSON Web Algorithms (JWA)", 426 draft-ietf-jose-json-web-algorithms (work in progress), 427 January 2015. 429 [JWK] Jones, M., "JSON Web Key (JWK)", 430 draft-ietf-jose-json-web-key (work in progress), 431 January 2015. 433 [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web 434 Signature (JWS)", draft-ietf-jose-json-web-signature (work 435 in progress), January 2015. 437 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 438 Requirement Levels", BCP 14, RFC 2119, March 1997. 440 [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data 441 Interchange Format", RFC 7159, March 2014. 443 [SHS] National Institute of Standards and Technology, "Secure 444 Hash Standard (SHS)", FIPS PUB 180-4, March 2012. 446 [UNICODE] The Unicode Consortium, "The Unicode Standard", 1991-, 447 . 449 8.2. Informative References 451 [I-D.ietf-json-i-json] 452 Bray, T., "The I-JSON Message Format", 453 draft-ietf-json-i-json-06 (work in progress), 454 January 2015. 456 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 457 Housley, R., and W. Polk, "Internet X.509 Public Key 458 Infrastructure Certificate and Certificate Revocation List 459 (CRL) Profile", RFC 5280, May 2008. 461 Appendix A. Acknowledgements 463 James Manger and John Bradley participated in discussions that led to 464 the creation of this specification. Jim Schaad also contributed to 465 this specification. 467 Appendix B. Document History 469 [[ to be removed by the RFC editor before publication as an RFC ]] 471 -04 473 o Addressed additional review comments by Jim Schaad, which resulted 474 in several clarifications and some corrections to the case of RFC 475 2119 keywords. 477 -03 479 o Addressed review comments by James Manger and Jim Schaad, 480 including adding a section on the relationship to digests of X.509 481 values. 483 -02 485 o No longer register the new JSON Web Signature (JWS) and JSON Web 486 Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) 487 member name "jkt" (JWK SHA-256 Thumbprint) for holding these 488 values. 490 o Added security considerations about the measures needed to ensure 491 that a unique JWK Thumbprint value is produced for a key. 493 o Added text saying that the base64url encoded JWK Thumbprint value 494 could be used as a "kid" (key ID) value. 496 o Broke a sentence up that used to be way too long. 498 -01 500 o Addressed issues pointed out by Jim Schaad, including defining the 501 JWK Thumbprint computation in a manner that allows different hash 502 functions to be used over time. 504 o Added Nat Sakimura as an editor. 506 -00 508 o Created draft-ietf-jose-jwk-thumbprint-00 from 509 draft-jones-jose-jwk-thumbprint-01 with no normative changes. 511 Authors' Addresses 513 Michael B. Jones 514 Microsoft 516 Email: mbj@microsoft.com 517 URI: http://self-issued.info/ 519 Nat Sakimura 520 Nomura Research Institute 522 Email: n-sakimura@nri.co.jp 523 URI: http://nat.sakimura.org/