Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwk-thumbprint-uri-01.txt> (JWK Thumbprint URI) to Proposed Standard

David Waite <david@alkaline-solutions.com> Wed, 11 May 2022 08:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hv0w0cKbPaAYraszLhhXXI6JKNw>

RFC 7517 does define an "application/jwk+json" media type which could be used with the ct= query parameter for an ni-scheme URI. The resulting ni-scheme URI could be used to refer to a specific generated JWK document.

However, I do not believe this would be a sufficient way to indicate that this is the pre-hash minimized, canonicalized form required for thumbprint generation in RFC 7638 (e.g. non-required members removed, JSON documents in lexicographical key order represented as UTF-8).

The information dropping of the canonicalization in JWK thumbprints results in a few important properties - in particular, a local JWK document representing a private key and the shared JWK document representing the corresponding public key will have the same thumbprint. This enables the JWK Thumbprint to serve as an algorithmic key identifier for all participating parties.

This creates the issue with using the ni scheme - an NI URI could be used to refer to a single JWK document. However, the semantics when interpreting a thumbprint are that it references potentially multiple data forms with different binary representations, and that a software ‘lookup’ operation taking a JWK thumbprint may result in data which does not have the specified hash value. My interpretation would be that these behaviors go against the spirit of RFC 6920.

-DW

> On May 6, 2022, at 6:27 AM, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
> 
> Mike,
> 
> RFC6920 defines an optional query parameter, in section 3:
> https://www.rfc-editor.org/rfc/rfc6920.html#section-3
> 
> I guess you could have added a query parameter to add that specificity.
> 
> Regards,
>  Rifaat
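
Added example, not part of the original message or of either draft: a Python sketch of the distinction discussed above, computing the RFC 7638 thumbprint (which is identical for the private and public JWK) beside an RFC 6920 ni URI (which names one exact serialized document). The sample key values are constructed placeholders, the function names are hypothetical, and the URN prefix is the one registered in RFC 9278.

```python
import base64
import hashlib
import json

# RFC 7638 section 3.2: the only members that enter the thumbprint hash.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> bytes:
    """Pre-hash form: required members only, sorted keys, no whitespace, UTF-8."""
    names = REQUIRED[jwk["kty"]]
    missing = [n for n in names if n not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members: {missing}")
    reduced = {n: jwk[n] for n in names}
    text = json.dumps(reduced, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk)).digest())

def thumbprint_uri(jwk: dict) -> str:
    return "urn:ietf:params:oauth:jwk-thumbprint:sha-256:" + jwk_thumbprint(jwk)

def document(jwk: dict) -> bytes:
    """One concrete serialization of a JWK, as it might be stored or published."""
    return json.dumps(jwk).encode("utf-8")

def ni_uri(doc: bytes, ct: str = "application/jwk+json") -> str:
    """RFC 6920 name for one exact byte string, with the optional ct= parameter."""
    return "ni:///sha-256;" + b64url(hashlib.sha256(doc).digest()) + "?ct=" + ct

# Constructed sample: x, y and d are placeholder bytes, not a real P-256 key pair.
PUBLIC_JWK = {"kty": "EC", "crv": "P-256", "kid": "demo-1", "use": "sig",
              "x": b64url(b"x" * 32), "y": b64url(b"y" * 32)}
PRIVATE_JWK = dict(PUBLIC_JWK, d=b64url(b"d" * 32))

if __name__ == "__main__":
    for label, jwk in (("public ", PUBLIC_JWK), ("private", PRIVATE_JWK)):
        print(label, thumbprint_uri(jwk))     # same URN for both forms
        print(label, ni_uri(document(jwk)))   # different ni URI per document
```

A lookup keyed by the thumbprint can therefore return either document, and neither document's bytes hash to the thumbprint value unless it happens to be stored in the canonical form.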