Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserved Header Parameter Names

Dick Hardt <dick.hardt@gmail.com> Thu, 04 April 2013 20:14 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <5447C845-C9B7-4A43-8AFC-69E503B0F908@ve7jtb.com>
Date: Thu, 04 Apr 2013 13:14:15 -0700
Message-Id: <983B04CA-B478-443E-982D-023C14F06E18@gmail.com>
References: <059.28920e1fc6703f74a91ab3b3829a8a57@trac.tools.ietf.org> <074.45573b920fde1863b2b824557b6bbbe8@trac.tools.ietf.org> <70DD0047-E4B5-4A00-A74D-B4B3CC67D68E@gmail.com> <4E1F6AAD24975D4BA5B1680429673943675B4F79@TK5EX14MBXC283.redmond.corp.microsoft.com> <5447C845-C9B7-4A43-8AFC-69E503B0F908@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: "rlb@ipv.sx" <rlb@ipv.sx>, "draft-ietf-jose-json-web-encryption@tools.ietf.org" <draft-ietf-jose-json-web-encryption@tools.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] #17: add 'aud' and 'iss' to 4.1 Reserved Header Parameter Names

On Apr 4, 2013, at 11:52 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I am not against having them as JWE header elements; I have raised the point in several discussions.
> 
> However given that the decryption key is generally already in the hands of the RP it is hard to make the argument that a kid, thumbprint or jwk object are not enough for the recipient to identify what decryption key to use.

See my example.

> 
> I can see a use in a case like Matt Miller's XMPP encryption example, where the sender doesn't know the public key of the recipient, only its name. In that case the recipient won't have the decryption key and needs to know, in the unencrypted part of the message, who to go and ask for the key.
> 
> I think in the XMPP case the recipient sends its public key and the received "kid" back to the issuer and asks for the decryption key to be encrypted by its public key and sent back. This is perhaps the sort of thing where having the iss in the unencrypted envelope is a requirement.
> 
> "aud" is also arguably useful if you have a multi-hop situation where the client needs to make a forwarding decision without creating yet another level of wrapping for the token.

I have a potential multi-hop case that requires "aud".

> 
> So I do see uses for them.  
> 
> I do agree with Mike that it may be best to use the definitions in JWT and have the processing rule about what happens if you get the claim in the header and in the body, or if it is only in the header, laid out there.
> 
> The thing that is important in a JWE context is if those claims are going to be integrity protected. There is continued debate about removing the envelope from the integrity protection. That is a JWE issue. I also think, if they are in JWT as being allowed in the JWE header, referencing that from JWE is not a bad thing.

I would think it would make sense to have one list of reserved JWE header parameters, not two. Of course, additional ones may be defined in an IANA registry.
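The three points argued in this exchange (an intermediary forwarding on "aud", a recipient reading "iss" to know whom to ask for the key, and whether header claims are integrity protected), as an added example that is not part of this thread or of any JOSE draft. It builds a compact JWE whose protected header carries "iss" and "aud", lets a proxy route on the cleartext "aud" with no key at all, and shows that the header is nonetheless tamper-evident because BASE64URL(protected header) is the AAD of the content encryption (the construction RFC 7516 ended up with), with the tag computed as in RFC 7518 section 5.2.2. Assumptions: the content cipher is a stand-in HMAC-SHA256 counter-mode keystream so the code runs on the Python standard library alone (it is not a registered "enc"; the name "x-toy-hmacctr-hs256", the key, the issuer and the hop names are all constructed for the example); the rule applied in decrypt, reject a token whose header copy of a claim disagrees with the body copy, is the processing rule this ticket asked for and is in the spirit of what RFC 7519 section 5.3 later specified for replicated claims.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _keystream(enc_key, iv, length):
    # Stand-in for the AES content cipher (HMAC-SHA256 in counter mode) so this
    # runs on the standard library alone. Not a registered JWE "enc" algorithm.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key, aad, iv, ciphertext):
    # Tag as in RFC 7518 section 5.2.2: HMAC over AAD || IV || ciphertext || AL,
    # AL = bit length of AAD as a 64-bit big-endian integer. Covering the AAD is
    # what makes the cleartext protected header tamper-evident.
    al = struct.pack(">Q", len(aad) * 8)
    return hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()[:16]

def _xor(data, key, iv):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))

def encrypt(key, header, claims):
    """Compact JWE ("alg":"dir", so the encrypted-key segment is empty)."""
    mac_key, enc_key = key[:16], key[16:]           # RFC 7518 5.2.2: MAC key first
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    aad = protected.encode("ascii")                 # RFC 7516 5.1: AAD = ASCII(protected)
    iv = os.urandom(16)
    ciphertext = _xor(json.dumps(claims, separators=(",", ":")).encode(), enc_key, iv)
    tag = _tag(mac_key, aad, iv, ciphertext)
    return ".".join([protected, "", b64url(iv), b64url(ciphertext), b64url(tag)])

def peek_header(jwe):
    """Protected header, readable by anyone on the path without a key."""
    return json.loads(b64url_decode(jwe.split(".")[0]))

def route(jwe, my_id, next_hop):
    """Multi-hop forwarding decision on the cleartext "aud": 'deliver' or a peer name."""
    aud = peek_header(jwe).get("aud")
    if aud == my_id:
        return "deliver"
    if aud in next_hop:
        return next_hop[aud]
    raise ValueError("no route for aud %r" % aud)

def decrypt(key, jwe, expected_aud):
    """Check the tag (which covers the header), then reconcile header and body claims."""
    mac_key, enc_key = key[:16], key[16:]
    protected, _encrypted_key, iv_s, ct_s, tag_s = jwe.split(".")
    iv, ciphertext, tag = b64url_decode(iv_s), b64url_decode(ct_s), b64url_decode(tag_s)
    if not hmac.compare_digest(_tag(mac_key, protected.encode("ascii"), iv, ciphertext), tag):
        raise ValueError("authentication tag mismatch: header or ciphertext was modified")
    header, claims = peek_header(jwe), json.loads(_xor(ciphertext, enc_key, iv))
    for name in ("iss", "aud"):   # a claim carried in both places must agree
        if name in header and name in claims and header[name] != claims[name]:
            raise ValueError("claim %r differs between header and payload" % name)
    if claims.get("aud", header.get("aud")) != expected_aud:
        raise ValueError("token is not intended for this recipient")
    return claims

def tamper_header(jwe, **changes):
    """Rewrite the cleartext header (e.g. redirect "aud") and keep the other segments."""
    parts = jwe.split(".")
    header = dict(peek_header(jwe), **changes)
    parts[0] = b64url(json.dumps(header, separators=(",", ":")).encode())
    return ".".join(parts)

# Constructed sample data: a 256-bit shared content key, one issuer, two hops.
KEY = bytes(range(32))
HEADER = {"alg": "dir", "enc": "x-toy-hmacctr-hs256",
          "iss": "https://idp.example", "aud": "https://rp.example"}
CLAIMS = {"iss": "https://idp.example", "aud": "https://rp.example", "sub": "alice"}
NEXT_HOP = {"https://rp.example": "gateway.rp.example"}

def demo():
    jwe = encrypt(KEY, HEADER, CLAIMS)
    result = {"forward_to": route(jwe, "https://proxy.example", NEXT_HOP),
              "ask_for_key_at": peek_header(jwe)["iss"],   # the XMPP-style case
              "claims": decrypt(KEY, jwe, "https://rp.example")}
    redirected = tamper_header(jwe, aud="https://attacker.example")
    try:
        decrypt(KEY, redirected, "https://attacker.example")
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result
```

Running demo() shows the proxy forwarding to gateway.rp.example and the recipient learning the issuer from the header before it has any key, while the redirected copy fails the tag check at the new audience. If the envelope were taken out of the integrity protection, as the thread says was being debated, the last step would instead succeed and the "aud" decision at each hop would be attacker-controlled; that is the concrete reason the placement of these claims and the AAD question are the same question.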