Re: [jose] JWK Thumbprint in JWS/JWE Header
Justin Richer <jricher@mit.edu> Tue, 19 July 2016 15:39 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 952CD12DAFE for <jose@ietfa.amsl.com>; Tue, 19 Jul 2016 08:39:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdRkF1xMoW3B for <jose@ietfa.amsl.com>; Tue, 19 Jul 2016 08:39:42 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A201812D76A for <jose@ietf.org>; Tue, 19 Jul 2016 08:24:23 -0700 (PDT)
X-AuditID: 1209190c-0ffff7000000503d-33-578e4626e2df
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id EC.54.20541.6264E875; Tue, 19 Jul 2016 11:24:22 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u6JFOL5B031218; Tue, 19 Jul 2016 11:24:22 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u6JFOJYO009732 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 19 Jul 2016 11:24:21 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <1468939736.8067.91.camel@redhat.com>
Date: Tue, 19 Jul 2016 11:24:17 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F817D984-D424-4335-BBC4-3CC88B1C8223@mit.edu>
References: <1468939736.8067.91.camel@redhat.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDIsWRmVeSWpSXmKPExsUixCmqrKvm1hducPeZhsWaNd1MFnO/zmJ1 YPJYsuQnk8f7fVfZApiiuGxSUnMyy1KL9O0SuDJu373OUtDHWfHo6hbGBsZt7F2MnBwSAiYS H69dYgSxhQTamCRWLZPpYuQCsjcySry6Mo0JwnnIJNHSc5kFpIpZQF3iz7xLzCA2r4CexKb1 b5lAbGGgSU1Hr4LVsAmoSkxf0wIW5xQwkui4egkszgIUnz+pgR1ijqDEpMcbGCFsbYllC19D zbSSuHh2AhvERYYSp452gvWKAO1atm8CI8TVshJPTi5imcAoMAvJSbOQnDQLydgFjMyrGGVT cqt0cxMzc4pTk3WLkxPz8lKLdA31cjNL9FJTSjcxggNVkmcH45k3XocYBTgYlXh4E9h6w4VY E8uKK3MPMUpyMCmJ8qqKAoX4kvJTKjMSizPii0pzUosPMUpwMCuJ8M536QsX4k1JrKxKLcqH SUlzsCiJ827/1h4uJJCeWJKanZpakFoEk5Xh4FCS4JV1BWoULEpNT61Iy8wpQUgzcXCCDOcB Gt4NUsNbXJCYW5yZDpE/xagoJc47EWSrAEgiozQPrheUSBLeHjZ9xSgO9IowLz9IOw8wCcF1 vwIazAQ02EC1G2RwSSJCSqqB0S/jN3NcyRS91boLazsvn4/JflRTWPY60DvX7ktZhIt+ZvfK tOre8rg0SVV922gFvhmrjISe+BybrrGaQ7t2J9+skE+ud6UjXinHBzxd3TR3Q1TH7PwT1+L/ mf17JhokcL4rw8ywWev0qudMbLU8Zh/9Ln7mEvdKD3Kftka+i/PU/vbJvZZKLMUZiYZazEXF iQAeyRhA/wIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/rKUbkQdEhwe4vjIJsBm0WAcMG3Q>
Cc: jose@ietf.org
Subject: Re: [jose] JWK Thumbprint in JWS/JWE Header
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 15:39:43 -0000
This was discussed on the list a while ago, and the thought was that you could easily use the JWK thumbprint *as* the “kid” value instead of defining a new field for this use case. The header values are protected by the signature in the normal (compact) JWS/JWE formats, and ought to be protected in the JSON representations too for exactly the reasons you’re talking about. — Justin > On Jul 19, 2016, at 10:48 AM, Nathaniel McCallum <npmccallum@redhat.com> wrote: > > The JWS and JWE specs defined the "kid" header value that can be used > to identify the key used for signing or encryption. Subsequently, the > JWK thumbprint method was defined. > > Has anyone put any thought into registering a header value for JWS and > JWE headers that indicates the thumbprint of the key used for signing > or encryption? This would be very helpful for key indexes especially > when using unprotected headers since the value of "kid" might be > modified. > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- Re: [jose] JWK Thumbprint in JWS/JWE Header Nathaniel McCallum
- Re: [jose] JWK Thumbprint in JWS/JWE Header Sergey Beryozkin
- Re: [jose] JWK Thumbprint in JWS/JWE Header Nathaniel McCallum
- Re: [jose] JWK Thumbprint in JWS/JWE Header Sergey Beryozkin
- Re: [jose] JWK Thumbprint in JWS/JWE Header Brian Campbell
- Re: [jose] JWK Thumbprint in JWS/JWE Header Nathaniel McCallum
- Re: [jose] JWK Thumbprint in JWS/JWE Header Nathaniel McCallum
- Re: [jose] JWK Thumbprint in JWS/JWE Header Justin Richer
- [jose] JWK Thumbprint in JWS/JWE Header Nathaniel McCallum