idnits 2.17.1 draft-jones-json-web-signature-json-serialization-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 5, 2012) is 4434 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'JWA' -- Possible downref: Non-RFC (?) normative reference: ref. 'JWS' ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 JOSE Working Group M. Jones 3 Internet-Draft Microsoft 4 Intended status: Standards Track J. Bradley 5 Expires: September 6, 2012 independent 6 N. Sakimura 7 Nomura Research Institute 8 March 5, 2012 10 JSON Web Signature JSON Serialization (JWS-JS) 11 draft-jones-json-web-signature-json-serialization-00 13 Abstract 15 The JSON Web Signature JSON Serialization (JWS-JS) is a means of 16 representing content secured with digital signatures or Hash-based 17 Message Authentication Codes (HMACs) using JSON data structures. 18 This specification describes a means of representing secured content 19 as a JSON data object (as opposed to the JWS specification, which 20 uses a compact serialization with a URL-safe representation). It 21 enables multiple digital signatures and/or HMACs to be applied to the 22 same content (unlike JWS). Cryptographic algorithms and identifiers 23 used with this specification are enumerated in the separate JSON Web 24 Algorithms (JWA) specification. The JSON Serialization for related 25 encryption functionality is described in the separate JSON Web 26 Encryption JSON Serialization (JWE-JS) specification. 28 Requirements Language 30 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 31 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 32 document are to be interpreted as described in RFC 2119 [RFC2119]. 34 Status of this Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at http://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on September 6, 2012. 50 Copyright Notice 52 Copyright (c) 2012 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (http://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 68 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 3. JSON Serialization . . . . . . . . . . . . . . . . . . . . . . 4 70 4. Example JWS-JS . . . . . . . . . . . . . . . . . . . . . . . . 5 71 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 73 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 74 7.1. Normative References . . . . . . . . . . . . . . . . . . . 6 75 7.2. Informative References . . . . . . . . . . . . . . . . . . 6 76 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 7 77 Appendix B. Document History . . . . . . . . . . . . . . . . . . . 7 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 80 1. Introduction 82 The JSON Web Signature JSON Serialization (JWS-JS) is a format for 83 representing content secured with digital signatures or Hash-based 84 Message Authentication Codes (HMACs) as a JSON [RFC4627] object. It 85 enables multiple digital signatures and/or HMACs to be applied to the 86 same content (unlike JWS [JWS]). The digital signature and HMAC 87 mechanisms used are independent of the type of content being secured, 88 allowing arbitrary content to be secured. Cryptographic algorithms 89 and identifiers used with this specification are enumerated in the 90 separate JSON Web Algorithms (JWA) [JWA] specification. The JSON 91 Serialization for related encryption functionality is described in 92 the separate JSON Web Encryption JSON Serialization [JWE-JS] 93 specification. 95 2. Terminology 97 This specification uses the same terminology as the JSON Web 98 Signature (JWS) [JWS] specification. 100 3. JSON Serialization 102 The JSON Serialization represents secured content as a JSON object 103 with members for each of three constituent parts: a "headers" member 104 whose value is a non-empty array of Encoded JWS Header values, a 105 "payload" member whose value is an Encoded JWS Payload value, and a 106 "signatures" member whose value is a non-empty array of Encoded JWS 107 Signature values, where the number of elements in both arrays is the 108 same. 110 Unlike the compact serialization used by JWSs, content using the JSON 111 Serialization MAY be secured with more than one digital signature 112 and/or HMAC value. Each is represented as an Encoded JWS Signature 113 in the "signatures" member array. For each, there is a corresponding 114 "headers" member array element that is an Encoded JWS Header 115 specifying the digital signature or HMAC applied to the Encoded JWS 116 Header value and the Encoded JWS Payload value to create the JWS 117 Signature value. Therefore, the syntax is: 118 {"headers":["
",...,"
"], 119 "payload":"", 120 "signatures":["",...,""] 121 } 123 The contents of the Encoded JWS Header, Encoded JWS Payload, and 124 Encoded JWS Signature values are exactly as specified in JSON Web 125 Signature (JWS) [JWS]. They are interpreted and validated in the 126 same manner, with each corresponding "headers" and "signatures" value 127 being created or validated together. The arrays MUST have the same 128 number of elements. 130 The i'th JWS Signature value is computed on the JWS Secured Input 131 corresponding to the concatenation of the i'th Encoded JWS Header, a 132 period ('.') character, and the Encoded JWS Payload in the same 133 manner described in the JWS specification. This has the desirable 134 result that each Encoded JWS signature value in the "signatures" 135 array is identical to the value that would be used for the same 136 header and payload in a JWS. 138 4. Example JWS-JS 140 This section contains an example using the JWS JSON Serialization. 141 This example demonstrates the capability for conveying multiple 142 digital signatures and/or HMACs for the same payload. 144 The Encoded JWS Payload used in this example is the same as used in 145 the examples in Appendix A of JWS (with line breaks for display 146 purposes only): 147 eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt 148 cGxlLmNvbS9pc19yb290Ijp0cnVlfQ 150 Two digital signatures are used in this example: an RSA SHA-256 151 signature, for which the header and signature values are the same as 152 in Appendix A.2 of JWS, and an ECDSA P-256 SHA-256 signature, for 153 which the header and signature values are the same as in Appendix A.3 154 of JWS. The two Decoded JWS Header Segments used are: 155 {"alg":"RS256"} 157 and: 158 {"alg":"ES256"} 160 Since the computations of the JWS Header and JWS Signature values are 161 the same as in Appendix A.2 and Appendix A.3 of JWS, they are not 162 repeated here. 164 The complete JSON Web Signature JSON Serialization (JWS-JS) for these 165 values is as follows (with line breaks for display purposes only): 167 {"headers":[ 168 "eyJhbGciOiJSUzI1NiJ9", 169 "eyJhbGciOiJFUzI1NiJ9"], 170 "payload":"eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0 171 dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ", 172 "signatures":[ 173 "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZ 174 mh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBY 175 NX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Q 176 e7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noO 177 PqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmt 178 VrBp0igcN_IoypGlUPQGe77Rw", 179 "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS 180 lSApmWQxfKTUJqPP3-Kg6NU1Q"] 181 } 183 5. IANA Considerations 185 This specification makes no requests of IANA. 187 6. Security Considerations 189 The security considerations for this specification are the same as 190 those for the JSON Web Signature (JWS) [JWS] specification. 192 7. References 194 7.1. Normative References 196 [JWA] Jones, M., "JSON Web Algorithms (JWA)", January 2012. 198 [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web 199 Signature (JWS)", January 2012. 201 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 202 Requirement Levels", BCP 14, RFC 2119, March 1997. 204 [RFC4627] Crockford, D., "The application/json Media Type for 205 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 207 7.2. Informative References 209 [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", 210 September 2010. 212 [JWE-JS] Jones, M., "JSON Web Encryption JSON Serialization 213 (JWE-JS)", March 2012. 215 [MagicSignatures] 216 Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic 217 Signatures", August 2010. 219 Appendix A. Acknowledgements 221 JSON serializations for secured content were previously explored by 222 Magic Signatures [MagicSignatures] and JSON Simple Sign [JSS]. 224 Appendix B. Document History 226 -00 228 o Created the initial version incorporating JOSE working group input 229 and drawing from the JSON Serialization previously proposed in 230 draft-jones-json-web-token-01. 232 Authors' Addresses 234 Michael B. Jones 235 Microsoft 237 Email: mbj@microsoft.com 238 URI: http://self-issued.info/ 240 John Bradley 241 independent 243 Email: ve7jtb@ve7jtb.com 245 Nat Sakimura 246 Nomura Research Institute 248 Email: n-sakimura@nri.co.jp