I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn’t do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future — possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or https://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.
This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new “mac
” Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the “alg
” Header Parameter value.)
I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.
Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great.
Feedback welcomed.