IETF Logo Mail Archive

[jose] Updated versions of JOSE and JWT specifications

Mike Jones <Michael.Jones@microsoft.com> Fri, 06 July 2012 17:26 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 417CB21F8656 for <jose@ietfa.amsl.com>; Fri, 6 Jul 2012 10:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.774
X-Spam-Level:
X-Spam-Status: No, score=-3.774 tagged_above=-999 required=5 tests=[AWL=-0.176, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RrT0MgXZLY0q for <jose@ietfa.amsl.com>; Fri, 6 Jul 2012 10:26:26 -0700 (PDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe003.messaging.microsoft.com [213.199.154.141]) by ietfa.amsl.com (Postfix) with ESMTP id 2238D21F8658 for <jose@ietf.org>; Fri, 6 Jul 2012 10:26:25 -0700 (PDT)
Received: from mail87-db3-R.bigfish.com (10.3.81.246) by DB3EHSOBE006.bigfish.com (10.3.84.26) with Microsoft SMTP Server id 14.1.225.23; Fri, 6 Jul 2012 17:24:33 +0000
Received: from mail87-db3 (localhost [127.0.0.1]) by mail87-db3-R.bigfish.com (Postfix) with ESMTP id A8C63260595 for <jose@ietf.org>; Fri, 6 Jul 2012 17:24:32 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -20
X-BigFish: VS-20(zzc85fhzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25hf0ah107ah)
Received-SPF: pass (mail87-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC107.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail87-db3 (localhost.localdomain [127.0.0.1]) by mail87-db3 (MessageSwitch) id 1341595470911932_3619; Fri, 6 Jul 2012 17:24:30 +0000 (UTC)
Received: from DB3EHSMHS011.bigfish.com (unknown [10.3.81.239]) by mail87-db3.bigfish.com (Postfix) with ESMTP id D2BC52A0019 for <jose@ietf.org>; Fri, 6 Jul 2012 17:24:30 +0000 (UTC)
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS011.bigfish.com (10.3.87.111) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 6 Jul 2012 17:24:30 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.02.0309.003; Fri, 6 Jul 2012 17:26:21 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "jose@ietf.org" <jose@ietf.org>
Thread-Topic: Updated versions of JOSE and JWT specifications
Thread-Index: Ac1bnHVXNgbMo6FzRA29BOMAiVSszA==
Date: Fri, 06 Jul 2012 17:26:20 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366579EA5@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366579EA5TK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: [jose] Updated versions of JOSE and JWT specifications
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2012 17:26:32 -0000

New versions of the JSON WEB {Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) specifications have been released.  These versions incorporate numerous suggestions from working group members and developers that clarify the intent of the specifications and make them easier to read and implement.  In particular, the JWE spec now includes encryption and key derivation examples for a number of algorithms that have been verified in multiple independent implementations.

I've worked to close out all the former "TBD" items in the specs, bringing them up to an editorially complete state, in preparation for working group last call.  As with previous releases, see the "Open Issues" sections for a small number of discussion points that I believe merit working group attention.

I also applied the changes made to the JOSE specs to the related individual submission JWS JSON Serialization and JWE JSON Serialization specs, which enable multiple recipients.

The working group specifications are available at:

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-03

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-03

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-key-03

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-03

*        http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-01

The individual submission specifications are available at:

*        http://tools.ietf.org/html/draft-jones-json-web-signature-json-serialization-02

*        http://tools.ietf.org/html/draft-jones-json-web-encryption-json-serialization-02

The document history entries (also in the specifications) are as follows:

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-03

  *   Added the cty (content type) header parameter for declaring type information about the secured content, as opposed to the typ (type) header parameter, which declares type information about this object.
  *   Added "Collision Resistant Namespace" to the terminology section.
  *   Reference ITU.X690.1994 for DER encoding.
  *   Added an example JWS using ECDSA P-521 SHA-512. This has particular illustrative value because of the use of the 521 bit integers in the key and signature values. This is also an example in which the payload is not a base64url encoded JSON object.
  *   Added an example x5c value.
  *   No longer say "the UTF-8 representation of the JWS Secured Input (which is the same as the ASCII representation)". Just call it "the ASCII representation of the JWS Secured Input".
  *   Added Registration Template sections for defined registries.
  *   Added Registry Contents sections to populate registry values.
  *   Changed name of the JSON Web Signature and Encryption "typ" Values registry to be the JSON Web Signature and Encryption Type Values registry, since it is used for more than just values of the typ parameter.
  *   Moved registries JSON Web Signature and Encryption Header Parameters and JSON Web Signature and Encryption Type Values to the JWS specification.
  *   Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-03

  *   Added the kdf (key derivation function) header parameter to provide crypto agility for key derivation. The default KDF remains the Concat KDF with the SHA-256 digest function.
  *   Reordered encryption steps so that the Encoded JWE Header is always created before it is needed as an input to the AEAD "additional authenticated data" parameter.
  *   Added the cty (content type) header parameter for declaring type information about the secured content, as opposed to the typ (type) header parameter, which declares type information about this object.
  *   Moved description of how to determine whether a header is for a JWS or a JWE from the JWT spec to the JWE spec.
  *   Added complete encryption examples for both AEAD and non-AEAD algorithms.
  *   Added complete key derivation examples.
  *   Added "Collision Resistant Namespace" to the terminology section.
  *   Reference ITU.X690.1994 for DER encoding.
  *   Added Registry Contents sections to populate registry values.
  *   Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-03

  *   Clarified that kid values need not be unique within a JWK Set.
  *   Moved JSON Web Key Parameters registry to the JWK specification.
  *   Added "Collision Resistant Namespace" to the terminology section.
  *   Changed registration requirements from RFC Required to Specification Required with Expert Review.
  *   Added Registration Template sections for defined registries.
  *   Added Registry Contents sections to populate registry values.
  *   Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-03

  *   Always use a 128 bit "authentication tag" size for AES GCM, regardless of the key size.
  *   Specified that use of a 128 bit IV is REQUIRED with AES CBC. It was previously RECOMMENDED.
  *   Removed key size language for ECDSA algorithms, since the key size is implied by the algorithm being used.
  *   Stated that the int key size must be the same as the hash output size (and not larger, as was previously allowed) so that its size is defined for key generation purposes.
  *   Added the kdf (key derivation function) header parameter to provide crypto agility for key derivation. The default KDF remains the Concat KDF with the SHA-256 digest function.
  *   Clarified that the mod and exp values are unsigned.
  *   Added Implementation Requirements columns to algorithm tables and Implementation Requirements entries to algorithm registries.
  *   Changed AES Key Wrap to RECOMMENDED.
  *   Moved registries JSON Web Signature and Encryption Header Parameters and JSON Web Signature and Encryption Type Values to the JWS specification.
  *   Moved JSON Web Key Parameters registry to the JWK specification.
  *   Changed registration requirements from RFC Required to Specification Required with Expert Review.
  *   Added Registration Template sections for defined registries.
  *   Added Registry Contents sections to populate registry values.
  *   No longer say "the UTF-8 representation of the JWS Secured Input (which is the same as the ASCII representation)". Just call it "the ASCII representation of the JWS Secured Input".
  *   Added "Collision Resistant Namespace" to the terminology section.
  *   Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-01

  *   Added the cty (content type) header parameter for declaring type information about the secured content, as opposed to the typ (type) header parameter, which declares type information about this object. This significantly simplified nested JWTs.
  *   Moved description of how to determine whether a header is for a JWS or a JWE from the JWT spec to the JWE spec.
  *   Changed registration requirements from RFC Required to Specification Required with Expert Review.
  *   Added Registration Template sections for defined registries.
  *   Added Registry Contents sections to populate registry values.
  *   Added "Collision Resistant Namespace" to the terminology section.
  *   Numerous editorial improvements.

http://tools.ietf.org/html/draft-jones-json-web-signature-json-serialization-02

  *   Tracked editorial changes made to the JWS spec.

http://tools.ietf.org/html/draft-jones-json-web-encryption-json-serialization-02

  *   Updated examples to track updated algorithm properties in the JWA spec.
  *   Tracked editorial changes made to the JWE spec.

Special thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund Jay for validating the JWE examples!

                                                            -- Mike

v2.23.0 | Report a Bug | By Email