Re: [jose] JOSE and JWT specs incorporating working group decisions since IETF 84
Mike Jones <Michael.Jones@microsoft.com> Tue, 16 October 2012 16:10 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E891721F89E3 for <jose@ietfa.amsl.com>; Tue, 16 Oct 2012 09:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.279
X-Spam-Level:
X-Spam-Status: No, score=-3.279 tagged_above=-999 required=5 tests=[AWL=-0.280, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhAp12-immdF for <jose@ietfa.amsl.com>; Tue, 16 Oct 2012 09:10:35 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id 2779321F8A0B for <jose@ietf.org>; Tue, 16 Oct 2012 09:10:34 -0700 (PDT)
Received: from mail94-ch1-R.bigfish.com (10.43.68.252) by CH1EHSOBE016.bigfish.com (10.43.70.66) with Microsoft SMTP Server id 14.1.225.23; Tue, 16 Oct 2012 16:10:33 +0000
Received: from mail94-ch1 (localhost [127.0.0.1]) by mail94-ch1-R.bigfish.com (Postfix) with ESMTP id D1A16201EE; Tue, 16 Oct 2012 16:10:33 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -25
X-BigFish: VS-25(zz9371Ic89bh542Mzz1202h1d1ah1d2ahzz1033IL17326ah8275eh8275bh8275dha1495iz2fh2a8h668h839h93fhd25hf0ah107ah1288h12a5h12a9h12bdh137ah13b6h1441h1155h)
Received-SPF: pass (mail94-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail94-ch1 (localhost.localdomain [127.0.0.1]) by mail94-ch1 (MessageSwitch) id 1350403831985813_21552; Tue, 16 Oct 2012 16:10:31 +0000 (UTC)
Received: from CH1EHSMHS018.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.244]) by mail94-ch1.bigfish.com (Postfix) with ESMTP id EC21640094; Tue, 16 Oct 2012 16:10:31 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS018.bigfish.com (10.43.70.18) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 16 Oct 2012 16:10:27 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.33]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0318.003; Tue, 16 Oct 2012 16:10:18 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Vladimir Dzhuvinov / NimbusDS <vladimir@nimbusds.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] JOSE and JWT specs incorporating working group decisions since IETF 84
Thread-Index: AQHNq5DdDtelvfepRBCO1gAjjbxxsZe8GkdA
Date: Tue, 16 Oct 2012 16:10:17 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366854172@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <20121016042455.cc40c4f3d92d2001859047cd8cabb9ab.6d065f381d.wbe@email07.europe.secureserver.net>
In-Reply-To: <20121016042455.cc40c4f3d92d2001859047cd8cabb9ab.6d065f381d.wbe@email07.europe.secureserver.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [jose] JOSE and JWT specs incorporating working group decisions since IETF 84
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2012 16:10:40 -0000
Thanks - good feedback! -----Original Message----- From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Vladimir Dzhuvinov / NimbusDS Sent: Tuesday, October 16, 2012 4:25 AM To: jose@ietf.org Subject: Re: [jose] JOSE and JWT specs incorporating working group decisions since IETF 84 I just incorporated the -06 spec changes into the Nimbus JOSE+JWT library. Not only tokens are shorter now, but the core library code was reduced too! Excellent work! Cheers, Vladimir PS: I'm looking for contributors to port the missing JWE algs: https://bitbucket.org/nimbusds/nimbus-jose-jwt -- Vladimir Dzhuvinov : www.NimbusDS.com : vladimir@nimbusds.com -------- Original Message -------- Subject: [jose] JOSE and JWT specs incorporating working group decisions since IETF 84 From: Mike Jones <Michael.Jones@microsoft.com> Date: Tue, October 16, 2012 7:59 am To: "jose@ietf.org" <jose@ietf.org> New versions of the JSON WEB {Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) specifications have been released. These versions incorporate the decisions made by the JOSE working group during and since IETF 84. The primary change was revising the JWE format to always use AEAD encryption algorithms. The companion change was defining two new composite AEAD algorithms “A128CBC+HS256” and “A256CBC+HS512” that use AES CBC to perform encryption and matching HMAC SHA-2 algorithms to perform an integrity check on the ciphertext and the parameters used to create it. Other than that, all changes were local in scope, with no changes to JWS – other than changing the format of the “x5c” (X.509 Certificate Chain) from a string containing a list of certificate values to an array of strings containing certificate values. Likewise, the only changes to JWT were to track changes made in the specs that it uses. Having addressed all the open issues with resolutions with apparent working group consensus, it’s my hope that the working group will decide to send these specifications to working group last call at IETF 85. The companion JWS JSON Serialization and JWE JSON Serialization specs were also updated. The working group specifications are available at: · http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-06 · http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06 · http://tools.ietf.org/html/draft-ietf-jose-json-web-key-06 · http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-06 · http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-04 The individual submission specifications are available at: · http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-02 · http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-02 The document history entries (also in the specifications) are as follows: http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-06 Changed x5c (X.509 Certificate Chain) representation from being a single string to being an array of strings, each containing a single base64 encoded DER certificate value, representing elements of the certificate chain. Applied changes made by the RFC Editor to RFC 6749's registry language to this specification. http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06 Removed the int and kdf parameters and defined the new composite AEAD algorithms A128CBC+HS256 and A256CBC+HS512 to replace the former uses of AES CBC, which required the use of separate integrity and key derivation functions. Included additional values in the Concat KDF calculation -- the desired output size and the algorithm value, and optionally PartyUInfo and PartyVInfo values. Added the optional header parameters apu (agreement PartyUInfo), apv (agreement PartyVInfo), epu (encryption PartyUInfo), and epv (encryption PartyVInfo). Updated the KDF examples accordingly. Promoted Initialization Vector from being a header parameter to being a top-level JWE element. This saves approximately 16 bytes in the compact serialization, which is a significant savings for some use cases. Promoting the Initialization Vector out of the header also avoids repeating this shared value in the JSON serialization. Changed x5c (X.509 Certificate Chain) representation from being a single string to being an array of strings, each containing a single base64 encoded DER certificate value, representing elements of the certificate chain. Added an AES Key Wrap example. Reordered the encryption steps so CMK creation is first, when required. Correct statements in examples about which algorithms produce reproducible results. http://tools.ietf.org/html/draft-ietf-jose-json-web-key-06 Changed the name of the JWK RSA exponent parameter from exp to xpo so as to allow the potential use of the name exp for a future extension that might define an expiration parameter for keys. (The exp name is already used for this purpose in the JWT specification.) Clarify that the alg (algorithm family) member is REQUIRED. Correct an instance of "JWK" that should have been "JWK Set". Applied changes made by the RFC Editor to RFC 6749's registry language to this specification. http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-06 Removed the int and kdf parameters and defined the new composite AEAD algorithms A128CBC+HS256 and A256CBC+HS512 to replace the former uses of AES CBC, which required the use of separate integrity and key derivation functions. Included additional values in the Concat KDF calculation -- the desired output size and the algorithm value, and optionally PartyUInfo and PartyVInfo values. Added the optional header parameters apu (agreement PartyUInfo), apv (agreement PartyVInfo), epu (encryption PartyUInfo), and epv (encryption PartyVInfo). Changed the name of the JWK RSA exponent parameter from exp to xpo so as to allow the potential use of the name exp for a future extension that might define an expiration parameter for keys. (The exp name is already used for this purpose in the JWT specification.) Applied changes made by the RFC Editor to RFC 6749's registry language to this specification. http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-04 Promoted Initialization Vector from being a header parameter to being a top-level JWE element. This saves approximately 16 bytes in the compact serialization, which is a significant savings for some use cases. Promoting the Initialization Vector out of the header also avoids repeating this shared value in the JSON serialization. Applied changes made by the RFC Editor to RFC 6749's registry language to this specification. Reference RFC 6755 -- An IETF URN Sub-Namespace for OAuth. http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-02 Changed to use an array of structures for per-recipient values, rather than a set of parallel arrays. http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-02 Changed to use an array of structures for per-recipient values, rather than a set of parallel arrays. Promoted Initialization Vector from being a header parameter to being a top-level JWE element. This saves approximately 16 bytes in the compact serialization, which is a significant savings for some use cases. Promoting the Initialization Vector out of the header also avoids repeating this shared value in the JSON serialization. HTML formatted versions are available at: · http://self-issued.info/docs/draft-ietf-jose-json-web-signature-06.html · http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-06.html · http://self-issued.info/docs/draft-ietf-jose-json-web-key-06.html · http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-06.html · http://self-issued.info/docs/draft-ietf-oauth-json-web-token-04.html · http://self-issued.info/docs/draft-jones-jose-jws-json-serialization-02.html · http://self-issued.info/docs/draft-jones-jose-jwe-json-serialization-02.html -- Mike _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] JOSE and JWT specs incorporating working g… Mike Jones
- Re: [jose] JOSE and JWT specs incorporating worki… Vladimir Dzhuvinov / NimbusDS
- Re: [jose] JOSE and JWT specs incorporating worki… Mike Jones
- [jose] xpo Manger, James H
- Re: [jose] xpo Richard Barnes
- [jose] AEAD-only Manger, James H
- Re: [jose] xpo Sean Turner
- Re: [jose] xpo Nat Sakimura
- Re: [jose] xpo Matt Miller (mamille2)