Re: [jose] TTL for JWK

Richard Barnes <rlb@ipv.sx> Wed, 20 February 2013 23:24 UTC

From: Richard Barnes <rlb@ipv.sx>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: "jose@ietf.org" <jose@ietf.org>, Prateek Mishra <prateek.mishra@oracle.com>
Subject: Re: [jose] TTL for JWK

Yeah, even after reading the thread, this proposal seems really unclear.

Now, my first thought on reading Brian's initial mail was, "oh, it looks
like we're creeping back toward X.509!"  Which I don't mean as a bad thing.
After all, a lot of the fields we already have in JWK are analogous to
PKIX fields, and what are certificates but a key, some attributes, and a
signature over that package?  If we were going to go down that path
(PKIJ?), then this sort of attribute would completely make sense,
especially if it were phrased as an absolute time, like the PKIX notAfter.

But if we are going to go down that path, I think we need a recharter...

--Richard






On Wed, Feb 20, 2013 at 10:19 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> A fair question Prateek, but if you take that to its logical end, it
> might suggest that "use", "kid" and "alg" be removed from JWK as well.
>
> But my resolve for this proposal is weakening so it's not worth arguing
> about.
>
>
> On Wed, Feb 20, 2013 at 7:54 AM, Prateek Mishra <prateek.mishra@oracle.com> wrote:
>
>> Shouldn't this be a part of a key management layer distinct from JWK?
>>
>> I was under the impression that JWK was limited to
>>
>> [quote]
>>
>>
>> JavaScript Object Notation (JSON) data
>>    structure that represents a public key.  This specification also
>>    defines a JSON Web Key Set (JWK Set) JSON data structure for
>>    representing a set of JWKs.
>>
>> [\quote]
>>
>> - prateek
>>
>> I'd like to float the idea of introducing a time to live parameter to the
>> base JWK document, which could probably fit in as a subsection of §4 that
>> defines parameters common to all key types [1].
>>
>> The motivation is that many uses of JWKs will involve caching of JWK data
>> and a TTL parameter could be used to indicate how long a key could be
>> safely cached and used without needing to recheck the JWK source. I don't
>> want it to be a hard expiration date for the key but rather a hint to help
>> facilitate efficient and error free caching.
>>
>> OpenID Connect has a real use case for this where entities publish their
>> keys via a JWK Set at an HTTPS URL. To support key rotation and encryption,
>> there needs to be some way to indicate the TTL of a public key used to
>> encrypt. Of course, this isn't the only way to skin that cat but it strikes
>> me as a good way and one that might provide utility for JWK in other
>> contexts.
>> JSON Web Token [2] defines a data type that is "A JSON numeric value
>> representing the number of seconds from 1970-01-01T0:0:0Z UTC until the
>> specified UTC date/time" that seems like it could be co-opted to work well
>> as the value for a "ttl" parameter.
>>
>> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08#section-4
>>
>> [2] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-2
>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>
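
Added example, not part of the original thread or of any JOSE draft: a sketch of how a JWK Set consumer could treat the proposed "ttl" as a recheck hint rather than a hard expiry, which is the distinction the quoted proposal draws. The `ttl` member (read here as an absolute NumericDate), the `JwkSetCache` class, its parameters and the sample key are assumptions made for illustration.

```python
import time

# Constructed sample JWK Set; "ttl" is the thread's proposed member, not a registered one.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "a", "ttl": 1600}]}

class JwkSetCache:
    """Caches keys by kid; the hypothetical "ttl" says when to recheck the source."""

    def __init__(self, fetch, max_age=3600, min_interval=30, clock=time.time):
        self._fetch = fetch                # callable returning {"keys": [...]}
        self._max_age = max_age            # ceiling on any publisher-supplied hint
        self._min_interval = min_interval  # floor between fetches (unknown-kid floods)
        self._clock = clock
        self._keys = {}                    # kid -> (jwk, recheck_at)
        self._last_fetch = None
        self.fetches = 0

    def _refresh(self, now):
        self._last_fetch = now
        self.fetches += 1
        fresh = {}
        for jwk in self._fetch().get("keys", []):
            recheck_at = now + self._max_age
            ttl = jwk.get("ttl")
            # Honour the hint only if it is a future NumericDate; never exceed max_age.
            if isinstance(ttl, (int, float)) and not isinstance(ttl, bool) and ttl > now:
                recheck_at = min(ttl, recheck_at)
            fresh[jwk.get("kid")] = (jwk, recheck_at)
        self._keys = fresh                 # keys dropped by the publisher disappear here

    def get(self, kid):
        now = self._clock()
        entry = self._keys.get(kid)
        if entry is not None and now < entry[1]:
            return entry[0]                # still inside the hint window
        recent = self._last_fetch is not None and now - self._last_fetch < self._min_interval
        if not recent:
            try:
                self._refresh(now)
                entry = self._keys.get(kid)
            except OSError:
                # A hint, not a hard expiry: a failed recheck keeps the cached key.
                if entry is None:
                    raise
        return entry[0] if entry else None
```

Under the PKIX `notAfter` reading raised in the reply, the `except` branch would instead have to reject the key once the time has passed.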