Re: [jose] TTL for JWK

John Bradley <ve7jtb@ve7jtb.com> Wed, 20 February 2013 03:38 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FF5221F8802 for <jose@ietfa.amsl.com>; Tue, 19 Feb 2013 19:38:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.466
X-Spam-Level:
X-Spam-Status: No, score=-3.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sjtPeqZvl0uH for <jose@ietfa.amsl.com>; Tue, 19 Feb 2013 19:38:13 -0800 (PST)
Received: from mail-qc0-f177.google.com (mail-qc0-f177.google.com [209.85.216.177]) by ietfa.amsl.com (Postfix) with ESMTP id 17B7121F87A4 for <jose@ietf.org>; Tue, 19 Feb 2013 19:38:12 -0800 (PST)
Received: by mail-qc0-f177.google.com with SMTP id u28so2856510qcs.8 for <jose@ietf.org>; Tue, 19 Feb 2013 19:38:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=y/d9hW0EVVgeogAxu9vfZMH+BxWC0t7+ZzRL6b83uuA=; b=ihQ8lwbi9m9vJCtN9sXB4C71LyR510n5XdJJMXrDdCz25Tg4l7MM4/mh+ZZXohMmBj 4xcVsJr2eXXNCqSMpWi7mJVq7Fj486N/2VW2RpxF+Th/zywQc55MQFdsUsesICTMr+JP Kx0lHlezsgHP3sgGfZ2k9T4+ukDmykCSGyEZe4aJr6r1A/vhXslX7nyaayrlt1MiES73 Sq2kHUFSbtO/KBBzXlD/rE3nd5JF03zN/ebLYu0jf5yP6q3mLta/3HuCtkBzA4DkzGvL G9oy3QPYY/A23aKMvagdKqNmKAVF6D+VlwDXK1g3zwgvkcpISdL2Ws2f4waB/G1hKuhP BfzA==
X-Received: by 10.49.130.167 with SMTP id of7mr8950976qeb.22.1361331492374; Tue, 19 Feb 2013 19:38:12 -0800 (PST)
Received: from [192.168.1.213] (190-20-4-185.baf.movistar.cl. [190.20.4.185]) by mx.google.com with ESMTPS id z5sm29185421qer.8.2013.02.19.19.37.59 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Feb 2013 19:38:10 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_FF9882BC-D165-47D0-B832-2C5CD6617B8D"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED9411513F6D4@xmb-aln-x11.cisco.com>
Date: Wed, 20 Feb 2013 00:37:06 -0300
Message-Id: <BB7A15C2-486F-4AD2-917B-F1B1B40385EA@ve7jtb.com>
References: <CA+k3eCTZ4KeC7ZH41OWkjkLCp0RiRBkze=4NpFO7AG5zVq-bJQ@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367477CB0@TK5EX14MBXC284.redmond.corp.microsoft.com> <CA+k3eCTbKzWaSr0cmSKTgfs2WMwfGjxatCMjFJekf+8E5SRjXQ@mail.gmail.com> <84EEBC7B-1C68-485E-998D-D01CAE884675@ve7jtb.com> <BF7E36B9C495A6468E8EC573603ED9411513F6D4@xmb-aln-x11.cisco.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQkQeiQJQgtb7Ex1npvQupKX6tN7uBWu/frwOwXTqBFtukR48WkjzjlfkiYmaSE6dAi6jUGI
Cc: Mike Jones <Michael.Jones@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] TTL for JWK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 03:38:14 -0000

Sorry I was thinking of the caching for secondary servers rather than the per record ttl.  I suppose DNS has both.

If a jku contains a set is the caching the shortest value?   I am not against doing it per jwk as that is potentially more flexible and avoids a new element in jwk set.

If we were only talking about jku files then http caching might work, but has limitations.

John B.
On 2013-02-20, at 12:21 AM, "Matt Miller (mamille2)" <mamille2@cisco.com> wrote:

> I think applying the ttl to the individual JWK makes more sense.  I can definitely see where a JWK set would hold one key, then be updated with a new alternate (roll-over) key with a long ttl (since it's the new replacement) but with a short ttl on the original (because it's going to actually go live any day/minute/second now).  When the new key is fully deployed, the JWK set is updated to remove it.
> 
> As with implied comparisons to DNS, the ttl there is on the individual resource records, not the entire answer.
> 
> - m&m
> 
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
> 
> On Feb 19, 2013, at 8:12 PM, John Bradley <ve7jtb@ve7jtb.com>
> wrote:
> 
>> Yes ttl and exp are different.    ttl probably should apply to a JWK set as a whole rather than the individual JWK where exp is certainly a per key value.
>> 
>> Mike, this is a bit like the distinction in DNS.
>> 
>> John B.
>> 
>> On 2013-02-19, at 9:26 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> 
>>> The subtle (and maybe unimportant) distinction I was trying to make was that this was more of a indicator about how long a key could be cached/used with a reasonable expectation that things would still work. I tend to think of key expiration as being something more like any use of the key after the time should be considered invalid. I wanted to avoid requiring message rejection if expiration checks failed (as is the case with exp in JWT).  I remember the change to RSA to free up "exp" and was going to propose just using that. But after thinking about it a bit, to me anyway, "ttl" conveyed that idea better than "exp." I'd be fine with either parameter name though.
>>> 
>>> Does that make sense?
>>> 
>>> 
>>> On Tue, Feb 19, 2013 at 5:04 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>> Is this a key expiration time parameter or is there a subtle distinction that I’m missing?  If it is an expiration time, I’d recommend that if we do this, that we reuse the name “exp” from the JWT spec.  (We actually stopped using this name as an RSA parameter name a few drafts ago exactly so we could use it for this purpose.)
>>> 
>>> 
>>> 
>>>                                                           -- Mike
>>> 
>>> 
>>> 
>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
>>> Sent: Tuesday, February 19, 2013 3:43 PM
>>> To: jose@ietf.org
>>> Subject: [jose] TTL for JWK
>>> 
>>> 
>>> 
>>> I'd like to float the idea of introducing a time to live parameter to the base JWK document, which could probably fit in as a subsection of §4 that defines parameters common to all key types [1].
>>> 
>>> The motivation is that many uses of JWKs will involve caching of JWK data and a TTL parameter could be used to indicate how long a key could be safely cached and used without needing to recheck the JWK source. I don't want it to be a hard expiration date for the key but rather a hint to help facility efficient and error free caching.
>>> 
>>> OpenID Connect has a real use case for this where entities publish their keys via a JWK Set at an HTTPS URL. To support key rotation and encryption, there needs to be some way to indicate the TTL of a public key used to encrypt. Of course, this isn't the only way to skin that cat but it strikes me as a good way and one that might provide utility for JWK in other contexts.
>>> JSON Web Token [2] defines a data type that is "A JSON numeric value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time" that seems like it could be co-opted to work well as the value for a "ttl" parameter.
>>> 
>>> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08#section-4
>>> 
>>> [2] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-2
>>> 
>>> 
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>>> 
>>> 
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>