Re: [jose] 'aud' and 'iss' in JWE header

Dick Hardt <dick.hardt@gmail.com> Mon, 25 March 2013 23:09 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com>
Date: Mon, 25 Mar 2013 16:09:01 -0700
Message-Id: <AFBB0F6B-FB11-4F01-8F68-218EB211230F@gmail.com>
References: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com> <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: jose@ietf.org
Subject: Re: [jose] 'aud' and 'iss' in JWE header

Will that be compliant though? I would like the spec to say that I can optionally include those properties in the header of a JWE.


On Mar 25, 2013, at 4:02 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Once the change to ignore additional elements in the header is made, there is nothing to stop you from doing that.
> 
> You make a good point about scoping the 'kid' to the 'iss'. 
> 
> John B.
> 
> On 2013-03-25, at 7:53 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
>> Hello everyone
>> 
>> As I am implementing JOSE JWE, I would like to know who the 'iss' and 'aud' are. I am using symmetric, shared keys and the 'aud' party would like to know they really are the intended 'aud' and who the 'iss' is. Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee that two 'iss' won't have the same 'kid' for different keys from different 'iss'.
>> 
>> I don't see an issue with disclosure of who 'iss' and 'aud' are as any party able to intercept the token will have a pretty good idea of where it is coming from and where it is going to. Knowing the 'iss' and 'aud' allows the 'aud' to return an error before doing any crypto if the 'aud' does not match or if there is no 'kid' for the 'iss'.
>> 
>> Is there a reason why I cannot have 'iss' and 'aud' in the header?
>> 
>> This is not an issue with JWS since the payload is clear and the 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto.
>> 
>> -- Dick
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
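The pre-crypto check described in this thread, as an added example that is not part of the original messages or of any JOSE implementation: the recipient reads only the JWE protected header, rejects the token if 'aud' is not its own audience, and selects a key by the pair ('iss', 'kid') so that two issuers reusing the same 'kid' cannot collide. The keystore contents, issuer and audience URLs, and the `build_token` helper (which fills the four non-header segments with placeholders rather than encrypting anything) are constructed for the example.

```python
import base64
import json

# Constructed sample keystore (not from the thread): symmetric keys are
# scoped by (iss, kid), so issuer A's "k1" and issuer B's "k1" are distinct.
KEYSTORE = {
    ("https://issuer-a.example", "k1"): b"A" * 32,
    ("https://issuer-b.example", "k1"): b"B" * 32,
}
OUR_AUDIENCE = "https://service.example"  # the 'aud' this recipient answers to


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token(header: dict) -> str:
    """Assemble a compact-serialization JWE around the given protected header.
    The encrypted key, IV, ciphertext and tag segments are placeholders;
    no encryption is performed (constructed test input only)."""
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    placeholder = b64url_encode(b"\x00" * 16)
    return ".".join([protected] + [placeholder] * 4)


def parse_protected_header(token: str) -> dict:
    """Decode the first segment of a compact JWE into its JSON header object."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly five segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def precheck(token: str, expected_aud: str, keystore: dict):
    """Decide, from the header alone, whether decryption is worth attempting.
    Returns ("proceed", key) or ("reject", reason). No crypto is run here."""
    try:
        header = parse_protected_header(token)
    except (ValueError, UnicodeDecodeError) as exc:  # covers base64 and JSON errors
        return ("reject", f"malformed token: {exc}")
    for required in ("alg", "enc"):
        if required not in header:
            return ("reject", f"missing required header parameter '{required}'")
    # 'aud' may be a single string or a list; reject early if we are not in it.
    aud = header.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return ("reject", "token is not addressed to this audience")
    # Key selection is scoped by issuer, so a 'kid' alone never picks a key.
    iss, kid = header.get("iss"), header.get("kid")
    if not isinstance(iss, str) or not isinstance(kid, str):
        return ("reject", "cannot select a key without string 'iss' and 'kid'")
    key = keystore.get((iss, kid))
    if key is None:
        return ("reject", "no key for this (iss, kid) pair")
    return ("proceed", key)


if __name__ == "__main__":
    sample = {"alg": "dir", "enc": "A256GCM", "iss": "https://issuer-a.example",
              "aud": OUR_AUDIENCE, "kid": "k1"}
    print(precheck(build_token(sample), OUR_AUDIENCE, KEYSTORE))
    print(precheck(build_token(dict(sample, aud="https://other.example")),
                   OUR_AUDIENCE, KEYSTORE))
```

The header fields are plaintext and, at this stage, unverified: in JWE the protected header is bound to the ciphertext as additional authenticated data, so a tampered 'iss' or 'kid' surfaces as an authentication-tag failure once decryption is attempted with the selected key. The pre-check therefore buys early rejection and unambiguous key selection, not trust; the recipient still has to decrypt successfully and validate the claims in the payload before acting on the token.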