IETF Logo Mail Archive

Re: [OAUTH-WG] JWK Thumbprint URI Specification

Mike Jones <Michael.Jones@microsoft.com> Mon, 29 November 2021 20:58 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C1A63A096F for <oauth@ietfa.amsl.com>; Mon, 29 Nov 2021 12:58:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6LFaIW2sV7zO for <oauth@ietfa.amsl.com>; Mon, 29 Nov 2021 12:58:42 -0800 (PST)
Received: from na01-obe.outbound.protection.outlook.com (mail-cusazlp17010003.outbound.protection.outlook.com [40.93.13.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F9E03A096C for <oauth@ietf.org>; Mon, 29 Nov 2021 12:58:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h8A0x80dpTM/Ke55xx9DEprBkASDF9z3nD6vHrqkj7SpHbkAswGibPgA8gAGGeqsj37BEqlst6i+qqolza6YbY64apm3xJvSs+IPGhUR9tei8Q9p4qYyJuUny9qJ5QJ7h8HXk8tlszovZiylMawExP9V3wF3ugMOAoMMHgcaa+XHsnLpp7oz7G9DmDBDuXDhVXJbC/qdU7wGI9JtqIO/p3nmkhwpGu+1qKhnGUvWrsulfhw9vqOGc/kHJJozBuTSeXrzPZtk0FO+VXlAvmm+c6n8pqFafCT/KVGmPJ9i+3S+xw2qRFtMJBAgzl4RsE6wU15f22kjg5l5T//oD5UQGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bsrK8nrkS5WMNVlb+TluITprQ/L8GdGRYutYQMEzHk4=; b=J06xn5TkYgqgYftF9O3A4PDvxZjB5YukaE9YLX68IjsaWWA/B8/twkIfv/Ln/DSnTImcP+qSygO/q2tEHlhXIhJmNpVUTA4pTwtHM0mVopSVomIbVfjxBRbFMIByMFXRUb4UOf29nqQe482WeG8HDr8Wo5v2isGRehgWExgppWj2+MTzYxn7qyZE6gRwe297kYvCxzfRslLkDxCXr6ZOxmguBUpI9j/ke1ZdIf1950X1fk8lPWwFvvuZTenJI0BHXaXXlSrnNrxlFRiaDx5GFgnXE9O5skkP7gcPG8qImVOho41MzRU0+CLGsXS7siXX7yNFGVcHHDD+CA7USC1VhQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bsrK8nrkS5WMNVlb+TluITprQ/L8GdGRYutYQMEzHk4=; b=aPv/Pmg3zDY57rS7yUDaR1M5tTdFBunDwQ0BNUWakohUpHaIF4FnwhHk6go+gopGjKfy0utljPuhZjp7jiOKJ6/ACuOqP+bGy/uIPqF0uLnuqTql+n1WUxdNrd9cYDe7XwCSU2W9mrUfxAh2fFjW5uLgpX2iE/g6iy5P3TBX6Dk=
Received: from SA2PR00MB1002.namprd00.prod.outlook.com (2603:10b6:806:11a::8) by BN8PR00MB0450.namprd00.prod.outlook.com (2603:10b6:408:61::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4793.0; Mon, 29 Nov 2021 20:58:36 +0000
Received: from SA2PR00MB1002.namprd00.prod.outlook.com ([fe80::4da6:64af:f655:be82]) by SA2PR00MB1002.namprd00.prod.outlook.com ([fe80::4da6:64af:f655:be82%5]) with mapi id 15.20.4793.000; Mon, 29 Nov 2021 20:58:36 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
CC: David Chadwick <D.W.Chadwick@kent.ac.uk>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] JWK Thumbprint URI Specification
Thread-Index: AdflY97wYQofs95UR7ezIb5+d/sA+w==
Date: Mon, 29 Nov 2021 20:58:35 +0000
Message-ID: <SA2PR00MB1002357B78E386E1416A7233F5669@SA2PR00MB1002.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7793ded4-8b12-4f2f-1486-08d9b37b02ef
x-ms-traffictypediagnostic: BN8PR00MB0450:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <BN8PR00MB045074D1B8396E9B59A00628F5669@BN8PR00MB0450.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: K6FhEQmG6B5BgxepOf9ML4SrbL2QosrZEsWKHcncj1kx74HiqMlSrC+CKQjzQf9oy2qrfbqBttWjKzJJEDg2huCNLre6A6b2op8qFIXAd72GRN1AwWPe8v4Ye4RpcFaes3Fu1jVuRz2yZqUbc8yzjV129QIptL3RJxJY41nTxH29sOKqLI/m3LeNxPMo+D5Yh0j6Upq51DMaH8CiB8Ti8oaJknK/MRiuofuGerML2BU/h/C6WCfTna32ny0E1UHVn30ylHweMlqMw3APUCsJSlUpN5pBYp03NgQLLOAFsU9fYKFFhHmwqb6RBCeE3H0DmBQINQ7BekXzgo4Al05zCsiSEKTNEX/65DCtjK4C8LtEQrT8qaXMWNbbEeZ1CXkhihIpggJr9jyyM3xMDboMPa0uIFcdN0HCixVinvY7FwyYFN4t5KJg1WN2deHKDg8OGdQuGpwqvK+oH01n/E64Rzj+7zLBTRyKEmCNTBUGcpYaODCW34TcS/WGi06jiuYLqM6I8itAY+6AUDRo4+t2rBiZH9jKoglj0BYeVX+GKje8iwzS0lNR18b19aCYS1gSYubokRclJUava2JXGaih65qKJYffZ2RnJVfbXrzYV1lfnhFoQhkw93Im8Cs4Ad6I2DeNxBqcBip0xD3Ffr7oyhxv1TzHE2TkqQ5qS8I7uhukaLJ9TVHiA1T7ZOA8LD4RMW6I3jRmTIMEFpnD4JM7F/kxhBWx0h6rOtamIXg5UscgQfoyQIWylRE8GZR787nvXg0eQQ4off93OPGrDdGRRERHW98YGLR91JAMxFjmnjtwJOg+ChGlrCZQFKO/5nPDTBJmSlY+etB2hxjvQBenIz4gqJif0hvT2+VODQFwX5QTINKoLOCbhYIM6xJY65QK
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA2PR00MB1002.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(52536014)(38100700002)(508600001)(66946007)(38070700005)(66446008)(66556008)(64756008)(122000001)(21615005)(66476007)(4326008)(8676002)(82960400001)(82950400001)(5660300002)(166002)(9686003)(2906002)(7696005)(71200400001)(33656002)(53546011)(86362001)(8990500004)(186003)(6506007)(966005)(10290500003)(54906003)(55016003)(316002)(8936002)(76116006)(20210929001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Ay9lq6F2q9uBBhyo79Awzq+wXPETnr0N51x8uvtngoJHvKxAT95I2yDJyvgVE9YhI9Sn2U7Ny5E4UtXfGXnoxcxjFTUOyAS93Dzz2TnVN26kp29kNekkwk7MNTxV6yoXb/CoYo+gHzUC8cWyDpIv2wk2i0eI6N7tYNHYKuJ79/GvECeyLC/0Wlds9WEnkCnR5Ij6VTReBCT39dv49i8MA6GpzNUUAOZ+GMNr+1l6qxtAPE97qqUd+Cd1dGIV7RJVgLbsLo1UuDQKKnGvvlZJKfhLs5GkxF9XaU2UYyqbMvTZHRGu8ULzziNhmkdF4JUFJB7/JbsccVTbv4HDlOIwL0JTZGeS+B6UEzkkEFKImXAcTK8wNzfobL4yV8+S4ZIkJ/eIVB75Oal2K9NFQypZncIYDW8qEVxh9JPTi+cfv7jqsby/5CzRnheXOelxPBcjjppBPFXP4Rwbuun3hAvR3Qb5hVqvxJ0/8wjKFCZgsZ542Vwn4m2Ox7JqDYOXySse14EQKyLZUYslLVD0ngb5ADhFODCvefvT5Bq16pJt9rT3Kurhl7b60CKKUTNjQXW0q6x4OhNWyk5IFEiWoOStM5VmIpFuxkxkrQrDoa1TCUyQqGQM7rzA78cwWQ0ayNH3l9QStuwLqwfJWi2Rp8s8dDuLS2Tw6Aacc/7d9tEvL1X/0atAVIdMznezIFWQBh7cspMLoDgWLGBCcHTCD5ms4u+4IyZTyo4RR1gopGYPiRHZIrRvqJ6l2s2OmU1xTNyy9GznvrKCVHMgAWuHve8Om5fdLp7paqcXkZ0VDxVRQNHT0FDFY9OEUQxx92gRfTe87KUADnpIMDWhUk23EL4UKp0/ae4h4FX3dCKE9NQqyFZ4V3yDnVeiampB5QBRwy+4LaXHKHAko85SUeENysJyUfsIFzQQas5S/GlaRJbdU1G/2pzJA8jmEapgRx4EUCpe9AGP/9j7GcicvNhRaKbU92rhtU/bktPahB81Vv6oNg4gsQrd76yVjelZ20x2YYR0ewCZ+j36taoq1hYa4VrMoywYOe0TzOTqb9/95yE7NDv3FB055XGodb1r0sYtBX8Y2iqoERUfR7w2ZI7BVYLFqRAsO9sdOtyifFsHXr/k9vVrRzlsv8rHWLoFLFO9EeFiE0yg/iVN1mHZopWMf0Jb4DrW1Do9jxCGtrC8riyffdA/IR3Fs+EQ4/dyN+ervFTCDyzzmrEqLmT0Q76Q/dALfYHCyy6vtoyq8/etEr7U7tfxiLt6PUf0a7gD6SI9QYdbXfcw3hZwFawfyVbUECKkDsCMgrzvUeKV8wFCmlNgoqS1wMJkIQxy1G8xcl31eTuclzPXo3CAsr5qmmVK5gr0ats8gZDY7FoSL/BEkKP8ESIa0UPovekBdxwO9qoFyF3cOhRRHdft30dCEzEQF6Zc5ISTKUrfMQo9FDbXkebyisVuth4CumWPgpbjLG5UCwMiSgxkwzMmxeO4UsN2Q7G3UFdqHTWn1ceLp9lJwz0tWtBuEzsldPe3z4o0+hDzC+xrd7QMIPGY1+c8RHApFRVnMbuCOftuFTnmPoxYF5/my3LJoVKhAPldYkv4tqPT8OoBB/jN+zLdDFHTBgu2ETdfS5wNNtRZc9qidds2YGgrZhKQGkJEvl8gEC/lThht0ke2N1mMnVynED7lcYTDH4PgArpkNoMbM/+FkRWNjP9YV2M=
Content-Type: multipart/alternative; boundary="_000_SA2PR00MB1002357B78E386E1416A7233F5669SA2PR00MB1002namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA2PR00MB1002.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7793ded4-8b12-4f2f-1486-08d9b37b02ef
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Nov 2021 20:58:36.0102 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GeZW8fOz3B+bk/mJBw6wOX9AOFZaT+efZmmrY6Xltvy9J2YG1pUq/7m8ERER4qfTCe+eZtajFVdhAol2y+60ZQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR00MB0450
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GM7_uMbX5RUBRM1RHCexvdcPvmg>
Subject: Re: [OAUTH-WG] JWK Thumbprint URI Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 20:58:48 -0000

Hi DW,

Having the OAuth WG to add a new registration to a registry that it controls is fairly easy.  Our success in motivating and accomplishing registering a new URI scheme may vary.

You can read about how the JWK Thumbprint RFC handles choice of hash functions in the Selection of Hash Function section https://datatracker.ietf.org/doc/html/rfc7638#section-3.4.  I would propose that we do the same.  I can plan on adding text to that effect in the next published draft.

                                                       Thanks,
                                                       -- Mike

From: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
Sent: Wednesday, November 24, 2021 2:42 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: David Chadwick <D.W.Chadwick@kent.ac.uk>; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWK Thumbprint URI Specification

I would investigate whether there are advantages of having this be a URN vs a URI in a new base scheme (e.g. jkt:bTz_1…). I haven’t seen much URN namespacing of dynamic values (e.g. values not being maintained by the entity responsible for the namespace or sub-spaces), and a new scheme is a terser form.

Also, do you foresee any reason to support other hashing algorithms, since thumbprints themselves do not dictate a hashing algorithm? An optional hashing seems simple enough to add, except I don’t know of a hash algorithm registry to reference

-DW

Sent from my iPhone


On Nov 24, 2021, at 4:18 PM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>> wrote:

The JWK Thumbprint is typically used as a key identifier. Yes, the key needs to be known by other means if you’re going to use it.  Some protocols work that way, which is what this spec is intended to enable.  For instance, the Self-Issued OpenID Provider (SIOP) v1 and v2 protocols send the public key separately in a “sub_jwk” claim.  In other use cases, it may already be known to the receiving party – for instance, from a prior discovery step.

It would be fine to separately also define a URI representation communicating an entire JWK, but that would be for different use cases, and not the goal of this (intentionally narrowly scoped) specification.

                                                       Cheers,
                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On Behalf Of David Chadwick
Sent: Wednesday, November 24, 2021 12:36 PM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWK Thumbprint URI Specification

On 24/11/2021 20:07, Mike Jones wrote:

The JSON Web Key (JWK) Thumbprint specification [RFC 7638<https://www.rfc-editor.org/rfc/rfc7638.html>] defines a method for computing a hash value over a JSON Web Key (JWK) [RFC 7517<https://www.rfc-editor.org/rfc/rfc7517.html>] and encoding that hash in a URL-safe manner. Kristina Yasuda<https://twitter.com/kristinayasuda> and I have just created the JWK Thumbprint URI<https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-00.html> specification, which defines how to represent JWK Thumbprints as URIs. This enables JWK Thumbprints to be communicated in contexts requiring URIs, including in specific JSON Web Token (JWT) [RFC 7519<https://www.rfc-editor.org/rfc/rfc7519.html>] claims.



My immediate observation is why are you sending the thumbprint of the JSON Web Key and not sending the actual key value in the URI?

Sending the thumbprint means the recipient still has to have some other way of obtaining the actual public key, whereas sending the public key as a URI means that no other way is needed.

Kind regards

David



Use cases for this specification were developed in the OpenID Connect Working Group<https://openid.net/wg/connect/> of the OpenID Foundation. Specifically, its use is planned in future versions of the Self-Issued OpenID Provider v2<https://openid.net/specs/openid-connect-self-issued-v2-1_0.html> specification.



The specification is available at:
1.       https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-00.html

                                                       -- Mike

P.S.  This note was also published at https://self-issued.info/?p=2211 and as @selfissued<https://twitter.com/selfissued/>.





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email