Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Mike Jones <> Mon, 15 September 2014 20:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8D8E51A875C; Mon, 15 Sep 2014 13:49:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sgXnOBAovjzu; Mon, 15 Sep 2014 13:49:13 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::1:727]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6D2D1A6F7F; Mon, 15 Sep 2014 13:48:48 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1024.12; Mon, 15 Sep 2014 20:48:25 +0000
Received: from (2a01:111:f400:7c0c::193) by (2a01:111:e400:4000::24) with Microsoft SMTP Server (TLS) id 15.0.1029.13 via Frontend Transport; Mon, 15 Sep 2014 20:48:25 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1019.14 via Frontend Transport; Mon, 15 Sep 2014 20:48:24 +0000
Received: from ([]) by ([]) with mapi id 14.03.0195.002; Mon, 15 Sep 2014 20:47:44 +0000
From: Mike Jones <>
To: Tim Bray <>, Stephen Kent <>
Thread-Topic: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Thread-Index: AQHP0QAJrqBafxnciEq+15U92qOPJ5wCX4gggAAqrwCAAAC8AIAAFg3w
Date: Mon, 15 Sep 2014 20:47:43 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439AECE40BTK5EX14MBXC292r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(189002)(377454003)(24454002)(199003)(99396002)(15975445006)(6806004)(46102001)(83322001)(20776003)(92566001)(16236675004)(69596002)(86612001)(230783001)(85306004)(55846006)(74502001)(106466001)(80022001)(44976005)(107046002)(84326002)(74662001)(93886004)(68736004)(85806002)(87936001)(19580405001)(106116001)(26826002)(86362001)(54356999)(64706001)(71186001)(15202345003)(19300405004)(66066001)(4396001)(97736003)(31966008)(95666004)(15395725005)(85852003)(16297215004)(76482001)(77982001)(79102001)(81156004)(76176999)(92726001)(19625215002)(19580395003)(77096002)(512874002)(19617315012)(33656002)(2656002)(21056001)(81542001)(90102001)(83072002)(50986999)(84676001)(81342001)(104016003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB0836;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03355EE97E
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
Cc: "" <>, Kathleen Moriarty <>, "" <>, "" <>, "" <>
Subject: Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Sep 2014 20:49:15 -0000

Replies inline below…

From: Tim Bray []
Sent: Monday, September 15, 2014 11:54 AM
To: Stephen Kent
Cc: Mike Jones; Kathleen Moriarty;;;;
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

​When I talk about existing software I’m referring to generic JSON parsers such as are included in the basic library set of every programming language now, and which are unfortunately idiosyncratic and inconsistent in their handling of dupe keys, but in almost no cases actually inform the calling software whether or not dupe keys were encountered.

On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <<>> wrote:
OK, I'm a bit confused.

I thought the JOSE specs were intended to create standards for transport of keys, and for sigs,
MACs, and encryption of JSON objects.

Actually, the payloads of JWS and JWE objects can be any octet sequence – not just those representing JSON objects.

What is the existing software to which you and Tim refer, when referring to keys (vs.
JSON parsing in general)?

JWK objects are already used in production to distribute public keys.  For instance, the keys for Salesforce’s identity services are in JWK format at  (Note that I’m not saying that just because the current specs are in use, that no changes are possible.)
The existing JSON parsers include every existing JavaScript implementation, for starters, plus the JSON implementations in Java, PHP, Ruby, Python, Perl, .NET, Objective C, Scala, etc.  There’s a pretty large list at  Any of these could be used to consume these keys.


- Tim Bray (If you’d like to send me a private message, see

                                                            -- Mike