[jose] TTL for JWK

Brian Campbell <bcampbell@pingidentity.com> Tue, 19 February 2013 23:44 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 19 Feb 2013 16:43:29 -0700
Message-ID: <CA+k3eCTZ4KeC7ZH41OWkjkLCp0RiRBkze=4NpFO7AG5zVq-bJQ@mail.gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Subject: [jose] TTL for JWK

I'd like to float the idea of introducing a time to live parameter to the
base JWK document, which could probably fit in as a subsection of §4 that
defines parameters common to all key types [1].

The motivation is that many uses of JWKs will involve caching of JWK data
and a TTL parameter could be used to indicate how long a key could be
safely cached and used without needing to recheck the JWK source. I don't
want it to be a hard expiration date for the key but rather a hint to help
facilitate efficient and error free caching.

OpenID Connect has a real use case for this where entities publish their
keys via a JWK Set at an HTTPS URL. To support key rotation and encryption,
there needs to be some way to indicate the TTL of a public key used to
encrypt. Of course, this isn't the only way to skin that cat but it strikes
me as a good way and one that might provide utility for JWK in other

JSON Web Token [2] defines a data type that is "A JSON numeric value
representing the number of seconds from 1970-01-01T0:0:0Z UTC until the
specified UTC date/time" that seems like it could be co-opted to work well
as the value for a "ttl" parameter.

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08#section-4

[2] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-2
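The caching behaviour the mail proposes, a per-key "ttl" that is a recheck hint rather than a hard expiry, as an added Python example that is not part of the original message: the "ttl" member, the sample JWK Set and the placeholder key material are constructed assumptions, and RFC 7517 as published defines no such parameter.

```python
import json
import time

# Constructed sample JWK Set. "ttl" is the parameter proposed in the mail
# (a NumericDate: seconds since 1970-01-01T00:00:00Z) after which a cached
# key should be rechecked at its source. Key material is a placeholder.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "enc-2013-02", "use": "enc", "e": "AQAB",
     "n": "PLACEHOLDER", "ttl": 1361404800},
    {"kty": "RSA", "kid": "enc-2013-01", "use": "enc", "e": "AQAB",
     "n": "PLACEHOLDER"},
]})


class JwkCache:
    """Caches a JWK Set document and honours a per-key "ttl" as a recheck hint."""

    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch        # returns the JWK Set document as text
        self._clock = clock        # returns the current time as a NumericDate
        self._keys = {}
        self.refetches = 0         # number of times the source was rechecked

    def _load(self):
        doc = json.loads(self._fetch())
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}

    def get(self, kid):
        """Return the JWK with the given kid, or None if the source lacks it."""
        if not self._keys:
            self._load()
        key = self._keys.get(kid)
        # A key without "ttl" never triggers a recheck on its own.
        if key is not None and key.get("ttl", float("inf")) <= self._clock():
            # The TTL has passed: recheck the source. The mail describes ttl as
            # a caching hint rather than a hard expiry, so a failed recheck
            # keeps serving the stale key instead of failing the caller.
            self.refetches += 1
            try:
                self._load()
            except (OSError, ValueError):
                return key
            key = self._keys.get(kid)
        return key
```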