Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE

Dick Hardt <dick.hardt@gmail.com> Mon, 15 July 2013 03:51 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 14 Jul 2013 20:51:29 -0700
Message-ID: <CAD9ie-t60MACdGVBikGBxtQsHoxyk_SXO=AsaifH7F6Jp+oNyQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE

looks good to me!


On Sun, Jul 14, 2013 at 7:56 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> The following text is included about the potential privacy issue in JWT
> draft -10: “It is the responsibility of the application to ensure that
> only claims that are safe to be transmitted in an unencrypted manner are
> replicated as Header Parameter values in the JWT.”
>
>                                                             -- Mike
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dick Hardt
> Sent: Wednesday, May 29, 2013 8:48 AM
> To: Anthony Nadalin
> Cc: O Auth WG
> Subject: Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header
> Parameter Names in JWE
>
>
> Yes, there could be privacy issues, and we can describe that as a
> consideration in the specification. It is not an issue in my use case.
>
> On Wed, May 29, 2013 at 8:23 AM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
> So there could be privacy issues on why I would not want the ISS or AUD
> outside the encrypted payload.
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dick Hardt
> Sent: Tuesday, May 28, 2013 9:34 AM
> To: O Auth WG
> Subject: Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header
> Parameter Names in JWE
>
> Following up on this topic ...
>
> On Wed, May 1, 2013 at 2:12 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> "iss" and "aud" would be optional parameters in a JWE. These parameters
> are in the payload, but since it is encrypted, the payload must be
> decrypted before they can be read. Sometimes knowing these parameters is
> required to be able to decrypt the payload …
>
> These would be additions to 9.3.1 in the JWT specification.
>
> Why "iss" is needed:
>
> Bob and Charlie each gave Alice a KID and a symmetric key to use to verify
> and decrypt tokens from them.
>
> The App and Alice share keys so Alice knows it is the App.
>
> The User authorizes Bob to give the App a token (which authorizes the App
> to do something)
>
> The App gives the token to Alice.
>
> Since Alice indirectly received the token, the only way for Alice to know
> who sent the token is to look at the KID, as the "iss" claim is encrypted.
> If the "kid" values are GUIDs, then Alice can just look up the "kid" and
> retrieve the associated symmetric key, and then decrypt and verify the
> token and THEN see who sent it. If there is a collision in KID values (Bob
> and Charlie gave the same KID for different keys), then Alice will not know
> which symmetric key to use.
>
> Why "aud" is needed:
>
> Dave gives a KID and symmetric key to Ellen, and Frank gives a KID and
> symmetric key to Gwen.
>
> Ellen and Gwen trust each other and know how to talk to each other. Gwen
> does not know Dave. Ellen does not know Frank.
>
> The App and Gwen share keys so Gwen knows it is the App.
>
> The User authorizes Dave to give the App a token
>
> Dave gives the token to Gwen (Dave does not have a relationship with Ellen)
>
> Gwen now has a token that Ellen can decrypt and verify, but has no method
> for knowing that Ellen can do that. The "aud" property would allow Gwen to
> give the token to Ellen to decrypt and verify.
>
> --
> -- Dick
>
> --
> -- Dick
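
The two scenarios Dick describes in the quoted thread (Alice unable to pick a key when Bob and Charlie hand out the same "kid", and Gwen holding a token she cannot tell Ellen can decrypt), together with the draft text Mike quotes about replicating only safe claims into the header, as an added worked example. This is not code from the thread, from the JWT/JWE drafts, or from any JOSE library: it builds the protected header of a compact JWE with "kid", "iss" and "aud" copied from the claim set, reads that header before any decryption to select a key or to route the token, and refuses to replicate claims outside a constructed allow-list. The issuer URLs, kids, keys, peer identifiers and the allow-list are all assumptions of the example, and the four segments after the header are filler because nothing here decrypts.

```python
import base64
import json

# Constructed key registry for this example: each recipient stores keys under
# (issuer, kid) rather than under kid alone, so Bob and Charlie handing Alice
# the same kid for different keys does not collide.
KEY_REGISTRY = {
    ("https://bob.example", "7f3a"): b"constructed-bob-key",
    ("https://charlie.example", "7f3a"): b"constructed-charlie-key",
    ("https://dave.example", "91c0"): b"constructed-dave-key",
}

# Claims this example treats as safe to replicate into the clear-text header.
# The draft text leaves that judgement to the application; this allow-list is
# an assumption of the example, not something the drafts prescribe.
HEADER_SAFE_CLAIMS = {"iss", "aud"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_protected_header(claims: dict, kid: str, replicate: set) -> dict:
    """Build the JWE protected header, replicating only allow-listed claims
    from the claim set (which the JWE would encrypt) into the clear header."""
    unsafe = set(replicate) - HEADER_SAFE_CLAIMS
    if unsafe:
        raise ValueError(f"refusing to expose claims in header: {sorted(unsafe)}")
    header = {"alg": "dir", "enc": "A128GCM", "kid": kid}
    for name in sorted(replicate):
        if name in claims:
            header[name] = claims[name]
    return header


def make_token(header: dict) -> str:
    """Compact JWE shape: header.encrypted_key.iv.ciphertext.tag.  Only the
    header segment is meaningful here; the rest is constructed filler because
    the example stops at key selection and never decrypts."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    filler = b64url_encode(b"\x00" * 16)
    return ".".join([head, "", filler, filler, filler])  # "dir": empty encrypted key


def parse_protected_header(token: str) -> dict:
    """Read the protected header without touching the ciphertext."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE")
    return json.loads(b64url_decode(parts[0]))


def select_key(token: str) -> bytes:
    """Alice's problem: choose the decryption key from the header alone.  With
    "iss" present the lookup is exact; without it a kid shared by two issuers
    is ambiguous and the function refuses to guess rather than trying keys."""
    header = parse_protected_header(token)
    kid = header["kid"]
    iss = header.get("iss")
    if iss is not None:
        return KEY_REGISTRY[(iss, kid)]  # KeyError (a LookupError) if unknown
    matches = [key for (_, k), key in KEY_REGISTRY.items() if k == kid]
    if len(matches) != 1:
        raise LookupError(f"kid {kid!r} matches {len(matches)} keys; 'iss' needed")
    return matches[0]


def route_by_audience(token: str, peers: dict) -> str:
    """Gwen's problem: return the name of the peer whose identifier matches the
    header's "aud", i.e. the party that can actually decrypt and verify it."""
    aud = parse_protected_header(token).get("aud")
    if aud is None:
        raise LookupError("no 'aud' in header; cannot tell who can decrypt")
    for name, ident in peers.items():
        if ident == aud:
            return name
    raise LookupError(f"no known peer for audience {aud!r}")


if __name__ == "__main__":
    claims = {"iss": "https://bob.example", "aud": "https://alice.example", "sub": "user-42"}
    token = make_token(build_protected_header(claims, "7f3a", {"iss", "aud"}))
    print(parse_protected_header(token))
    print(select_key(token))
```

The header values are used only to decide which key to try or where to forward the token. In JWE the protected header is bound to the ciphertext as additional authenticated data, so tampering is detected once the authentication tag is checked, but before that check succeeds the values are unverified input: a recipient should take no authorization decision from a header "iss" or "aud", and should still compare the decrypted "iss"/"aud" claims against what the header said.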
>