[jose] 'aud' and 'iss' in JWE header

Dick Hardt <dick.hardt@gmail.com> Mon, 25 March 2013 22:53 UTC


Hello everyone

As I am implementing JOSE JWE, I would like to know who the 'iss' and 'aud' are. I am using symmetric, shared keys and the 'aud' party would like to know they really are the intended 'aud' and who the 'iss' is. Otherwise the 'iss' is inferred from the 'kid', and there is no guarantee that two 'iss' won't have the same 'kid' for different keys from different 'iss'.

I don't see an issue with disclosure of who 'iss' and 'aud' are as any party able to intercept the token will have a pretty good idea of where it is coming from and where it is going to. Knowing the 'iss' and 'aud' allows the 'aud' to return an error before doing any crypto if the 'aud' does not match or if there is no 'kid' for the 'iss'.

Is there a reason why I cannot have 'iss' and 'aud' in the header?

This is not an issue with JWS since the payload is clear and the 'aud' can evaluate the 'iss' and 'aud' properties before doing crypto.

-- Dick
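The pre-crypto routing check the post asks for, as an added example that is not part of the original message or of any JOSE library; the keyring, issuer URLs, recipient identity and the dummy JWE segments are all constructed, and treating 'aud' as either a string or an array is an assumption borrowed from JWT.

```python
import base64
import json

# Constructed demo keyring addressed by (iss, kid): two issuers may
# legitimately reuse the same 'kid' for different keys, so 'kid' alone
# is not a safe lookup key.
KEYRING = {
    ("https://issuer-a.example", "k1"): b"A" * 32,
    ("https://issuer-b.example", "k1"): b"B" * 32,
}
MY_AUD = "https://rp.example"  # constructed identity of the receiving party


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwe_header(header: dict) -> str:
    """Constructed compact JWE with only the protected header populated;
    the other four segments are empty because the check stops before crypto."""
    return ".".join([b64url_encode(json.dumps(header).encode()), "", "", "", ""])


def select_key(jwe_compact: str, my_aud: str, keyring: dict) -> bytes:
    """Read 'iss', 'aud' and 'kid' from the protected header and refuse
    early when the token is not for us or we hold no key for that issuer.
    Caveat: the header is only authenticated (as AAD) once the AEAD tag
    verifies, so this decides whether and with which key to attempt
    decryption; it does not by itself prove who sent the token."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("protected header is not valid base64url/JSON") from exc
    for claim in ("iss", "aud", "kid"):
        if claim not in header:
            raise ValueError(f"protected header missing {claim!r}")
    # Assumption: 'aud' is a string or a list of strings, as in JWT.
    aud = header["aud"] if isinstance(header["aud"], list) else [header["aud"]]
    if my_aud not in aud:
        raise ValueError("token not addressed to us; skipping decryption")
    key = keyring.get((header["iss"], header["kid"]))
    if key is None:
        raise ValueError("no key for this (iss, kid); skipping decryption")
    return key
```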