Re: [jose] TTL for JWK

Mike Jones <Michael.Jones@microsoft.com> Wed, 20 February 2013 00:04 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>
Date: Wed, 20 Feb 2013 00:04:20 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394367477CB0@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <CA+k3eCTZ4KeC7ZH41OWkjkLCp0RiRBkze=4NpFO7AG5zVq-bJQ@mail.gmail.com>
Subject: Re: [jose] TTL for JWK

Is this a key expiration time parameter, or is there a subtle distinction that I'm missing?  If it is an expiration time, I'd recommend that if we do this, we reuse the name "exp" from the JWT spec.  (We actually stopped using this name as an RSA parameter name a few drafts ago exactly so we could use it for this purpose.)

    -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Tuesday, February 19, 2013 3:43 PM
To: jose@ietf.org
Subject: [jose] TTL for JWK

I'd like to float the idea of introducing a time to live parameter to the base JWK document, which could probably fit in as a subsection of §4 that defines parameters common to all key types [1].

The motivation is that many uses of JWKs will involve caching of JWK data, and a TTL parameter could be used to indicate how long a key could be safely cached and used without needing to recheck the JWK source. I don't want it to be a hard expiration date for the key but rather a hint to help facilitate efficient and error-free caching.

OpenID Connect has a real use case for this where entities publish their keys via a JWK Set at an HTTPS URL. To support key rotation and encryption, there needs to be some way to indicate the TTL of a public key used to encrypt. Of course, this isn't the only way to skin that cat, but it strikes me as a good way and one that might provide utility for JWK in other contexts.

JSON Web Token [2] defines a data type that is "A JSON numeric value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time" that seems like it could be co-opted to work well as the value for a "ttl" parameter.

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08#section-4

[2] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-2
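As an added example that is not code from this thread, from the JOSE drafts, or from any OpenID Connect implementation, the following Python sketch shows what a consumer of a published JWK Set would do with the proposed hint: each key may carry a "ttl" member holding a NumericDate (seconds since the epoch), meaning "safe to use without rechecking the source until then". The cache rechecks the source once a hint has passed, or when a "kid" it has never seen arrives, and treats whatever the source then publishes as authoritative, so the hint is a caching aid rather than a hard expiry, as the proposal describes. The member name "ttl", the default TTL for keys that carry no hint, the refresh rate limit, and the two sample JWK Sets (constructed to model one key rotation) are all assumptions of this example. The one check a practitioner should not skip is the rate limit: an unknown "kid" arrives in an untrusted JWS or JWE header, so an unthrottled "refetch on unknown kid" lets any client drive traffic at the publisher.

```python
import json
import time

# Constructed sample data, not from the thread: two versions of a JWK Set as a
# publisher might serve them at an HTTPS URL across a key rotation. The "ttl"
# member is the hint proposed in the thread (a NumericDate, seconds since the
# epoch); the name is an assumption, not a parameter of the JWK draft.
T0 = 1_361_318_400  # 2013-02-20T00:00:00Z
DAY = 86_400

def _rsa(kid, use, alg, **extra):  # key material elided: nothing here does crypto
    return {"kty": "RSA", "kid": kid, "use": use, "alg": alg,
            "n": "<modulus omitted>", "e": "AQAB", **extra}

JWKS_V1 = json.dumps({"keys": [
    _rsa("enc-2013-02", "enc", "RSA-OAEP", ttl=T0 + DAY),
    _rsa("sig-2013-02", "sig", "RS256"),             # no hint: default TTL applies
]})
JWKS_V2 = json.dumps({"keys": [                       # published after rotation
    _rsa("enc-2013-02", "enc", "RSA-OAEP", ttl=T0 + DAY),
    _rsa("enc-2013-03", "enc", "RSA-OAEP", ttl=T0 + 30 * DAY),
    _rsa("sig-2013-02", "sig", "RS256"),
]})

class JwksCache:
    """Cache for a remote JWK Set honoring per-key "ttl" hints. A hint is not a hard
    expiry: once it passes, the source is rechecked and what it publishes wins."""

    def __init__(self, fetch, now=time.time, default_ttl=300, min_refresh_interval=60):
        self._fetch = fetch                      # returns the JWK Set document text
        self._now = now
        self._default_ttl = default_ttl          # assumed TTL for keys carrying no hint
        self._min_refresh_interval = min_refresh_interval
        self._entries = {}                       # kid -> (jwk, recheck_after)
        self._last_refresh = None
        self.refresh_count = 0

    def refresh(self):
        """Refetch unless a fetch happened too recently; returns True if fetched.
        The rate limit stops untrusted "kid" values from forcing a fetch per request."""
        now = self._now()
        if (self._last_refresh is not None
                and now - self._last_refresh < self._min_refresh_interval):
            return False
        entries = {}
        for jwk in json.loads(self._fetch()).get("keys", []):
            kid = jwk.get("kid")
            if not kid:
                continue                         # not addressable by kid; skip it
            hint = jwk.get("ttl")
            entries[kid] = (jwk, float(hint) if hint is not None else now + self._default_ttl)
        self._entries = entries
        self._last_refresh = now
        self.refresh_count += 1
        return True

    def get(self, kid):
        """Return the JWK for kid, rechecking the source once its hint has passed."""
        entry = self._entries.get(kid)
        if entry is None or entry[1] <= self._now():
            self.refresh()
            entry = self._entries.get(kid)
        if entry is None:
            raise KeyError("no key with kid=%r in the published JWK Set" % kid)
        # Served even if the hint passed while the refresh was rate-limited: a hint, not an expiry.
        return entry[0]

    def encryption_key(self):
        """Pick the publisher's encryption key with the longest remaining hint."""
        now = self._now()
        if not self._entries or any(t <= now for _, t in self._entries.values()):
            self.refresh()
        enc = [(t, jwk) for jwk, t in self._entries.values() if jwk.get("use") == "enc"]
        return max(enc, key=lambda pair: pair[0])[1]   # ValueError if none published

def demo():
    """Walk a consumer through the rotation above; returns the observations."""
    versions, clock = [JWKS_V1, JWKS_V2], {"now": T0}
    def fetch():                                 # serves V1 once, then V2
        return versions.pop(0) if len(versions) > 1 else versions[0]

    cache = JwksCache(fetch, now=lambda: clock["now"])
    out = {}
    out["first_sig_kid"] = cache.get("sig-2013-02")["kid"]           # fetches V1
    clock["now"] = T0 + 10
    out["enc_hit_without_refetch"] = cache.get("enc-2013-02")["kid"]  # hint still valid
    try:
        cache.get("kid-from-untrusted-header")                         # unknown kid, 10 s later
        out["unknown_kid_raised"] = False
    except KeyError:
        out["unknown_kid_raised"] = True
    out["refreshes_after_unknown_kid"] = cache.refresh_count           # still 1: rate-limited
    clock["now"] = T0 + DAY + 1                                        # enc-2013-02 hint passed
    out["enc_kid_after_rotation"] = cache.encryption_key()["kid"]      # refetch -> V2
    out["refreshes_after_rotation"] = cache.refresh_count              # 2
    out["old_enc_still_served"] = cache.get("enc-2013-02")["kid"]     # hint, not hard expiry
    return out
```

A deployment that wants the other semantics Mike asks about, a hard expiration under the JWT name "exp", would raise in `get` instead of returning the entry once the time has passed, and would read "exp" rather than "ttl"; the refresh and rate-limit logic is the same either way. Whichever name is chosen, the publisher must keep a retired encryption key listed (with its old hint) for at least as long as content encrypted under it may still be in flight, which is what the constructed second set models.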