[OAUTH-WG] Comments on draft-chadwick-oauth-jwk-uri-00

Mike Jones <Michael.Jones@microsoft.com> Fri, 18 February 2022 18:33 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: David Chadwick <D.W.Chadwick@kent.ac.uk>
CC: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 18 Feb 2022 18:33:08 +0000
Message-ID: <SA2PR00MB1002028095276BE702AA24EFF5379@SA2PR00MB1002.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/imhc1ufBKjiIkfY3-1tOXo7vwuY>
Subject: [OAUTH-WG] Comments on draft-chadwick-oauth-jwk-uri-00

Thanks for pointing the working group to this individual submission, David.  Here are some initial comments on the document, as you requested.

First, you specify base64 encoding of the JWK, rather than base64url encoding of it.  This would result in non-URL-safe characters in the URI, such as /, +, and =.  If you're going to encode things, I suggest using the URL-safe base64url encoding.

But secondly, I would not re-encode the JWK fields at all.  I know that David Waite had an idea for a representation of JWK URIs where the JSON fields are represented as colon-separated pairs in the URI.  So for instance, the example JWK at https://datatracker.ietf.org/doc/html/rfc7517#section-3 would be instead represented as:

urn:ietf:params:oauth:jwk:kty:EC:crv:P-256:x:f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU:y:x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0:kid:Public%20key%20used%20in%20JWS%20spec%20Appendix%20A.3%20example

This would avoid double base64url-encoding fields, which would prevent unnecessary size expansion.

I suggest you work with David if you want to further pursue the idea of a JWK URI specification.

                                                       Best wishes,
                                                       -- Mike