Re: [jose] 'aud' and 'iss' in JWE header

"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 26 March 2013 18:12 UTC

From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [jose] 'aud' and 'iss' in JWE header
Date: Tue, 26 Mar 2013 18:12:05 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED9411518B28C@xmb-aln-x11.cisco.com>
References: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com> <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com> <AFBB0F6B-FB11-4F01-8F68-218EB211230F@gmail.com> <942E1B2E-1469-4472-83A4-3884CF21F5EB@ve7jtb.com> <A7EC3B59-824E-4413-914E-8298036CC0CD@gmail.com> <EAA32C99-3498-407C-80FC-DF63EA40963A@gmail.com>
In-Reply-To: <EAA32C99-3498-407C-80FC-DF63EA40963A@gmail.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] 'aud' and 'iss' in JWE header

On Mar 26, 2013, at 11:57 AM, Dick Hardt <dick.hardt@gmail.com> wrote:

> My other option would be to hack the 'kid' value to include both the 'iss' value and the 'aud' value so that a recipient would be able to determine if they are the audience and who the issuer is by cracking the 'kid' => but that seems like such a hack given that I have the ability to put the 'aud' and 'iss' in the header.
> 
> Am I the only one that sees the value in having the 'aud' and 'iss' in the header for JWE?
> 

In my case (XMPP E2E), I have addressing information that exists completely separate from the protected.  Including 'aud' and 'iss' is of no benefit to me.  That doesn't mean it causes me harm, provided I can ignore them.


- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.

> -- Dick
> 
> On Mar 25, 2013, at 4:27 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
>> 'iss' and 'aud' are not reserved header parameter names, so if I used them, then they would be private names subject to collision. 
>> 
>> Unless there is a reason why they should not be allowed, I'd like them to be reserved header parameter names so that their meaning is clear to an implementation or library. I would like to write my libraries to look at the header for those parameters if they are there.
>> 
>> On Mar 25, 2013, at 4:19 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>>> That will be compliant.  The spec won't call out those particular properties from JWT.   
>>> 
>>> If you think that they should be called out as optional parameters that could be considered.  However that is not an open issue at this point.
>>> 
>>> John B.
>>> On 2013-03-25, at 8:09 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>> 
>>>> Will that be compliant though? I would like the spec to say that I can optionally include those properties in the header of a JWE.
>>>> 
>>>> 
>>>> On Mar 25, 2013, at 4:02 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>> 
>>>>> Once the change to ignore additional elements in the header is made, there is nothing to stop you from doing that.
>>>>> 
>>>>> You make a good point about scoping the 'kid' to the 'iss'. 
>>>>> 
>>>>> John B.
>>>>> 
>>>>> On 2013-03-25, at 7:53 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>> 
>>>>>> Hello everyone
>>>>>> 
>>>>>> As I am implementing JOSE JWE, I would like to know who the 'iss' and 'aud' is. I am using symmetric, shared keys and the 'aud' party would like to know they really are the intended 'aud' and who the 'iss' is. Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee that two 'iss' won't have the same 'kid' for different keys from different 'iss'.
>>>>>> 
>>>>>> I don't see an issue with disclosure of who 'iss' and 'aud' are as any party able to intercept the token will have a pretty good idea of where it is coming from and where it is going to. Knowing the 'iss' and 'aud' allows the 'aud' to return an error before doing any crypto if the 'aud' does not match or if there is no 'kid' for the 'iss'.
>>>>>> 
>>>>>> Is there a reason why I cannot have 'iss' and 'aud' in the header?
>>>>>> 
>>>>>> This is not an issue with JWS since the payload is clear and the 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto.
>>>>>> 
>>>>>> -- Dick
>>>>>> _______________________________________________
>>>>>> jose mailing list
>>>>>> jose@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>> 
>>>> 
>>> 
>> 
> 
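Added example, not code from this thread or from any JOSE implementation: the pre-crypto routing check Dick describes, with 'aud' and 'iss' read from the JWE protected header and the key store indexed by (iss, kid) so that two issuers sharing a 'kid' do not collide. It also shows why that check can only ever reject, never accept: the protected header is the AAD of the content encryption, so any edit to 'aud' or 'iss' fails the tag once the key is applied. The issuer and recipient URLs, the key store and the fixed IV are constructed; alg "dir" with enc "A128CBC-HS256" is assumed, and only the HMAC half of that algorithm (the tag computation of RFC 7518 section 5.2.2.1) is implemented, so the ciphertext bytes are a placeholder rather than real AES-CBC output.

```python
import base64, hashlib, hmac, json, struct

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed key store for the recipient: keys are indexed by (iss, kid),
# not by kid alone. Both issuers use kid "k1" on purpose, the collision the
# thread describes: the same kid names different keys at different issuers.
KEYSTORE = {
    ("https://issuer-a.example", "k1"): bytes(range(32)),
    ("https://issuer-b.example", "k1"): bytes(range(32, 64)),
}
MY_AUDIENCE = "https://recipient.example"  # constructed identity of this recipient

def protected_header(jwe: str) -> dict:
    """Segment 1 of a compact JWE is BASE64URL(UTF8(protected header))."""
    return json.loads(b64url_decode(jwe.split(".")[0]))

def precheck(jwe: str, my_audience: str, keystore: dict):
    """Routing check done before any crypto. It can only reject cheaply or
    pick a candidate key; the header has not been authenticated yet."""
    hdr = protected_header(jwe)
    aud = hdr.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_audience not in audiences:
        return False, "not addressed to this recipient", None
    key = keystore.get((hdr.get("iss"), hdr.get("kid")))
    if key is None:
        return False, "no key for this (iss, kid) pair", None
    return True, "candidate key selected; tag not yet verified", key

def cbc_hs256_tag(cek: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """A128CBC-HS256 tag (RFC 7518 section 5.2.2.1): MAC_KEY is the first 16
    bytes of the 32-byte CEK, AL is the AAD bit length as a 64-bit big-endian
    integer, tag is the first 16 bytes of HMAC-SHA256(MAC_KEY, AAD||IV||C||AL)."""
    al = struct.pack(">Q", len(aad) * 8)
    return hmac.new(cek[:16], aad + iv + ciphertext + al, hashlib.sha256).digest()[:16]

def build_jwe(header: dict, cek: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Compact serialization with alg "dir" (empty encrypted-key segment).
    The AAD is the ASCII of the base64url protected header, i.e. segment 1."""
    aad = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    tag = cbc_hs256_tag(cek, aad.encode("ascii"), iv, ciphertext)
    return ".".join([aad, "", b64url_encode(iv), b64url_encode(ciphertext), b64url_encode(tag)])

def verify_tag(jwe: str, cek: bytes) -> bool:
    """The integrity step that must pass before anything in the header or the
    plaintext is trusted. Any change to aud/iss/kid changes the AAD and fails here."""
    hdr_b64, _encrypted_key, iv_b64, ct_b64, tag_b64 = jwe.split(".")
    expected = cbc_hs256_tag(cek, hdr_b64.encode("ascii"), b64url_decode(iv_b64), b64url_decode(ct_b64))
    return hmac.compare_digest(expected, b64url_decode(tag_b64))

def rewrite_header(jwe: str, **changes) -> str:
    """Replace protected-header claims while keeping IV, ciphertext and tag:
    what an on-path party without the key could do to the header."""
    parts = jwe.split(".")
    hdr = protected_header(jwe)
    hdr.update(changes)
    parts[0] = b64url_encode(json.dumps(hdr, separators=(",", ":")).encode("utf-8"))
    return ".".join(parts)

def demo() -> dict:
    """Run the cases the thread discusses and return the outcomes."""
    iv = bytes(16)           # constructed fixed IV, for reproducibility only
    ciphertext = bytes(32)   # constructed placeholder, not real AES-CBC output
    header = {"alg": "dir", "enc": "A128CBC-HS256", "kid": "k1",
              "iss": "https://issuer-a.example", "aud": MY_AUDIENCE}
    cek_a = KEYSTORE[("https://issuer-a.example", "k1")]
    jwe = build_jwe(header, cek_a, iv, ciphertext)

    ok, _reason, key = precheck(jwe, MY_AUDIENCE, KEYSTORE)
    results = {"accepted": ok and verify_tag(jwe, key)}

    # Wrong audience: rejected by the pre-check, no key lookup, no crypto.
    foreign = rewrite_header(jwe, aud="https://someone-else.example")
    results["foreign_aud_rejected"] = not precheck(foreign, MY_AUDIENCE, KEYSTORE)[0]

    # Unknown issuer with a familiar kid: no (iss, kid) entry, rejected cheaply.
    unknown = rewrite_header(jwe, iss="https://nobody.example")
    results["unknown_iss_rejected"] = not precheck(unknown, MY_AUDIENCE, KEYSTORE)[0]

    # Same kid, iss rewritten to issuer B: the pre-check selects B's key and the
    # tag check then fails, so the unauthenticated header never yields an accept.
    swapped = rewrite_header(jwe, iss="https://issuer-b.example")
    ok_b, _reason, key_b = precheck(swapped, MY_AUDIENCE, KEYSTORE)
    results["iss_swap_caught_by_tag"] = ok_b and not verify_tag(swapped, key_b)

    # Even with the right key, a header edited in flight fails the tag.
    widened = rewrite_header(jwe, aud=[MY_AUDIENCE, "https://someone-else.example"])
    results["header_edit_caught_by_tag"] = not verify_tag(widened, cek_a)
    return results

if __name__ == "__main__":
    print(demo())
```

The design point is the order of operations: the pre-check reads the header only to route (drop messages not addressed to us, pick the key for this issuer's 'kid'), and the tag verification over the AAD is what actually authenticates those claims. The 'kid' collision is harmless as long as the lookup key is the (iss, kid) pair and the tag is still checked with whatever key that lookup returns.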