Re: [OAUTH-WG] Nested JWT (was: Re: [jose] "typ":"JWS")
Mike Jones <Michael.Jones@microsoft.com> Fri, 06 July 2012 18:31 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86BB611E80D2 for <oauth@ietfa.amsl.com>; Fri, 6 Jul 2012 11:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.262
X-Spam-Level:
X-Spam-Status: No, score=-5.262 tagged_above=-999 required=5 tests=[AWL=1.337, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3qfI0iuISJ+S for <oauth@ietfa.amsl.com>; Fri, 6 Jul 2012 11:31:17 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe006.messaging.microsoft.com [216.32.180.16]) by ietfa.amsl.com (Postfix) with ESMTP id 1A6E011E80AD for <oauth@ietf.org>; Fri, 6 Jul 2012 11:31:17 -0700 (PDT)
Received: from mail111-va3-R.bigfish.com (10.7.14.254) by VA3EHSOBE002.bigfish.com (10.7.40.22) with Microsoft SMTP Server id 14.1.225.23; Fri, 6 Jul 2012 18:29:25 +0000
Received: from mail111-va3 (localhost [127.0.0.1]) by mail111-va3-R.bigfish.com (Postfix) with ESMTP id 875DA602CA; Fri, 6 Jul 2012 18:29:25 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -29
X-BigFish: VS-29(zz98dI9371I542M1432I1447Izz1202hzz1033IL8275dhz2fh2a8h668h839hd25hf0ah107ah)
Received-SPF: pass (mail111-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC107.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail111-va3 (localhost.localdomain [127.0.0.1]) by mail111-va3 (MessageSwitch) id 1341599363750384_9838; Fri, 6 Jul 2012 18:29:23 +0000 (UTC)
Received: from VA3EHSMHS030.bigfish.com (unknown [10.7.14.237]) by mail111-va3.bigfish.com (Postfix) with ESMTP id B3A414004C; Fri, 6 Jul 2012 18:29:23 +0000 (UTC)
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS030.bigfish.com (10.7.99.40) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 6 Jul 2012 18:29:23 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.02.0309.003; Fri, 6 Jul 2012 18:31:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Thread-Topic: Nested JWT (was: Re: [jose] "typ":"JWS")
Thread-Index: AQHNW6RTy17iT3k5l0KLVKfXYwOy5pcckp4g
Date: Fri, 06 Jul 2012 18:31:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436657A2B8@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436657A131@TK5EX14MBXC283.redmond.corp.microsoft.com> <F6ACB680-7E7D-43BF-A8D8-013B17A97F70@bbn.com>
In-Reply-To: <F6ACB680-7E7D-43BF-A8D8-013B17A97F70@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.75]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Nested JWT (was: Re: [jose] "typ":"JWS")
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2012 18:31:18 -0000
A nested JWT is one where a JWT is used as the payload of another JWT, for instance, so you can do sign/encrypt/sign. See http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-01#section-7 and http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-01#section-5.2. I wouldn't use it for multiple signatures - I'd use http://tools.ietf.org/html/draft-jones-json-web-signature-json-serialization-02 or similar for that. -- Mike -----Original Message----- From: Richard L. Barnes [mailto:rbarnes@bbn.com] Sent: Friday, July 06, 2012 11:23 AM To: Mike Jones Cc: Manger, James H; jose@ietf.org Subject: Nested JWT (was: Re: [jose] "typ":"JWS") Not sure what the appropriate list is for this, so I'm just going to ask it here: What is a "nested JWT"? I'm guessing it's a JWT claim set wrapped in JWS multiple times, as in the example we were discussing earlier? Why would you want to do that instead of having parallel signatures? On Jul 6, 2012, at 2:19 PM, Mike Jones wrote: > Thanks for the thought on this, James. > > In the -03 drafts there is now a clear distinction between "typ" (type) - information about this object and the new "cty" (content type) - information about the secured object. Besides being semantically cleaner, this also simplified nested JWTs. > > I then was able to make changes in the spirit of the ones you suggested below, although using slightly different wording in some cases. > > -- > Mike > > From: Manger, James H [mailto:James.H.Manger@team.telstra.com] > Sent: Tuesday, May 15, 2012 5:40 PM > To: Mike Jones; jose@ietf.org > Subject: RE: "typ":"JWS" > > >> draft-ietf-jose-json-web-signature-02 §7.2 registers the "JWS" type > >> value (for the "typ" header field) . Perhaps "typ":"JWS" is more > >> useful in a JWE header when encrypting signed content (sign-then-encrypt). If this is the intention, then mentioning the "JWS" type value when defining the "typ" header for a JWS is misleading. It would be better to mention it where the JWE spec defines "typ". > >> . > > > Your second paragraph correctly describes the intended usage. For instance, see http://tools.ietf.org/html/draft-jones-json-web-token-10#section-5.1 for this usage in action. The value is registered per the working group decision relating "typ" values to MIME types. > > Good. So let's say that. Suggested text changes: > > * draft-ietf-jose-json-web-signature-02, section 4.1.8 "typ" (Type) Header Parameter: delete the 2nd sentence because signing a signature is not what we are talking about (and JWS-JS recommends a different approach for multiple signatures anyway). > > * section 7.1 Registration of application/jws MIME Media Type: add a phrase explicitly stating the syntax (since the spec mentions two: compact, and JWS JS) so the section says: > This specification registers the "application/jws" MIME Media Type [RFC 2045] > to identify content that uses the JWS compact serialization. > > * section 7.2 Registration of "JWS" Type Value: mention the intended use of encrypting signed content by adding this sentence. > The "typ" parameter can be set to "JWS" in a JSON Web Encryption [JWE] header when encrypting signed content. > > * draft-ietf-jose-json-web-encryption-02, section 4.1.13 "typ" (Type) Header Parameter, section 11.1 Registration of application/jwe MIME Media Type, section 11.2 Registration of "JWE" type Value: make equivalent changes. > > -- > James Manger > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- Re: [OAUTH-WG] Nested JWT (was: Re: [jose] "typ":… Mike Jones
- Re: [OAUTH-WG] Nested JWT (was: Re: [jose] "typ":… Richard L. Barnes
- Re: [OAUTH-WG] Nested JWT (was: Re: [jose] "typ":… John Bradley
- Re: [OAUTH-WG] Nested JWT (was: Re: [jose] "typ":… Manger, James H