Mike Jones: self-issued

Musings on Digital Identity

Author: Mike Jones Page 23 of 33

Building the Internet's missing identity layer

W3C WebCrypto API First Public Working Draft

By

On September 18, 2012

In Cryptography, Specifications

W3C logoAs many of you know, the W3C Web Cryptography Working Group is developing a WebIDL/JavaScript API for cryptography operations. They recently published their First Public Working Draft. One of their use cases is being able to use the WebCrypto API to implement the IETF JOSE specifications.

I encourage those of you who are interested to review the draft API specification. Comments can be sent to public-webcrypto-comments@w3.org. The latest public version of the specification can always be found at http://www.w3.org/TR/WebCryptoAPI/.

Also see the post by Virginie Galindo, the working group chair.

OAuth Assertion Framework draft -05

By

On September 10, 2012

In Claims, OAuth, Specifications

OAuth logoDraft 05 of the Assertion Framework for OAuth 2.0 has been published. It contains non-normative editorial changes to improve readability.

The draft is available at:

An HTML-formatted version is available at:

JSON Private Key Specification

By

On August 15, 2012

In Cryptography, JSON, Specifications

IETF logoW3C logoThe W3C WebCrypto working group recently made an inquiry to the IETF JOSE working group about the possibility of defining a JSON representation for private keys. To facilitate discussion of this topic by both working groups, I created a draft JSON Private Key specification. The specification is very simple; it just defines two additional members for the JWK structure for representing the private parts of Elliptic Curve and RSA keys.

The specification is available at:

A HTML-formatted version of the specification is available at:

OAuth Core -31 and OAuth Bearer -23 specs published

By

On August 1, 2012

In OAuth, Specifications

OAuth logoHopefully final versions of the OAuth Core and Bearer specs have been published. These versions correct an editorial issue with the security clarification made in Core -30 and remove David Recordon from the author lists, at his request.

The specifications are available at:

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-31 are:

  • Clarify that any client can send client_id but that sending it is only required when using the code flow if the client is not otherwise authenticated.
  • Removed David Recordon’s name from the author list, at his request.

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-23 are:

  • Removed David Recordon’s name from the author list, at his request.

HTML-formatted versions are available at:

IETF 84 versions of JOSE and JWT specifications

By

On July 31, 2012

In Claims, Cryptography, JSON, Specifications

IETF logoI’ve made a minor release of the JSON WEB {Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) specifications to support the working group discussions at IETF 84 in Vancouver, BC. This release incorporates working group feedback since the minor release on July 16th and updates the lists of open issues in the JWE and JWA specifications.

The specifications are available at:

The document history entries (also in the specifications) are as follows:

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-05

  • Added statement that “StringOrURI values are compared as case-sensitive strings with no transformations or canonicalizations applied”.
  • Indented artwork elements to better distinguish them from the body text.

http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-05

  • Support both direct encryption using a shared or agreed upon symmetric key, and the use of a shared or agreed upon symmetric key to key wrap the CMK.
  • Added statement that “StringOrURI values are compared as case-sensitive strings with no transformations or canonicalizations applied”.
  • Updated open issues.
  • Indented artwork elements to better distinguish them from the body text.

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-05

  • Indented artwork elements to better distinguish them from the body text.

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-05

  • Support both direct encryption using a shared or agreed upon symmetric key, and the use of a shared or agreed upon symmetric key to key wrap the CMK. Specifically, added the alg values dir, ECDH-ES+A128KW, and ECDH-ES+A256KW to finish filling in this set of capabilities.
  • Updated open issues.

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03

  • Added statement that “StringOrURI values are compared as case-sensitive strings with no transformations or canonicalizations applied”.
  • Indented artwork elements to better distinguish them from the body text.

HTML-formatted versions are available at:

My congratulations to Andrew Nash

By

On July 18, 2012

In People

Andrew NashMy congratulations to Andrew Nash on his new position as CTO of Trulioo. Have fun playing on the swings and the monkey bars!

Pre-IETF 84 versions of JOSE and JWT specifications

By

On July 16, 2012

In Claims, Cryptography, JSON, Specifications

IETF logoI’ve made a minor release of the JSON WEB {Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) working group specifications and the JWS and JWE JSON Serialization (JWS-JS, JWE-JS) individual submission specifications in preparation for IETF 84 in Vancouver, BC. These versions incorporate feedback from working group members since the major release on July 6th, and update the lists of open issues in preparation for discussions in Vancouver (and on the working group mailing lists).

One significant addition is that the JWT and JWE-JS specs both now contain complete, testable examples with encrypted results. No normative changes were made.

The working group specifications are available at:

The individual submission specifications are available at:

The document history entries (also in the specifications) are as follows:

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-04

  • Completed JSON Security Considerations section, including considerations about rejecting input with duplicate member names.
  • Completed security considerations on the use of a SHA-1 hash when computing x5t (x.509 certificate thumbprint) values.
  • Refer to the registries as the primary sources of defined values and then secondarily reference the sections defining the initial contents of the registries.
  • Normatively reference XML DSIG 2.0 [W3C.CR xmldsig core2 20120124] for its security considerations.
  • Added this language to Registration Templates: “This name is case sensitive. Names that match other registered names in a case insensitive manner SHOULD NOT be accepted.”
  • Reference draft-jones-jose-jws-json-serialization instead of draft-jones-json-web-signature-json-serialization.
  • Described additional open issues.
  • Applied editorial suggestions.

http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-04

  • Refer to the registries as the primary sources of defined values and then secondarily reference the sections defining the initial contents of the registries.
  • Normatively reference XML Encryption 1.1 [W3C.CR xmlenc core1 20120313] for its security considerations.
  • Reference draft-jones-jose-jwe-json-serialization instead of draft-jones-json-web-encryption-json-serialization.
  • Described additional open issues.
  • Applied editorial suggestions.

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-04

  • Refer to the registries as the primary sources of defined values and then secondarily reference the sections defining the initial contents of the registries.
  • Normatively reference XML DSIG 2.0 [W3C.CR xmldsig core2 20120124] for its security considerations.
  • Added this language to Registration Templates: “This name is case sensitive. Names that match other registered names in a case insensitive manner SHOULD NOT be accepted.”
  • Described additional open issues.
  • Applied editorial suggestions.

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-04

  • Added text requiring that any leading zero bytes be retained in base64url encoded key value representations for fixed-length values.
  • Added this language to Registration Templates: “This name is case sensitive. Names that match other registered names in a case insensitive manner SHOULD NOT be accepted.”
  • Described additional open issues.
  • Applied editorial suggestions.

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-02

  • Added an example of an encrypted JWT.
  • Added this language to Registration Templates: “This name is case sensitive. Names that match other registered names in a case insensitive manner SHOULD NOT be accepted.”
  • Applied editorial suggestions.

http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-01

  • Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs).

http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-01

  • Added a complete JWE-JS example.
  • Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs).

HTML-formatted versions are available at:

OAuth Core draft -30 published

By

On July 15, 2012

In OAuth, Specifications

OAuth logoDraft -30 of the OAuth Core spec has been published. The only change was:

  • Added text explaining why the server_error and temporarily_unavailable error codes are needed.

The draft is available at:

An HTML-formatted version is available at:

Thanks to Dick Hardt for quickly resolving this issue.

OAuth Core -29 and OAuth Bearer -22 specs published

By

On July 12, 2012

In OAuth, Specifications

OAuth logoNew versions of the OAuth Core and Bearer specs have been published that are intended to address all outstanding issues. (Although see Dick Hardt’s forwarded note from Charles Honton, which may result in an additional issue.)

The specifications are available at:

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-29 are:

  • Added “MUST” to “A public client that was not issued a client password MUST use the client_id request parameter to identify itself when sending requests to the token endpoint” and added text explaining why this must be so.
  • Added that the authorization server MUST “ensure the authorization code was issued to the authenticated confidential client or to the public client identified by the client_id in the request”.
  • Added Security Considerations section “Misuse of Access Token to Impersonate Resource Owner in Implicit Flow”.
  • Added references in the “Implicit” and “Implicit Grant” sections to particularly pertinent security considerations.
  • Added appendix “Use of application/x-www-form-urlencoded Media Type” and referenced it in places that this encoding is used.
  • Deleted “;charset=UTF-8” from examples formerly using “Content-Type: application/x-www-form-urlencoded;charset=UTF-8”.
  • Added the phrase “with a character encoding of UTF-8” when describing how to send requests using the HTTP request entity-body.
  • For symmetry when using HTTP Basic authentication, also apply the application/x-www-form-urlencoded encoding to the client password, just as was already done for the client identifier.
  • Added “The ABNF below is defined in terms of Unicode code points [W3C.REC xml 20081126]; these characters are typically encoded in UTF-8”.
  • Replaced UNICODENOCTRLCHAR in ABNF with UNICODECHARNOCRLF = %x09 / %x20-7E / %x80-D7FF / %xE000-FFFD / %x10000-10FFFF.
  • Corrected incorrect uses of “which”.
  • Reduced multiple blank lines around artwork elements to single blank lines.
  • Removed Eran Hammer’s name from the author list, at his request. Dick Hardt is now listed as the editor.

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-22 are:

  • Removed uses of HTTPbis in favor of RFC 2616 and RFC 2617, since HTTPbis is not an approved standard.
  • Match formatting of artwork elements with OAuth core specification.

HTML-formatted versions are available at:

Thanks to Dick Hardt for editing the Core specification. Thanks to Julian Reschke for supplying the text in Core Appendix B on the use of the application/x-www-form-urlencoded encoding.

JSON Serialization Specifications Renamed

By

On July 9, 2012

In Cryptography, JSON, Specifications

IETF logoI renamed the JSON Serialization specifications so that they now have “jose” in the document name. Jim Schaad tells me that then they’ll automatically be added to the JOSE Related Documents list at http://datatracker.ietf.org/wg/jose/. No normative changes were made.

These documents use the JWS and JWE crypto calculations, but enable multiple parallel signatures and multiple recipients.

The new versions are:

HTML formatted versions are available at:

Updated Simple Web Discovery (SWD) Specification

By

On July 6, 2012

In JSON, Specifications

IETF logoI’ve updated the Simple Web Discovery (SWD) specification to incorporate editorial improvements suggested by Julian Reschke and to apply applicable editorial improvements also recently made to the JOSE specifications. No normative changes were made.

The updated specification is available at:

Changes made were:

  • Changed “requests use the x-www-form-urlencoded format” to “requests use query parameters” and changed “an x-www-form-urlencoded form” to “a form encoded using the application/x-www-form-urlencoded encoding algorithm”, both at the suggestion of Julian Reschke.
  • Updated examples to use “urn:example:” URNs rather than “urn:example.org:” URNs, also at Julian’s suggestion.
  • Applied applicable editorial improvements from JOSE specs to SWD.
  • Updated references to related specifications.

An HTML formatted version is available at:

Updated JWT Bearer Token Profiles for OAuth 2.0

By

On July 6, 2012

In Claims, JSON, OAuth, Specifications

OAuth logoI’ve updated the OAuth JWT Profile document to track minor changes to some of the underling documents. No normative changes were made.

The updated specification is available at:

Changes made were:

  • Tracked specification name changes: “The OAuth 2.0 Authorization Protocol” to “The OAuth 2.0 Authorization Framework” and “OAuth 2.0 Assertion Profile” to “Assertion Framework for OAuth 2.0”.
  • Merged in changes between draft-ietf-oauth-saml2-bearer-11 and draft-ietf-oauth-saml2-bearer-13. All changes were strictly editorial.

An HTML formatted version is available at:

Updated versions of JOSE and JWT specifications

By

On July 6, 2012

In Claims, Cryptography, JSON, Specifications

IETF logoNew versions of the JSON WEB {Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) specifications have been released. These versions incorporate numerous suggestions from working group members and developers that clarify the intent of the specifications and make them easier to read and implement. In particular, the JWE spec now includes encryption and key derivation examples for a number of algorithms that have been verified in multiple independent implementations.

I’ve worked to close out all the former “TBD” items in the specs, bringing them up to an editorially complete state, in preparation for working group last call. As with previous releases, see the “Open Issues” sections for a small number of discussion points that I believe merit working group attention.

I also applied the changes made to the JOSE specs to the related individual submission JWS JSON Serialization and JWE JSON Serialization specs, which enable multiple recipients.

The working group specifications are available at:

The individual submission specifications are available at:

The document history entries (also in the specifications) are as follows:

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-03

  • Added the cty (content type) header parameter for declaring type information about the secured content, as opposed to the typ (type) header parameter, which declares type information about this object.
  • Added “Collision Resistant Namespace” to the terminology section.
  • Reference ITU.X690.1994 for DER encoding.
  • Added an example JWS using ECDSA P-521 SHA-512. This has particular illustrative value because of the use of the 521 bit integers in the key and signature values. This is also an example in which the payload is not a base64url encoded JSON object.
  • Added an example x5c value.
  • No longer say “the UTF-8 representation of the JWS Secured Input (which is the same as the ASCII representation)”. Just call it “the ASCII representation of the JWS Secured Input”.
  • Added Registration Template sections for defined registries.
  • Added Registry Contents sections to populate registry values.
  • Changed name of the JSON Web Signature and Encryption “typ” Values registry to be the JSON Web Signature and Encryption Type Values registry, since it is used for more than just values of the typ parameter.
  • Moved registries JSON Web Signature and Encryption Header Parameters and JSON Web Signature and Encryption Type Values to the JWS specification.
  • Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-03

  • Added the kdf (key derivation function) header parameter to provide crypto agility for key derivation. The default KDF remains the Concat KDF with the SHA-256 digest function.
  • Reordered encryption steps so that the Encoded JWE Header is always created before it is needed as an input to the AEAD “additional authenticated data” parameter.
  • Added the cty (content type) header parameter for declaring type information about the secured content, as opposed to the typ (type) header parameter, which declares type information about this object.
  • Moved description of how to determine whether a header is for a JWS or a JWE from the JWT spec to the JWE spec.
  • Added complete encryption examples for both AEAD and non-AEAD algorithms.
  • Added complete key derivation examples.
  • Added “Collision Resistant Namespace” to the terminology section.
  • Reference ITU.X690.1994 for DER encoding.
  • Added Registry Contents sections to populate registry values.
  • Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-03

  • Clarified that kid values need not be unique within a JWK Set.
  • Moved JSON Web Key Parameters registry to the JWK specification.
  • Added “Collision Resistant Namespace” to the terminology section.
  • Changed registration requirements from RFC Required to Specification Required with Expert Review.
  • Added Registration Template sections for defined registries.
  • Added Registry Contents sections to populate registry values.
  • Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-03

  • Always use a 128 bit “authentication tag” size for AES GCM, regardless of the key size.
  • Specified that use of a 128 bit IV is REQUIRED with AES CBC. It was previously RECOMMENDED.
  • Removed key size language for ECDSA algorithms, since the key size is implied by the algorithm being used.
  • Stated that the int key size must be the same as the hash output size (and not larger, as was previously allowed) so that its size is defined for key generation purposes.
  • Added the kdf (key derivation function) header parameter to provide crypto agility for key derivation. The default KDF remains the Concat KDF with the SHA-256 digest function.
  • Clarified that the mod and exp values are unsigned.
  • Added Implementation Requirements columns to algorithm tables and Implementation Requirements entries to algorithm registries.
  • Changed AES Key Wrap to RECOMMENDED.
  • Moved registries JSON Web Signature and Encryption Header Parameters and JSON Web Signature and Encryption Type Values to the JWS specification.
  • Moved JSON Web Key Parameters registry to the JWK specification.
  • Changed registration requirements from RFC Required to Specification Required with Expert Review.
  • Added Registration Template sections for defined registries.
  • Added Registry Contents sections to populate registry values.
  • No longer say “the UTF-8 representation of the JWS Secured Input (which is the same as the ASCII representation)”. Just call it “the ASCII representation of the JWS Secured Input”.
  • Added “Collision Resistant Namespace” to the terminology section.
  • Numerous editorial improvements.

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-01

  • Added the cty (content type) header parameter for declaring type information about the secured content, as opposed to the typ (type) header parameter, which declares type information about this object. This significantly simplified nested JWTs.
  • Moved description of how to determine whether a header is for a JWS or a JWE from the JWT spec to the JWE spec.
  • Changed registration requirements from RFC Required to Specification Required with Expert Review.
  • Added Registration Template sections for defined registries.
  • Added Registry Contents sections to populate registry values.
  • Added “Collision Resistant Namespace” to the terminology section.
  • Numerous editorial improvements.

http://tools.ietf.org/html/draft-jones-json-web-signature-json-serialization-02

  • Tracked editorial changes made to the JWS spec.

http://tools.ietf.org/html/draft-jones-json-web-encryption-json-serialization-02

  • Updated examples to track updated algorithm properties in the JWA spec.
  • Tracked editorial changes made to the JWE spec.

HTML formatted versions are available at:

Special thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund Jay for validating the JWE examples!

OAuth Core -28 and Bearer -21 Specifications

By

On June 19, 2012

In OAuth, Specifications

OAuth logoOAuth Core draft -28 has been published. Changes were:

  • Updated the ABNF in the manner discussed by the working group, allowing username and password to be Unicode and restricting client_id and client_secret to ASCII.
  • Specifies the use of the application/x-www-form-urlencoded content-type encoding method to encode the client_id when used as the password for HTTP Basic.

OAuth Bearer draft -21 has also been published. Changes were:

  • Changed “NOT RECOMMENDED” to “not recommended” in caveat about the URI Query Parameter method.
  • Changed “other specifications may extend this specification for use with other transport protocols” to “other specifications may extend this specification for use with other protocols”.
  • Changed Acknowledgements to use only ASCII characters, per the RFC style guide.

The drafts are available at:

HTML-formatted versions are available at:

Thanks to Eran Hammer for approving the Core draft posting.

OAuth Core -27 and Bearer -20 Specifications

By

On June 18, 2012

In OAuth, Specifications

OAuth logoOn June 8, draft 27 of the OAuth 2.0 Authorization Specification and draft 20 of the OAuth 2.0 Bearer Token Specification were published. They addressed DISCUSS issues and COMMENTs raised for these specifications during IESG review.

Changes made to draft-ietf-oauth-v2 were:

  • Added character set restrictions for error, error_description, and error_uri parameters consistent with the OAuth Bearer spec.
  • Added “resource access error response” as an error usage location in the OAuth Extensions Error Registry.
  • Added an ABNF for all message elements.
  • Corrected editorial issues identified during review.

Changes made to draft-ietf-oauth-v2-bearer were:

  • Added caveat about using a reserved query parameter name being counter to URI namespace best practices.
  • Specified use of Cache-Control options when using the URI Query Parameter method.
  • Changed title to “The OAuth 2.0 Authorization Framework: Bearer Token Usage”.
  • Referenced syntax definitions for the scope, error, error_description, and error_uri parameters in the OAuth 2.0 core spec.
  • Registered the invalid_request, invalid_token, and insufficient_scope error values in the OAuth Extensions Error Registry.
  • Acknowledged additional individuals.

The drafts are available at:

HTML-formatted versions are available at:

Initial Standards Track JSON Web Token (JWT) Specifications

By

On May 23, 2012

In Claims, JSON, OAuth, Specifications

IETF logoThe JSON Web Token (JWT) specification and the OAuth 2.0 JWT Bearer Token Profiles specification are now IETF standards track documents in the OAuth working group. These versions are based upon the individual submission versions draft-jones-json-web-token-10 and draft-jones-oauth-jwt-bearer-04 with no normative changes. The JWT specification builds upon the JWS, JWE, JWK, and JWA specifications in the JOSE working group.

These specifications are available at:

HTML formatted versions are available at:

JSON Crypto Specs Draft -02: JWS, JWE, JWK, JWA and JSON Web Token (JWT) Draft -10

By

On May 14, 2012

In Claims, Cryptography, JSON, Specifications

IETF logoJSON Crypto Specs Draft -02: JWS, JWE, JWK, JWA and JSON Web Token (JWT) Draft -10

New -02 versions of the JSON Object Signing and Encryption (JOSE) specifications are now available that incorporate working group decisions made since the previous versions, including decisions made at IETF 83 in Paris and in follow-up discussions on the JOSE working group list. The drafts contain numerous clarifications, refinements, and editorial improvements. They are:

  • JSON Web Signature (JWS) — Digital signature/HMAC specification
  • JSON Web Encryption (JWE) — Encryption specification
  • JSON Web Key (JWK) — Public key specification
  • JSON Web Algorithms (JWA) — Algorithms and identifiers specification

Also, Draft -10 of the JSON Web Token (JWT) specification has been published. It uses the -02 versions of the JOSE specifications and contains parallel editorial changes to those applied to the JOSE specs.

These specifications are available at:

The document history entries (also in the specifications) are as follows:

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-02:

  • Clarified that it is an error when a kid value is included and no matching key is found.
  • Removed assumption that kid (key ID) can only refer to an asymmetric key.
  • Clarified that JWSs with duplicate Header Parameter Names MUST be rejected.
  • Clarified the relationship between typ header parameter values and MIME types.
  • Registered application/jws MIME type and “JWS” typ header parameter value.
  • Simplified JWK terminology to get replace the “JWK Key Object” and “JWK Container Object” terms with simply “JSON Web Key (JWK)” and “JSON Web Key Set (JWK Set)” and to eliminate potential confusion between single keys and sets of keys. As part of this change, the header parameter name for a public key value was changed from jpk (JSON Public Key) to jwk (JSON Web Key).
  • Added suggestion on defining additional header parameters such as x5t#S256 in the future for certificate thumbprints using hash algorithms other than SHA-1.
  • Specify RFC 2818 server identity validation, rather than RFC 6125 (paralleling the same decision in the OAuth specs).
  • Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs) unless in a context specific to HMAC algorithms.
  • Reformatted to give each header parameter its own section heading.

http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-02:

  • When using AEAD algorithms (such as AES GCM), use the “additional authenticated data” parameter to provide integrity for the header, encrypted key, and ciphertext and use the resulting “authentication tag” value as the JWE Integrity Value.
  • Defined KDF output key sizes.
  • Generalized text to allow key agreement to be employed as an alternative to key wrapping or key encryption.
  • Changed compression algorithm from gzip to DEFLATE.
  • Clarified that it is an error when a kid value is included and no matching key is found.
  • Clarified that JWEs with duplicate Header Parameter Names MUST be rejected.
  • Clarified the relationship between typ header parameter values and MIME types.
  • Registered application/jwe MIME type and “JWE” typ header parameter value.
  • Simplified JWK terminology to get replace the “JWK Key Object” and “JWK Container Object” terms with simply “JSON Web Key (JWK)” and “JSON Web Key Set (JWK Set)” and to eliminate potential confusion between single keys and sets of keys. As part of this change, the header parameter name for a public key value was changed from jpk (JSON Public Key) to jwk (JSON Web Key).
  • Added suggestion on defining additional header parameters such as x5t#S256 in the future for certificate thumbprints using hash algorithms other than SHA-1.
  • Specify RFC 2818 server identity validation, rather than RFC 6125 (paralleling the same decision in the OAuth specs).
  • Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs) unless in a context specific to HMAC algorithms.
  • Reformatted to give each header parameter its own section heading.

http://tools.ietf.org/html/draft-ietf-jose-json-web-key-02:

  • Simplified JWK terminology to get replace the “JWK Key Object” and “JWK Container Object” terms with simply “JSON Web Key (JWK)” and “JSON Web Key Set (JWK Set)” and to eliminate potential confusion between single keys and sets of keys. As part of this change, the top-level member name for a set of keys was changed from jwk to keys.
  • Clarified that values with duplicate member names MUST be rejected.
  • Established JSON Web Key Set Parameters registry.
  • Explicitly listed non-goals in the introduction.
  • Moved algorithm-specific definitions from JWK to JWA.
  • Reformatted to give each member definition its own section heading.

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-02:

  • For AES GCM, use the “additional authenticated data” parameter to provide integrity for the header, encrypted key, and ciphertext and use the resulting “authentication tag” value as the JWE Integrity Value.
  • Defined minimum required key sizes for algorithms without specified key sizes.
  • Defined KDF output key sizes.
  • Specified the use of PKCS #5 padding with AES-CBC.
  • Generalized text to allow key agreement to be employed as an alternative to key wrapping or key encryption.
  • Clarified that ECDH-ES is a key agreement algorithm.
  • Required implementation of AES-128-KW and AES-256-KW.
  • Removed the use of A128GCM and A256GCM for key wrapping.
  • Removed A512KW since it turns out that it’s not a standard algorithm.
  • Clarified the relationship between typ header parameter values and MIME types.
  • Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs) unless in a context specific to HMAC algorithms.
  • Established registries: JSON Web Signature and Encryption Header Parameters, JSON Web Signature and Encryption Algorithms, JSON Web Signature and Encryption “typ” Values, JSON Web Key Parameters, and JSON Web Key Algorithm Families.
  • Moved algorithm-specific definitions from JWK to JWA.
  • Reformatted to give each member definition its own section heading.

http://tools.ietf.org/html/draft-jones-json-web-token-10:

  • Clarified the relationship between typ header parameter values, typ claim values, and MIME types.
  • Clarified that JWTs with duplicate Header Parameter Names or Duplicate Claim names MUST be rejected.
  • Required implementation of AES-128-KW and AES-256-KW when the implementation provides encryption capabilities.
  • Registered “JWT” typ header parameter value.
  • Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs) unless in a context specific to HMAC algorithms.
  • Reformatted to give each claim definition and header parameter its own section heading.

HTML formatted versions are available at:

JSON Web Token (JWT) Specification Draft -09

By

On May 8, 2012

In Claims, JSON, Specifications

IETF logoDraft 09 of the JSON Web Token (JWT) specification has been published. It contains this change:

  • Changed “http://openid.net/specs/jwt/1.0” to “urn:ietf:params:oauth:token-type:jwt” in preparation for OAuth WG draft.

This specification is available at:

An HTML formatted version is available at:

OAuth 2.0 JWT Bearer Token Profiles Specification Draft -04

By

On April 26, 2012

In Claims, JSON, OAuth, Specifications

OAuth logoDraft 04 of the OAuth 2.0 JWT Bearer Token Profiles Specification has been published. This version tracks changes in the OAuth 2.0 Assertion Profile and SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 specifications made in response to working group last call comments, as announced by Brian Campbell.

Changes made were:

  • Merged in changes between draft-ietf-oauth-saml2-bearer-09 and draft-ietf-oauth-saml2-bearer-11.
  • Added the optional iat (issued at) claim, which was already present in the JWT spec.

The draft is available at:

An HTML-formatted version is available at:

OAuth 2.0 Bearer Token Specification Draft -19

By

On April 24, 2012

In OAuth, Specifications

OAuth logoDraft 19 of the OAuth 2.0 Bearer Token Specification has been published. It addresses DISCUSS issues and COMMENTs raised for which resolutions have been agreed to. No normative changes were made. Changes made were:

  • Use ABNF from RFC 5234.
  • Added sentence “The Bearer authentication scheme is intended primarily for server authentication using the WWW-Authenticate and Authorization HTTP headers, but does not preclude its use for proxy authentication” to the introduction.
  • In the introduction, state that this document also imposes semantic requirements upon the access token.
  • Reference the scope definition in the OAuth core spec.
  • Added scope examples.
  • Reference RFC 6265 for security considerations about cookies.

The draft is available at:

An HTML-formatted version is available at:

Page 23 of 33

Previous

Next

Powered by WordPress & Theme by Anders Norén