Re: [jose] 'aud' and 'iss' in JWE header

John Bradley <ve7jtb@ve7jtb.com> Mon, 25 March 2013 23:19 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <AFBB0F6B-FB11-4F01-8F68-218EB211230F@gmail.com>
Date: Mon, 25 Mar 2013 20:19:34 -0300
Message-Id: <942E1B2E-1469-4472-83A4-3884CF21F5EB@ve7jtb.com>
References: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com> <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com> <AFBB0F6B-FB11-4F01-8F68-218EB211230F@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: jose@ietf.org
Subject: Re: [jose] 'aud' and 'iss' in JWE header

That will be compliant. The spec won't call out those particular properties from JWT.

If you think that they should be called out as optional parameters, that could be considered. However, that is not an open issue at this point.

John B.
On 2013-03-25, at 8:09 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

> Will that be compliant though? I would like the spec to say that I can optionally include those properties in the header of a JWE.
> 
> 
> On Mar 25, 2013, at 4:02 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
>> Once the change to ignore additional elements in the header is made, there is nothing to stop you from doing that.
>> 
>> You make a good point about scoping the 'kid' to the 'iss'. 
>> 
>> John B.
>> 
>> On 2013-03-25, at 7:53 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>> 
>>> Hello everyone
>>> 
>>> As I am implementing JOSE JWE, I would like to know who the 'iss' and 'aud' is. I am using symmetric, shared keys and the 'aud' party would like to know they really are the intended 'aud' and who the 'iss' is. Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee that two 'iss' won't have the same 'kid' for different keys from different 'iss'.
>>> 
>>> I don't see an issue with disclosure of who 'iss' and 'aud' are as any party able to intercept the token will have a pretty good idea of where it is coming from and where it is going to. Knowing the 'iss' and 'aud' allows the 'aud' to return an error before doing any crypto if the 'aud' does not match or if there is no 'kid' for the 'iss'.
>>> 
>>> Is there a reason why I cannot have 'iss' and 'aud' in the header?
>>> 
>>> This is not an issue with JWS since the payload is clear and the 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto.
>>> 
>>> -- Dick
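The pre-crypto check Dick describes, written out as an added example (not code from anyone in this thread): the recipient parses the compact JWE, reads 'iss', 'aud' and 'kid' from the protected header, rejects on 'aud' mismatch, and looks the key up under the pair ('iss', 'kid') so two issuers sharing a 'kid' cannot collide. The keyring, issuer URLs and function names are constructed for the example.

```python
import base64
import json

# Constructed sample keyring, scoped to (iss, kid): the same 'kid' from
# two different issuers maps to two different keys, as the thread wants.
KEYRING = {
    ("https://issuer-a.example", "k1"): b"constructed-key-a",
    ("https://issuer-b.example", "k1"): b"constructed-key-b",
}

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used by JOSE compact serialization."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def precheck_jwe(compact: str, expected_aud: str, keyring=KEYRING):
    """Inspect the protected header of a compact JWE before any decryption.

    Returns (None, key) when the token may proceed to decryption, or
    (reason, None) when it can be rejected without running any crypto.
    The header is only integrity-protected as AAD during decryption, so
    this is a fast fail-early filter; acceptance still requires the tag
    to verify afterwards.
    """
    parts = compact.split(".")
    if len(parts) != 5:
        return "malformed: expected 5 compact-serialization parts", None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return "malformed: protected header is not base64url JSON", None
    if not isinstance(header, dict):
        return "malformed: protected header is not a JSON object", None
    iss, aud, kid = header.get("iss"), header.get("aud"), header.get("kid")
    if aud != expected_aud:          # not for us: no key lookup, no crypto
        return "aud mismatch", None
    if iss is None or kid is None:
        return "missing iss or kid", None
    key = keyring.get((iss, kid))    # 'kid' is meaningful only within 'iss'
    if key is None:
        return "unknown kid for iss", None
    return None, key

def constructed_jwe(iss: str, aud: str, kid: str) -> str:
    """Build a constructed compact JWE whose only meaningful part is the header."""
    hdr = {"alg": "dir", "enc": "A128GCM", "iss": iss, "aud": aud, "kid": kid}
    b64 = base64.urlsafe_b64encode(json.dumps(hdr).encode()).rstrip(b"=").decode()
    # Encrypted key is empty for "dir"; IV, ciphertext and tag are placeholders.
    return ".".join([b64, "", "aXY", "Y3Q", "dGFn"])
```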