Re: [OAUTH-WG] Comments on draft-chadwick-oauth-jwk-uri-00
David Chadwick <d.w.chadwick@verifiablecredentials.info> Sun, 20 February 2022 16:33 UTC
Return-Path: <d.w.chadwick@verifiablecredentials.info>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 226883A0E57 for <oauth@ietfa.amsl.com>; Sun, 20 Feb 2022 08:33:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=verifiablecredentials.info
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yFKmlG1Mx9hq for <oauth@ietfa.amsl.com>; Sun, 20 Feb 2022 08:33:24 -0800 (PST)
Received: from client-mail1.aiso.net (client-mail1.aiso.net [199.19.158.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 106473A08AD for <oauth@ietf.org>; Sun, 20 Feb 2022 08:33:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=verifiablecredentials.info; s=mail; h=Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date: Message-ID:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=UUD4XG9xXMBMP8VlYA/Fc5GFGs4ccJ0jDci5QJn2bsg=; b=hG5EdALvbfJKssmvG7dmxLSlyI RHj6B+3xm5Ehpc7utty0BdKNGwlFxqps0BjEGXy/mB7utrebRVZ5puZd+sxphYu1CfkrOS7aWbh36 TxZeu7kszs/EEV3oNRlPGa6xu1+QR7H42gO2RU8N9N6g6jpnpA/227aOLZ62AP0Q3Ork=;
Received: from [212.170.250.122] (helo=[192.168.0.102]) by client-mail1.aiso.net (envelope-from <d.w.chadwick@verifiablecredentials.info>) with esmtpsa (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.94.2) id 1nLp9C-0006YZ-8O; Sun, 20 Feb 2022 08:33:21 -0800
Message-ID: <b3bc5a1d-4f0f-c089-8922-bb9f5ba365ca@verifiablecredentials.info>
Date: Sun, 20 Feb 2022 16:33:17 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-GB
To: Mike Jones <Michael.Jones@microsoft.com>, David Chadwick <D.W.Chadwick@kent.ac.uk>
Cc: "oauth@ietf.org" <oauth@ietf.org>
References: <SA2PR00MB1002028095276BE702AA24EFF5379@SA2PR00MB1002.namprd00.prod.outlook.com>
From: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Organization: Verifiable Credentials Ltd
In-Reply-To: <SA2PR00MB1002028095276BE702AA24EFF5379@SA2PR00MB1002.namprd00.prod.outlook.com>
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-AISO-Id: info@verifiablecredentials.info
X-AISO-Outbound-SA-Spam-Score: 0.7
X-AISO-Outbound-SA-Spam-Score-Int: 7
X-AISO-Outbound-SA-Spam-Report: BAYES_00=-1.9, HTML_MESSAGE=0.001, KAM_INFOUSMEBIZ=2.5, MIME_HTML_ONLY=0.1, NICE_REPLY_A=-0.001, T_SCC_BODY_TEXT_LINE=-0.01
X-AISO-Report-Abuse: abuse@aiso.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3xAky14vtDQCovjz9xwrKRfu4MY>
Subject: Re: [OAUTH-WG] Comments on draft-chadwick-oauth-jwk-uri-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Feb 2022 16:33:28 -0000
Thanks for pointing the working group to this individual submission, David. Here’s some initial comments on the document, as you requested.
First, you specify base64 encoding of the JWK, rather than base64url encoding of it. This would result in non-URL-safe characters in the URI, such as /, +, and =. If you’re going to encode things, I suggest using the URL-safe base64url encoding.
But secondly, I would not re-encode the JWK fields at all. I know that David Waite had an idea for a representation of JWK URIs where the JSON fields are represented as colon-separated pairs in the URI. So for instance, the example JWK at https://datatracker.ietf.org/doc/html/rfc7517#section-3" class="moz-txt-link-freetext" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc7517#section-3 would be instead represented as:
urn:ietf:params:oauth:jwk:kty:EC:crv:P-256:x:f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU:y:x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0:kid:Public%20key%20used%20in%20JWS%20spec%20Appendix%20A.3%20example
This would avoid double base64url-encoding fields, which would prevent unnecessary size expansion.
I suggest you work with David if you want to further pursue the idea of a JWK URI specification.
Best wishes,
-- Mike
- [OAUTH-WG] Comments on draft-chadwick-oauth-jwk-u… Mike Jones
- Re: [OAUTH-WG] Comments on draft-chadwick-oauth-j… David Chadwick