Re: [jose] TTL for JWK

Brian Campbell <bcampbell@pingidentity.com> Wed, 20 February 2013 15:20 UTC

In-Reply-To: <5124E39C.2030804@oracle.com>
References: <CA+k3eCTZ4KeC7ZH41OWkjkLCp0RiRBkze=4NpFO7AG5zVq-bJQ@mail.gmail.com> <5124E39C.2030804@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 20 Feb 2013 08:19:41 -0700
Message-ID: <CA+k3eCSGPfpUbeBkSCMTh+jAJgxMP8BWsgdLPt_CqsvkaXASCQ@mail.gmail.com>
To: Prateek Mishra <prateek.mishra@oracle.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] TTL for JWK

A fair question Prateek, but if you take that to its logical end, it might
suggest that "use", "kid" and "alg" be removed from JWK as well.

But my resolve for this proposal is weakening so it's not worth arguing
about.


On Wed, Feb 20, 2013 at 7:54 AM, Prateek Mishra
<prateek.mishra@oracle.com> wrote:

>  Shouldn't this be a part of a key management layer distinct from JWK?
>
> I was under the impression that JWK was limited to
>
> [quote]
>
>
> JavaScript Object Notation (JSON) data
>    structure that represents a public key.  This specification also
>    defines a JSON Web Key Set (JWK Set) JSON data structure for
>    representing a set of JWKs.
>
> [/quote]
>
> - prateek
>
> I'd like to float the idea of introducing a time to live parameter to the
> base JWK document, which could probably fit in as a subsection of §4 that
> defines parameters common to all key types [1].
>
> The motivation is that many uses of JWKs will involve caching of JWK data
> and a TTL parameter could be used to indicate how long a key could be
> safely cached and used without needing to recheck the JWK source. I don't
> want it to be a hard expiration date for the key but rather a hint to help
> facilitate efficient and error free caching.
>
> OpenID Connect has a real use case for this where entities publish their
> keys via a JWK Set at an HTTPS URL. To support key rotation and encryption,
> there needs to be some way to indicate the TTL of a public key used to
> encrypt. Of course, this isn't the only way to skin that cat but it strikes
> me as a good way and one that might provide utility for JWK in other
> contexts.
> JSON Web Token [2] defines a data type that is "A JSON numeric value
> representing the number of seconds from 1970-01-01T0:0:0Z UTC until the
> specified UTC date/time" that seems like it could be co-opted to work well
> as the value for a "ttl" parameter.
>
> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08#section-4
>
> [2]
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-2
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
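To make concrete what a consumer of the proposed hint would do, here is an added example (not from the thread or any JOSE draft) of a JWK Set cache in Python that treats a hypothetical "ttl" member, holding a NumericDate as quoted from the JWT draft, as a refresh hint rather than a hard expiry. The "ttl" member itself, the sample keys and the clock values are constructed assumptions.

```python
import json
import time
from typing import Callable, Dict, Optional

# Constructed sample JWK Set. "ttl" is the hypothetical per-key hint from the
# thread: seconds since 1970-01-01T00:00:00Z after which the cached copy should
# be re-fetched. The key material is a placeholder, not a usable key.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "2013-02", "use": "enc", "alg": "RSA1_5",
     "n": "PLACEHOLDER", "e": "AQAB", "ttl": 1361460000},
    {"kty": "RSA", "kid": "2013-01", "use": "sig",
     "n": "PLACEHOLDER", "e": "AQAB"},   # no ttl: the default policy applies
]})


class JwkSetCache:
    """Caches a JWK Set; "ttl" decides when to recheck the source, not when keys die."""

    def __init__(self, fetch: Callable[[], str], now: Callable[[], float] = time.time,
                 default_ttl: int = 3600, min_ttl: int = 60):
        self.fetch, self.now = fetch, now
        self.default_ttl, self.min_ttl = default_ttl, min_ttl
        self.keys: Dict[str, dict] = {}
        self.refresh_at = 0.0      # absolute time at which the set is re-fetched
        self.fetch_count = 0

    def _load(self) -> None:
        doc = json.loads(self.fetch())
        keys = {k["kid"]: k for k in doc["keys"] if "kid" in k}
        fetched = self.now()
        deadlines = [k["ttl"] for k in keys.values()
                     if isinstance(k.get("ttl"), (int, float))]
        # Recheck when the earliest hint passes; without hints fall back to a
        # default. Never recheck more often than min_ttl, so a bad or already
        # past hint cannot turn every lookup into a round trip to the source.
        target = min(deadlines) if deadlines else fetched + self.default_ttl
        self.refresh_at = max(target, fetched + self.min_ttl)
        self.keys, self.fetch_count = keys, self.fetch_count + 1

    def get_key(self, kid: str) -> Optional[dict]:
        if self.now() >= self.refresh_at:
            try:
                self._load()
            except Exception:
                # Hint, not expiration: keep serving the cached keys and retry later.
                self.refresh_at = self.now() + self.min_ttl
        return self.keys.get(kid)
```

Because the hint is advisory, a source that is temporarily unreachable degrades to continued use of the last good set instead of an outage; a hard expiry would need a different policy here.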