Re: [jose] 'aud' and 'iss' in JWE header
John Bradley <ve7jtb@ve7jtb.com> Mon, 25 March 2013 23:02 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E201D21F8628 for <jose@ietfa.amsl.com>; Mon, 25 Mar 2013 16:02:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZjF1XpwhTYz for <jose@ietfa.amsl.com>; Mon, 25 Mar 2013 16:02:42 -0700 (PDT)
Received: from mail-qe0-f45.google.com (mail-qe0-f45.google.com [209.85.128.45]) by ietfa.amsl.com (Postfix) with ESMTP id 12A5221F86BC for <jose@ietf.org>; Mon, 25 Mar 2013 16:02:28 -0700 (PDT)
Received: by mail-qe0-f45.google.com with SMTP id b4so3579442qen.32 for <jose@ietf.org>; Mon, 25 Mar 2013 16:02:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=cRgE/GngOQoFiD8///Xr5Vr0oi1huDPujgaNvfikdMM=; b=kXZlMc8OZqWVJFhjT1ZwpQlkgEQJi5uQNyADCGFFMTG0HfQBLVECwik1Kjh1ATIPqI OSD4fBdR2jbs0DUPUHfXaUkvmHCnOl6gse+JQa9ZFYV3e5bc8T6L58sEiDho+WMXOfEZ Qx7XLrms2MNRYfcbA3SDe3myZCmNRWKGgm6tY2mnX03QtZDDe/gInPj92NFysntzwztI eY+i9aWj2M9Re0KmhPdgdlDUY3PT59YSs3W3tLL+tBdyhQKUvxcM2YcLV9th8dHttqNU 10WxvDx1QNqZcxxUH2IahxOSzb4mQqd8egafN/ukNN+FDvDaMk9K5TCvr7rMmx5+JSkT 1C8A==
X-Received: by 10.229.112.81 with SMTP id v17mr1383559qcp.93.1364252548396; Mon, 25 Mar 2013 16:02:28 -0700 (PDT)
Received: from [192.168.1.34] (190-20-41-38.baf.movistar.cl. [190.20.41.38]) by mx.google.com with ESMTPS id az3sm4125971qeb.7.2013.03.25.16.02.23 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 25 Mar 2013 16:02:26 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_B52E8796-1F92-4605-A6E5-47C994E429E2"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com>
Date: Mon, 25 Mar 2013 20:02:35 -0300
Message-Id: <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com>
References: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQlLDY72jqy860BWjyoSi9aEvmIUghUljVQ17zMTnYRaBX7Kdm3IegBm1czq6h1d32+a4MYM
Cc: jose@ietf.org
Subject: Re: [jose] 'aud' and 'iss' in JWE header
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2013 23:02:43 -0000
Once the change to ignore additional elements in the header there is nothing to stop you from doing that. You make a good point about scoping the 'kid' to the 'iss'. John B. On 2013-03-25, at 7:53 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > Hello everyone > > As I am implementing JOSE JWE, I would like to know who the 'iss' and 'aud' is. I am using symmetric, shared keys and the 'aud' party would like to know they really are the intended 'aud' and who the 'isa' is. Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee that two 'iss' won't have the same 'kid' for different keys from different 'iss'. > > I don't see an issue with disclosure of who 'iss' and 'aud' are as any party able to intercept the token will have a pretty good idea of where it is coming from and where it is going to. Knowing the 'iss' and 'aud' allows the 'aud' to return an error before doing any crypto if the 'aud' does not match or if there is no 'kid' for the 'iss'. > > Is there a reason why I cannot have 'iss' and 'aud' in the header? > > This is not an issue with JWS since the payload is clear and the 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto. > > -- Dick > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header John Bradley
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header John Bradley
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt
- Re: [jose] 'aud' and 'iss' in JWE header Richard Barnes
- Re: [jose] 'aud' and 'iss' in JWE header Matt Miller (mamille2)
- Re: [jose] 'aud' and 'iss' in JWE header Dick Hardt