Re: [jose] 'aud' and 'iss' in JWE header
Richard Barnes <rlb@ipv.sx> Tue, 26 March 2013 18:01 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 806B921F8512 for <jose@ietfa.amsl.com>; Tue, 26 Mar 2013 11:01:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.166
X-Spam-Level:
X-Spam-Status: No, score=-1.166 tagged_above=-999 required=5 tests=[AWL=-0.741, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KcRa5+QSrHZN for <jose@ietfa.amsl.com>; Tue, 26 Mar 2013 11:01:28 -0700 (PDT)
Received: from mail-ob0-x234.google.com (mail-ob0-x234.google.com [IPv6:2607:f8b0:4003:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 9664221F8510 for <jose@ietf.org>; Tue, 26 Mar 2013 11:01:28 -0700 (PDT)
Received: by mail-ob0-f180.google.com with SMTP id wo10so4987493obc.39 for <jose@ietf.org>; Tue, 26 Mar 2013 11:01:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=smUC7CluPulKAJiIzRQwyUIMSiWEq96fTzeKXTmRWhg=; b=i//2PYHeg8wBAUokjmdKFGBpaIbqeJQ/zQgz5Vb7J9FO8MHEyrCZ4haJKJDmjWi4+k hm2ZEZJ2vb3Se/9Py+PP+4imJu0tCKsPNGlkr5fBTBOopfuFuOdK9qkJ2BfAmtkftqTh 5xbLNUKpq61LKBYqrA0S76SIxiJANsXo4eI4T+qgl4oDCwwHor3vmei8l9nEPynOlg1p bRq/ZxFLKwrrn+F6+CLHbt2sUhDf+Z7EjZ6gosQTWUPhWHUAGFVSvvJ0M0VKjdKnijhC FJ0qyhN3ai9r1g+GDNoXd96AX8fO7F6W0U7BmNrNKriCFDLzyOQAnTaq5WigBlFwtohy dAJg==
MIME-Version: 1.0
X-Received: by 10.60.171.50 with SMTP id ar18mr13602293oec.24.1364320888097; Tue, 26 Mar 2013 11:01:28 -0700 (PDT)
Received: by 10.60.172.146 with HTTP; Tue, 26 Mar 2013 11:01:28 -0700 (PDT)
X-Originating-IP: [192.1.255.184]
In-Reply-To: <EAA32C99-3498-407C-80FC-DF63EA40963A@gmail.com>
References: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com> <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com> <AFBB0F6B-FB11-4F01-8F68-218EB211230F@gmail.com> <942E1B2E-1469-4472-83A4-3884CF21F5EB@ve7jtb.com> <A7EC3B59-824E-4413-914E-8298036CC0CD@gmail.com> <EAA32C99-3498-407C-80FC-DF63EA40963A@gmail.com>
Date: Tue, 26 Mar 2013 14:01:28 -0400
Message-ID: <CAL02cgTvP8o=zT8L4O1Ju2=sJFP4kG0J3LNmBjgPcuao=BC9HA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="bcaec550af3ae5787904d8d7b50e"
X-Gm-Message-State: ALoCoQlbqWnTsiOQn5t/VEqM8Ix3DzV0IlRV1Kolx3hVSlQwelxs/VLQtg89/fRwzaYAexq9+u09
Cc: John Bradley <ve7jtb@ve7jtb.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] 'aud' and 'iss' in JWE header
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2013 18:01:29 -0000
It doesn't seem harmful to me to have these parameters in there. It just seems like they won't be useful in a lot of cases. Is there any particular reason that these fields have to be in the header itself? John Bradley had proposed earlier defining a separate container for things that aren't necessarily of general use for JWE. Perhaps we should set up a registry for JWE/JWS header parameters, with a liberal inclusion policy (e.g., Specification Required), so that things like this could be added easily. --Richard On Tue, Mar 26, 2013 at 1:57 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > My other option would be to hack the 'kid' value to include both the 'iss' > value and the 'aud' value so that a recipient would be able to determine if > they are the audience and who the issuer is by cracking the 'kid' => but > that seems like such a hack given that I have the ability to put the 'aud' > and 'iss' in the header. > > Am I the only one that sees the value in having the 'aud' and 'iss' in the > header for JWE? > > -- Dick > > On Mar 25, 2013, at 4:27 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > > 'iss' and 'aud' are not reserved header parameter names, so if I used > them, then they would be private names subject to collision. > > > > Unless there is a reason why they should not be allowed, I'd like them > to be reserved header parameter names so that their meaning is clear to an > implementation or library. I would like to write my libraries to look at > the header for those parameters if they are there. > > > > On Mar 25, 2013, at 4:19 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > > >> That will be compliant. The spec won't call out those particular > properties from JWT. > >> > >> If you think that they should be called out as optional parameters that > could be considered. However that is not a open issue at this point. > >> > >> John B. > >> On 2013-03-25, at 8:09 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > >> > >>> Will that be compliant though? I would like to spec to say that I can > optionally include those properties in the header of a JWE. > >>> > >>> > >>> On Mar 25, 2013, at 4:02 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > >>> > >>>> Once the change to ignore additional elements in the header there is > nothing to stop you from doing that. > >>>> > >>>> You make a good point about scoping the 'kid' to the 'iss'. > >>>> > >>>> John B. > >>>> > >>>> On 2013-03-25, at 7:53 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > >>>> > >>>>> Hello everyone > >>>>> > >>>>> As I am implementing JOSE JWE, I would like to know who the 'iss' > and 'aud' is. I am using symmetric, shared keys and the 'aud' party would > like to know they really are the intended 'aud' and who the 'isa' is. > Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee > that two 'iss' won't have the same 'kid' for different keys from different > 'iss'. > >>>>> > >>>>> I don't see an issue with disclosure of who 'iss' and 'aud' are as > any party able to intercept the token will have a pretty good idea of where > it is coming from and where it is going to. Knowing the 'iss' and 'aud' > allows the 'aud' to return an error before doing any crypto if the 'aud' > does not match or if there is no 'kid' for the 'iss'. > >>>>> > >>>>> Is there a reason why I cannot have 'iss' and 'aud' in the header? > >>>>> > >>>>> This is not an issue with JWS since the payload is clear and the > 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto. > >>>>> > >>>>> -- Dick > >>>>> _______________________________________________ > >>>>> jose mailing list > >>>>> jose@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/jose > >>>> > >>> > >> > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header John Bradley
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header John Bradley
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header Richard Barnes
- Re: [jose] 'aud' and 'iss' in JWE header Matt Miller (mamille2)
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt