Re: [jose] TTL for JWK

Brian Campbell <bcampbell@pingidentity.com> Wed, 20 February 2013 14:37 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B818D21F87E4 for <jose@ietfa.amsl.com>; Wed, 20 Feb 2013 06:37:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.95
X-Spam-Level:
X-Spam-Status: No, score=-5.95 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LazGhg1mY-lx for <jose@ietfa.amsl.com>; Wed, 20 Feb 2013 06:37:48 -0800 (PST)
Received: from na3sys009aog138.obsmtp.com (na3sys009aog138.obsmtp.com [74.125.149.19]) by ietfa.amsl.com (Postfix) with ESMTP id 6541721F87E0 for <jose@ietf.org>; Wed, 20 Feb 2013 06:37:48 -0800 (PST)
Received: from mail-oa0-f71.google.com ([209.85.219.71]) (using TLSv1) by na3sys009aob138.postini.com ([74.125.148.12]) with SMTP ID DSNKUSTfvNZIK91FV0t3i+cm62oPVJjS6DbV@postini.com; Wed, 20 Feb 2013 06:37:48 PST
Received: by mail-oa0-f71.google.com with SMTP id o6so40969828oag.10 for <jose@ietf.org>; Wed, 20 Feb 2013 06:37:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=1jY4SusG5gNzxDdlG4nqU1L41xSJrmaR4nw/BgFrmtk=; b=akNm4l2ON1pYlowUBrLMemQKW3A8z7dh52O/Ry/SweG6+LToy3ujXBSB1HH7zCHeHc a1vZ0885Va52jLZp+8MaUk7sPzlVP3S9aXEglR7SNkaKHxJaGzDgCBghSfpTJiGV1LYU fAlh0PuWT8UOl/CpC5FuWZV3XeEYm/oxkGT7CX/MKWCID0W3PUs7I2q1HdvDd/aQ9kfp OgYuaJnXdHzYtpcHJIb/R01WP26mDJbyskyo1EQgj6IG0+C9WS/Rputbp9r39OyjMozP pLiQ8cTpCr8G6GAWtQJ4P6Q5yXS97WKRaPwOYJZMox01sYLFfhNuOBXh56Til+5CnjFy Cwag==
X-Received: by 10.50.11.229 with SMTP id t5mr11323544igb.65.1361371067428; Wed, 20 Feb 2013 06:37:47 -0800 (PST)
X-Received: by 10.50.11.229 with SMTP id t5mr11323541igb.65.1361371067292; Wed, 20 Feb 2013 06:37:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.63.3 with HTTP; Wed, 20 Feb 2013 06:37:17 -0800 (PST)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E115076349DB@WSMSG3153V.srv.dir.telstra.com>
References: <CA+k3eCTZ4KeC7ZH41OWkjkLCp0RiRBkze=4NpFO7AG5zVq-bJQ@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367477CB0@TK5EX14MBXC284.redmond.corp.microsoft.com> <CA+k3eCTbKzWaSr0cmSKTgfs2WMwfGjxatCMjFJekf+8E5SRjXQ@mail.gmail.com> <84EEBC7B-1C68-485E-998D-D01CAE884675@ve7jtb.com> <255B9BB34FB7D647A506DC292726F6E115076349DB@WSMSG3153V.srv.dir.telstra.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 20 Feb 2013 07:37:17 -0700
Message-ID: <CA+k3eCR4eX7fk3ibra97hcJ9jpEMWxhJZhb4E2RFbSP8ogui9A@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary=e89a8f646d15df9b5404d628e675
X-Gm-Message-State: ALoCoQmLsx+Q+l4JFIvmKF2luXk/lS/uJ9kdwj/RwdEIbwmBxzzYQ7VoTqM4VDqK/e+GaGQc/ncIqL/++DKyoBWnbonQfgvwoPGDnOYQEGMgoskVBRtnPwO2SDHKbJjTQ+k8xzrwo++Q
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] TTL for JWK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 14:37:49 -0000

To Mike's comment on the ttl of an IP packet - I did extensive research on
wikipedia that suggests a TTL can either be a counter or a time-stamp. The
idea is the same - discard or stop using at such and such a point. TTL may
not be right but it seemed closer than exp for what I was aiming for.

To James and John's comment on JWK Set and HTTP, I was thinking a per key
usage but the way I was envisioning it does ultimately result in the whole
JWK Set being refreshed (re-fetched?) and that would argue for it being at
the JWK Set level. And yeah, at that point it'd make sense to just use HTTP
cache control. I'd been trying to avoid that because of a suspicion that
the HTTP headers would likely be set wrong or ignored by some. But using
that as a justification to reinvent the concept at another layer sounds
rather silly when I say (er type) it out loud. So, I dunno, maybe this
isn't such a great idea after all and using HTTP level caching mechanisms
to address my particular problem is a better approach.

To James' other comment on "MUST-understand-everything" - I don't always
answer rhetorical questions in a public forum but, what the heck, it'd be
more than just awkward. It'd be darn near impossible for any deployments
that had more than just single bilateral relationships. You're point is
taken (though I already fall in the not-MUST-understand camp) but I don't
believe the must-understand requirement applies to JWK as the drafts are
currently written, does it?







On Wed, Feb 20, 2013 at 5:27 AM, Manger, James H <
James.H.Manger@team.telstra.com> wrote:

> This feature sounds so close in function to an HTTP Cache-Control header.
> Surely we can just use this existing mechanism? Particularly as the real
> use case mentioned in getting a JWK from an HTTPS URI.****
>
> ** **
>
> ** **
>
> P.S. If we do defer specifying “TTL for JWK” now, but after a few years
> experience of rolling keys in OpenID Connect decide it would be good, then
> I wonder how awkward deploying it would be due to the
> MUST-understand-everything rule?****
>
> ** **
>
> --****
>
> James Manger****
>
> ** **
>
> On 2013-02-19, at 9:26 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:****
>
> ** **
>
> …this was more of a indicator about how long a key could be cached/used
> with a reasonable expectation that things would still work… ****
>
> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
> Of *Brian Campbell
> *Sent:* Tuesday, February 19, 2013 3:43 PM
> *To:* jose@ietf.org
> *Subject:* [jose] TTL for JWK****
>
> I'd like to float the idea of introducing a time to live parameter to the
> base JWK document, which could probably fit in as a subsection of §4 that
> defines parameters common to all key types [1].
>
> The motivation is that many uses of JWKs will involve caching of JWK data
> and a TTL parameter could be used to indicate how long a key could be
> safely cached and used without needing to recheck the JWK source. I don't
> want it to be a hard expiration date for the key but rather a hint to help
> facility efficient and error free caching.
>
> OpenID Connect has a real use case for this where entities publish their
> keys via a JWK Set at an HTTPS URL. To support key rotation and encryption,
> there needs to be some way to indicate the TTL of a public key used to
> encrypt. Of course, this isn't the only way to skin that cat but it strikes
> me as a good way and one that might provide utility for JWK in other
> contexts.
> JSON Web Token [2] defines a data type that is "A JSON numeric value
> representing the number of seconds from 1970-01-01T0:0:0Z UTC until the
> specified UTC date/time" that seems like it could be co-opted to work well
> as the value for a "ttl" parameter.
>
> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08#section-4
>
> [2]
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-2***
> *
>
> ** **
>