Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE
Anthony Nadalin <tonynad@microsoft.com> Wed, 29 May 2013 15:25 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED62521F93A6 for <oauth@ietfa.amsl.com>; Wed, 29 May 2013 08:25:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.534
X-Spam-Level:
X-Spam-Status: No, score=0.534 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hefYjXuQHUre for <oauth@ietfa.amsl.com>; Wed, 29 May 2013 08:25:29 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3D321F941F for <oauth@ietf.org>; Wed, 29 May 2013 08:25:25 -0700 (PDT)
Received: from BN1BFFO11FD008.protection.gbl (10.58.52.203) by BN1AFFO11HUB011.protection.gbl (10.58.52.121) with Microsoft SMTP Server (TLS) id 15.0.707.0; Wed, 29 May 2013 15:23:50 +0000
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (131.107.125.37) by BN1BFFO11FD008.mail.protection.outlook.com (10.58.53.68) with Microsoft SMTP Server (TLS) id 15.0.698.0 via Frontend Transport; Wed, 29 May 2013 15:23:50 +0000
Received: from CO9EHSOBE037.bigfish.com (157.54.51.112) by mail.microsoft.com (157.54.80.25) with Microsoft SMTP Server (TLS) id 14.3.136.1; Wed, 29 May 2013 15:23:36 +0000
Received: from mail53-co9-R.bigfish.com (10.236.132.232) by CO9EHSOBE037.bigfish.com (10.236.130.100) with Microsoft SMTP Server id 14.1.225.23; Wed, 29 May 2013 15:23:35 +0000
Received: from mail53-co9 (localhost [127.0.0.1]) by mail53-co9-R.bigfish.com (Postfix) with ESMTP id 9E8EB2607AC for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 29 May 2013 15:23:35 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT005.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -15
X-BigFish: PS-15(zz98dI9371Ic85fhzz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6h1082kzz1033IL17326ah18c673h8275bh8275dhz31h2a8h668h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1bceh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh17ej9a9j1155h)
Received-SPF: softfail (mail53-co9: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT005.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; LANG:en;
Received: from mail53-co9 (localhost.localdomain [127.0.0.1]) by mail53-co9 (MessageSwitch) id 1369841013685702_19116; Wed, 29 May 2013 15:23:33 +0000 (UTC)
Received: from CO9EHSMHS023.bigfish.com (unknown [10.236.132.230]) by mail53-co9.bigfish.com (Postfix) with ESMTP id A51722801FC; Wed, 29 May 2013 15:23:33 +0000 (UTC)
Received: from BL2PRD0310HT005.namprd03.prod.outlook.com (157.56.240.21) by CO9EHSMHS023.bigfish.com (10.236.130.33) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 29 May 2013 15:23:32 +0000
Received: from BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) by BL2PRD0310HT005.namprd03.prod.outlook.com (10.255.97.40) with Microsoft SMTP Server (TLS) id 14.16.311.1; Wed, 29 May 2013 15:23:31 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.698.13; Wed, 29 May 2013 15:23:29 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.161]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.161]) with mapi id 15.00.0698.010; Wed, 29 May 2013 15:23:29 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>, O Auth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE
Thread-Index: AQHOW8FGkRCakpTLnEu4Z1c1BnoSlZkcSPkA
Date: Wed, 29 May 2013 15:23:28 +0000
Message-ID: <bdf66a4a6ade4c9f967b6ec2e5893f7d@BY2PR03MB189.namprd03.prod.outlook.com>
References: <4858A2E2-6F15-4D25-9909-E8F2AA15797E@gmail.com> <CAD9ie-sh-3jfL-aq7cmSp0hGaKust6-nM704CPz4Lh19G5w9KA@mail.gmail.com>
In-Reply-To: <CAD9ie-sh-3jfL-aq7cmSp0hGaKust6-nM704CPz4Lh19G5w9KA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:2a:2:92a:7243:8cd5:1397]
Content-Type: multipart/alternative; boundary="_000_bdf66a4a6ade4c9f967b6ec2e5893f7dBY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB192.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC104.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(189002)(377454002)(199002)(24454002)(54356001)(79102001)(74316001)(6806003)(74366001)(71186001)(81542001)(33646001)(76576001)(74876001)(81342001)(65816001)(74706001)(512954002)(76796001)(76786001)(16676001)(16236675002)(15202345002)(46102001)(74502001)(20776003)(54316002)(56816002)(53806001)(74662001)(80022001)(59766001)(56776001)(76482001)(51856001)(47446002)(69226001)(77982001)(49866001)(50986001)(47736001)(47976001)(4396001)(31966008)(63696002)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BN1AFFO11HUB011; H:TK5EX14HUBC104.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 08617F610C
Subject: Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2013 15:25:41 -0000
So there could be privacy issues on why I would not want the ISS or AUD outside the encrypted payload From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dick Hardt Sent: Tuesday, May 28, 2013 9:34 AM To: O Auth WG Subject: Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE Following up on this topic ... On Wed, May 1, 2013 at 2:12 PM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote: "iss" and "aud" would be optional parameters in a JWE. These parameters are in the payload, but since it is encrypted, the payload must be decrypted before they can be read. Some times knowing these parameters is required to be able to decrypt the payload ... These would be additions to 9.3.1 in the JWT specification. Why "iss" is needed: Bob and Charlie each gave Alice a KID and a symmetric key to use to verify and decrypt tokens from them. The App and Alice share keys so Alice knows it is the App. The User authorizes Bob to give the App a token (which authorizes the App to do something) The App gives the token to Alice. Since Alice indirectly received the token, the only way for Alice to know who sent the token, is to look at the KID as the "iss" claim is encrypted. If the "kid" values are GUIDs, then Alice can just look up the "kid" and retrieve the associated symmetric key, and then decrypt and verify the token and THEN see who sent it. If there is a collision in KID values (Bon and Charlie gave the same KID for different keys), then Alice will not know which symmetric key to use. Why "aud" is needed: Dave gives a KID and symmetric key to Ellen, and Frank gives a KID and symmetric key to Gwen. Ellen and Gwen trust each other and know how to talk to each other. Gwen does not know Dave. Ellen does not know Frank The App and Gwen share keys so Gwen knows it is the App. The User authorizes Dave to give the App a token Dave gives the token to Gwen (Dave does not have a relationship with Ellen) Gwen now has a token that Ellen can decrypt and verify, but has no method for knowing that Ellen can do that. The "aud" property would allow Gwen to give the token to Ellen to decrypt and verify. -- -- Dick
- [OAUTH-WG] JWT: add "iss" and "aud" to Reserved H… Dick Hardt
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Mike Jones
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Dick Hardt
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Dick Hardt
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Anthony Nadalin
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Dick Hardt
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Mike Jones
- Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserv… Dick Hardt