Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserved Header Parameter Names
John Bradley <ve7jtb@ve7jtb.com> Thu, 04 April 2013 18:53 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9951B21F93CC for <jose@ietfa.amsl.com>; Thu, 4 Apr 2013 11:53:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.627
X-Spam-Level:
X-Spam-Status: No, score=-2.627 tagged_above=-999 required=5 tests=[AWL=0.972, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8P6mQ2gYsO9T for <jose@ietfa.amsl.com>; Thu, 4 Apr 2013 11:53:06 -0700 (PDT)
Received: from mail-qe0-f48.google.com (mail-qe0-f48.google.com [209.85.128.48]) by ietfa.amsl.com (Postfix) with ESMTP id AD99621F93DC for <jose@ietf.org>; Thu, 4 Apr 2013 11:53:06 -0700 (PDT)
Received: by mail-qe0-f48.google.com with SMTP id 2so1614917qea.21 for <jose@ietf.org>; Thu, 04 Apr 2013 11:53:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=GaOmBYV8Ysu3b8BL5+gsYMRiP83/Mg8vTQrCzIIuNkI=; b=DmBdXNvxuRMuLl8L4r9gdrMgbs7eh/gVxzL+n9GzWRR7laZBu5sWCuHm/eAHLMl7cb FJmUqcI5uV+J0iG0TYolJaRUjjZkNA4srUE4GsLOzXHW2OWr6KDoBuHSOmcsS/bUzd03 l2HnAFi1b9R6lof1gForqxR2YlAYpeabE6TZVbatRGijx3sr0nQpv+Rn0jeKggl2WURS ZUemkDzwp77NJzhojAjpoHgyYNImW3ZJAF1Fqj8zMl0VEdm5uc4cTLpW2Mz+rY59PGc7 ZDNk/NpcrzLiddKj7sdt20ad64YfM8MJttLeMee8FXUnme5ceIkgWylXkQRuY1BdHfqV SrZQ==
X-Received: by 10.49.62.35 with SMTP id v3mr6422364qer.8.1365101586004; Thu, 04 Apr 2013 11:53:06 -0700 (PDT)
Received: from [192.168.1.210] (190-20-54-248.baf.movistar.cl. [190.20.54.248]) by mx.google.com with ESMTPS id fr4sm11733535qab.3.2013.04.04.11.53.02 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 04 Apr 2013 11:53:04 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_EC182935-FABF-42D8-993E-E339462822C8"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943675B4F79@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 04 Apr 2013 15:52:15 -0300
Message-Id: <5447C845-C9B7-4A43-8AFC-69E503B0F908@ve7jtb.com>
References: <059.28920e1fc6703f74a91ab3b3829a8a57@trac.tools.ietf.org> <074.45573b920fde1863b2b824557b6bbbe8@trac.tools.ietf.org> <70DD0047-E4B5-4A00-A74D-B4B3CC67D68E@gmail.com> <4E1F6AAD24975D4BA5B1680429673943675B4F79@TK5EX14MBXC283.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQn3SQBCmdTdOq89O5igMrpghMnSDht0/gmXZdOYZUFLACzUo/yHJZ3ln+YiUJ1wsCK4EccP
Cc: "rlb@ipv.sx" <rlb@ipv.sx>, "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserved Header Parameter Names
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 18:53:07 -0000
I am not against having them as JWE header elements, I have raised the point in several discussions. However given that the decryption key is generally already in the hands of the RP it is hard to make the argument that a kid, thumbprint or jwk object are not enough for the recipient to identify what decryption key to use. I can see a use in a case like Matt Millers XMPP encryption example where the sender doesn't know the public key of the recipient only its name in that case the recipient won't have the decryption key and needs to know in the unencrypted part of the message who to go and ask for the key. I think in the XMPP case the recipient sends its public key and the received "kid" back to the issuer and asks for the decryption key to be encrypted by its public key and sent back. This is perhaps the sort of thing where having the iss in the unencrypted envelope is a requirement. "aud" is also arguably useful if you have a multi hop situation where the client needs to make a forwarding decision without creating yet another level of wrapping for the token. So I do see uses for them. I do agree with Mike that it may be best to use the definitions in JWT and have the processing rule about what happens if you get the claim in the header and in the body or if it is only in the header laid out there. The thing that is important in a JWE context is if those claims are going to be integrity protected. There is continued debate about removing the envelope from the integrity protection. That is a JWE issue. I also think if they are in JWT as being allowed in the JWE header referencing that from JWE is not a bad thing. John B. On 2013-04-04, at 1:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > Responding to your "unsettled" remark, I suspect most people are fine with having the "aud" and "iss" be claims in the JWT where they normally are. Yes, you have to decrypt the token to get these claim values, but if you're going to use the token, you'll have to do that anyway. > > I don't think it's clear to most people what problem is being solved by potentially these fields to be present in a different location. Without a compelling use case, this just seems like more to implement without a clear benefit of doing so. > > -- Mike > > -----Original Message----- > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Wednesday, April 03, 2013 9:29 PM > To: jose issue tracker > Cc: draft-ietf-jose-json-web-encryption@tools.ietf.org; Mike Jones; rlb@ipv.sx; jose@ietf.org > Subject: Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserved Header Parameter Names > > Actually, Mike was suggesting that the issue be moved to the JWT WG. > > I'll settle with the JWE spec pointing to an IANA registry. Speaking as an implementer, if there is a list of reserved names in the spec, I'm likely to think that is all of them. > > I'm a little unsettled that no one else has had any feedback on having 'aud' and 'iss' in the JWE header. Is my implementation the only that has that requirement? > > -- Dick > > On Apr 3, 2013, at 8:57 PM, "jose issue tracker" <trac+jose@trac.tools.ietf.org> wrote: > >> #17: add 'aud' and 'iss' to 4.1 Reserved Header Parameter Names >> >> >> Comment (by rlb@ipv.sx): >> >> I agree with Mike that these don't really belong in the core JWE/JWS >> specs. >> >> I would suggest we address this issue more generally, by creating an >> IANA registry of reserved parameter names, with a fairly liberal >> inclusion policy. That registry could have a field to indicate >> whether JOSE implementations are REQUIRED to support a given parameter >> (MTI parameters). (Note that this is different from whether a JOSE >> object is REQUIRED to contain a parameter.) Perhaps we could have >> optional parameters under a fairly liberal policy (e.g., Specification >> Required), with a higher bar for MTI parameters (e.g., Standards Action). >> >> If we set up the registry in this way, then Dick could write a short >> Informational document that would register these fields. >> >> -- >> -------------------------+-------------------------------------------- >> -------------------------+----- >> Reporter: | Owner: draft-ietf-jose-json-web- >> dick.hardt@gmail.com | encryption@tools.ietf.org >> Type: enhancement | Status: new >> Priority: major | Milestone: >> Component: json-web- | Version: >> encryption | Resolution: >> Severity: - | >> Keywords: | >> -------------------------+-------------------------------------------- >> -------------------------+----- >> >> Ticket URL: >> <http://trac.tools.ietf.org/wg/jose/trac/ticket/17#comment:2> >> jose <http://tools.ietf.org/jose/> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- [jose] #17: add 'aud' and 'iss' to 4.1 Reserved H… jose issue tracker
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… jose issue tracker
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Dick Hardt
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… jose issue tracker
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Dick Hardt
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Mike Jones
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Mike Jones
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… John Bradley
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Dick Hardt
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Dick Hardt
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Dick Hardt
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Mike Jones
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Dick Hardt
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Jim Schaad
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Mike Jones
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… Matt Miller (mamille2)
- Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserv… jose issue tracker