[OAUTH-WG] Updated versions of JWT, JWS, JWE, and JWK specs posted

Mike Jones <Michael.Jones@microsoft.com> Mon, 31 October 2011 23:49 UTC

I've posted updated versions of the JSON Web Token (JWT)<http://self-issued.info/docs/draft-jones-json-web-token.html>, JSON Web Signature (JWS)<http://self-issued.info/docs/draft-jones-json-web-signature.html>, JSON Web Encryption (JWE)<http://self-issued.info/docs/draft-jones-json-web-encryption.html>, and JSON Web Key (JWK)<http://self-issued.info/docs/draft-jones-json-web-key.html> specifications.  No changes should be required to any existing deployments as a result of these updates.

The primary thrust of these changes was updating the JWT spec to describe how to create and process encrypted JWTs.  (The previous JWT spec pre-dated publication of the JWE spec.)  I also removed duplicate content from the JWT spec describing the steps to sign JWTs and instead simply referenced it in the JWS spec.  Numerous suggestions on improving the specifications from the WOES and JOSE lists were also incorporated.  The changelog entries are as follows:

draft-jones-json-web-token-06<http://self-issued.info/docs/draft-jones-json-web-token-06.html>
* Reference and use content from [JWS]<http://self-issued.info/docs/draft-jones-json-web-token.html#JWS> and [JWE]<http://self-issued.info/docs/draft-jones-json-web-token.html#JWE>, rather than repeating it here.
* Simplified terminology to better match JWE, where the terms "JWT Header" and "Encoded JWT Header" are now used, for instance, rather than the previous terms "Decoded JWT Header Segment" and "JWT Header Segment". Also changed to "Plaintext JWT" from "Unsigned JWT".
* Describe how to perform nested encryption and signing operations.
* Changed "integer" to "number", since that is the correct JSON type.
* Changed StringAndURI to StringOrURI.

draft-jones-json-web-signature-03<http://self-issued.info/docs/draft-jones-json-web-signature-03.html>
* Simplified terminology to better match JWE, where the terms "JWS Header" and "Encoded JWS Header" are now used, for instance, rather than the previous terms "Decoded JWS Header Input" and "JWS Header Input". Likewise the terms "JWS Payload" and "JWS Signature" are now used, rather than "JWS Payload Input" and "JWS Crypto Output".
* The jku and x5u URLs are now required to be absolute URLs.
* Removed this unnecessary language from the kid description: "Omitting this parameter is equivalent to setting it to an empty string".
* Changed StringAndURI to StringOrURI.

draft-jones-json-web-encryption-01<http://self-issued.info/docs/draft-jones-json-web-encryption-01.html>
* Changed type of Ephemeral Public Key (epk) from string to JSON object, so that a JWK Key Object value can be used directly.
* Specified that the Digest Method for ECDH-ES is SHA-256. (The specification was previously silent about the choice of digest method.)
* The jku and x5u URLs are now required to be absolute URLs.
* Removed this unnecessary language from the kid description: "Omitting this parameter is equivalent to setting it to an empty string".
* Use the same language as RFC 2616 does when describing GZIP message compression.

draft-jones-json-web-key-02<http://self-issued.info/docs/draft-jones-json-web-key-02.html>
* Editorial changes to have this spec better match the JWT, JWS, and JWE specs. No normative changes.

The specs are available in the standard places.  The HTML versions can be found at these locations:

* http://tools.ietf.org/html/draft-jones-json-web-token-06
* http://tools.ietf.org/html/draft-jones-json-web-signature-03
* http://tools.ietf.org/html/draft-jones-json-web-encryption-01
* http://tools.ietf.org/html/draft-jones-json-web-key-02
* http://self-issued.info/docs/draft-jones-json-web-token-06.html
* http://self-issued.info/docs/draft-jones-json-web-signature-03.html
* http://self-issued.info/docs/draft-jones-json-web-encryption-01.html
* http://self-issued.info/docs/draft-jones-json-web-key-02.html

Feedback welcome!

                                                                -- Mike