Re: [jose] 'aud' and 'iss' in JWE header

Dick Hardt <dick.hardt@gmail.com> Mon, 25 March 2013 23:27 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <942E1B2E-1469-4472-83A4-3884CF21F5EB@ve7jtb.com>
Date: Mon, 25 Mar 2013 16:27:03 -0700
Message-Id: <A7EC3B59-824E-4413-914E-8298036CC0CD@gmail.com>
References: <57A4986E-4AA7-4E96-8EE6-53F3CE2D73EA@gmail.com> <BD041F81-FDEE-4917-86C9-A67B1A62D19F@ve7jtb.com> <AFBB0F6B-FB11-4F01-8F68-218EB211230F@gmail.com> <942E1B2E-1469-4472-83A4-3884CF21F5EB@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: jose@ietf.org
Subject: Re: [jose] 'aud' and 'iss' in JWE header

'iss' and 'aud' are not reserved header parameter names, so if I used them, then they would be private names subject to collision. 

Unless there is a reason why they should not be allowed, I'd like them to be reserved header parameter names so that their meaning is clear to an implementation or library. I would like to write my libraries to look at the header for those parameters if they are there.

On Mar 25, 2013, at 4:19 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> That will be compliant.  The spec won't call out those particular properties from JWT.   
> 
> If you think that they should be called out as optional parameters that could be considered.  However that is not an open issue at this point.
> 
> John B.
> On 2013-03-25, at 8:09 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
>> Will that be compliant though? I would like the spec to say that I can optionally include those properties in the header of a JWE.
>> 
>> 
>> On Mar 25, 2013, at 4:02 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>>> Once the change to ignore additional elements in the header is made, there is nothing to stop you from doing that.
>>> 
>>> You make a good point about scoping the 'kid' to the 'iss'. 
>>> 
>>> John B.
>>> 
>>> On 2013-03-25, at 7:53 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>> 
>>>> Hello everyone
>>>> 
>>>> As I am implementing JOSE JWE, I would like to know who the 'iss' and 'aud' are. I am using symmetric, shared keys and the 'aud' party would like to know they really are the intended 'aud' and who the 'iss' is. Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee that two 'iss' won't have the same 'kid' for different keys from different 'iss'.
>>>> 
>>>> I don't see an issue with disclosure of who 'iss' and 'aud' are as any party able to intercept the token will have a pretty good idea of where it is coming from and where it is going to. Knowing the 'iss' and 'aud' allows the 'aud' to return an error before doing any crypto if the 'aud' does not match or if there is no 'kid' for the 'iss'.
>>>> 
>>>> Is there a reason why I cannot have 'iss' and 'aud' in the header?
>>>> 
>>>> This is not an issue with JWS since the payload is clear and the 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto.
>>>> 
>>>> -- Dick
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
>>> 
>> 
>
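The pre-crypto triage Dick describes in the thread (reject on 'aud' mismatch or on an unknown 'kid' before touching any key material, with the key lookup scoped to the issuer so that two issuers reusing the same 'kid' cannot be confused) can be written as a small recipient-side check over the JWE protected header. The following is an added example and is not code from the thread or from any JOSE library; the key registry, the issuer and audience URLs, and the key bytes are constructed placeholders, and the non-header segments of the compact JWE are filler because only header handling is exercised here.

```python
import base64
import json

# Constructed key registry keyed by (iss, kid). The thread's point is that
# 'kid' alone is ambiguous across issuers, so the lookup is scoped to 'iss'.
# The key bytes are placeholders, not real key material.
KEY_REGISTRY = {
    ("https://issuer-a.example", "k1"): b"placeholder-key-a-k1",
    ("https://issuer-b.example", "k1"): b"placeholder-key-b-k1",
}

# The audience this recipient accepts tokens for (constructed value).
EXPECTED_AUD = "https://recipient.example"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as JOSE serializes them."""
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_protected_header(compact_jwe: str) -> dict:
    """Return the JWE protected header (first segment of the compact form).

    Nothing read here is authenticated yet: the protected header is only
    integrity-checked once decryption succeeds. Its values are therefore
    used to reject early and to select a key, never trusted as claims.
    """
    segments = compact_jwe.split(".")
    if len(segments) != 5:
        raise ValueError("compact JWE must have five segments")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def precheck(compact_jwe: str, expected_aud: str = EXPECTED_AUD):
    """Pre-crypto triage of a compact JWE.

    Returns (ok, reason, key). When ok is True, key is the shared key
    selected by (iss, kid). When ok is False, no key material has been
    touched and reason names the rejection.
    """
    try:
        header = parse_protected_header(compact_jwe)
    except ValueError as exc:
        return False, f"malformed: {exc}", None

    # 'aud' may be a single string or an array of strings, as in JWT claims.
    aud = header.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return False, "aud mismatch", None

    iss = header.get("iss")
    kid = header.get("kid")
    if not isinstance(iss, str) or not isinstance(kid, str):
        return False, "missing iss or kid", None

    key = KEY_REGISTRY.get((iss, kid))
    if key is None:
        return False, "no key for (iss, kid)", None
    return True, "ok", key


def make_compact_jwe(header: dict) -> str:
    """Build a compact-serialized JWE carrying the given protected header.

    The remaining four segments are constructed filler: this example only
    exercises header triage, not encryption or decryption.
    """
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    filler = b64url_encode(b"\x00" * 16)
    return ".".join([protected, filler, filler, filler, filler])
```

Calling `precheck()` on the token before any decryption gives the early error path described above: an audience mismatch or an issuer/key-id pair absent from the registry is rejected without loading a key, and a token from a second issuer that happens to reuse the same 'kid' resolves to that issuer's key rather than colliding.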