draft-ietf-jose-json-web-key-19.txt   draft-ietf-jose-json-web-key-20.txt 
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track December 29, 2013 Intended status: Standards Track January 20, 2014
Expires: July 2, 2014 Expires: July 24, 2014
JSON Web Key (JWK) JSON Web Key (JWK)
draft-ietf-jose-json-web-key-19 draft-ietf-jose-json-web-key-20
Abstract Abstract
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data
structure that represents a cryptographic key. This specification structure that represents a cryptographic key. This specification
also defines a JSON Web Key Set (JWK Set) JSON data structure for also defines a JSON Web Key Set (JWK Set) JSON data structure for
representing a set of JWKs. Cryptographic algorithms and identifiers representing a set of JWKs. Cryptographic algorithms and identifiers
for use with this specification are described in the separate JSON for use with this specification are described in the separate JSON
Web Algorithms (JWA) specification and IANA registries defined by Web Algorithms (JWA) specification and IANA registries defined by
that specification. that specification.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 2, 2014. This Internet-Draft will expire on July 24, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Web Key (JWK) Format . . . . . . . . . . . . . . . . . . 5 3. JSON Web Key (JWK) Format . . . . . . . . . . . . . . . . . . 5
3.1. "kty" (Key Type) Parameter . . . . . . . . . . . . . . . . 5 3.1. "kty" (Key Type) Parameter . . . . . . . . . . . . . . . . 5
3.2. "use" (Key Use) Parameter . . . . . . . . . . . . . . . . 6 3.2. "use" (Public Key Use) Parameter . . . . . . . . . . . . . 6
3.3. "use_details" (Key Use Details) Parameter . . . . . . . . 6 3.3. "key_ops" (Key Operations) Parameter . . . . . . . . . . . 6
3.4. "alg" (Algorithm) Parameter . . . . . . . . . . . . . . . 7 3.4. "alg" (Algorithm) Parameter . . . . . . . . . . . . . . . 7
3.5. "kid" (Key ID) Parameter . . . . . . . . . . . . . . . . . 7 3.5. "kid" (Key ID) Parameter . . . . . . . . . . . . . . . . . 7
3.6. "x5u" (X.509 URL) Parameter . . . . . . . . . . . . . . . 8 3.6. "x5u" (X.509 URL) Parameter . . . . . . . . . . . . . . . 8
3.7. "x5c" (X.509 Certificate Chain) Parameter . . . . . . . . 8 3.7. "x5c" (X.509 Certificate Chain) Parameter . . . . . . . . 8
3.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter . . . 9 3.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter . . . 9
4. JSON Web Key Set (JWK Set) Format . . . . . . . . . . . . . . 9 4. JSON Web Key Set (JWK Set) Format . . . . . . . . . . . . . . 9
4.1. "keys" Parameter . . . . . . . . . . . . . . . . . . . . . 10 4.1. "keys" Parameter . . . . . . . . . . . . . . . . . . . . . 10
5. String Comparison Rules . . . . . . . . . . . . . . . . . . . 10 5. String Comparison Rules . . . . . . . . . . . . . . . . . . . 10
6. Encrypted JWK and Encrypted JWK Set Formats . . . . . . . . . 10 6. Encrypted JWK and Encrypted JWK Set Formats . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
7.1. JSON Web Key Parameters Registry . . . . . . . . . . . . . 11 7.1. JSON Web Key Parameters Registry . . . . . . . . . . . . . 11
7.1.1. Registration Template . . . . . . . . . . . . . . . . 12 7.1.1. Registration Template . . . . . . . . . . . . . . . . 12
7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 12 7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 13
7.2. JSON Web Key Use Registry . . . . . . . . . . . . . . . . 14 7.2. JSON Web Key Use Registry . . . . . . . . . . . . . . . . 14
7.2.1. Registration Template . . . . . . . . . . . . . . . . 14 7.2.1. Registration Template . . . . . . . . . . . . . . . . 14
7.2.2. Initial Registry Contents . . . . . . . . . . . . . . 14 7.2.2. Initial Registry Contents . . . . . . . . . . . . . . 15
7.3. JSON Web Key Use Details Registry . . . . . . . . . . . . 15 7.3. JSON Web Key Operations Registry . . . . . . . . . . . . . 15
7.3.1. Registration Template . . . . . . . . . . . . . . . . 15 7.3.1. Registration Template . . . . . . . . . . . . . . . . 15
7.3.2. Initial Registry Contents . . . . . . . . . . . . . . 15 7.3.2. Initial Registry Contents . . . . . . . . . . . . . . 16
7.4. JSON Web Key Set Parameters Registry . . . . . . . . . . . 16 7.4. JSON Web Key Set Parameters Registry . . . . . . . . . . . 16
7.4.1. Registration Template . . . . . . . . . . . . . . . . 17 7.4.1. Registration Template . . . . . . . . . . . . . . . . 17
7.4.2. Initial Registry Contents . . . . . . . . . . . . . . 17 7.4.2. Initial Registry Contents . . . . . . . . . . . . . . 17
7.5. Media Type Registration . . . . . . . . . . . . . . . . . 17 7.5. Media Type Registration . . . . . . . . . . . . . . . . . 17
7.5.1. Registry Contents . . . . . . . . . . . . . . . . . . 17 7.5.1. Registry Contents . . . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . . 19 9.1. Normative References . . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . . 21 9.2. Informative References . . . . . . . . . . . . . . . . . . 21
Appendix A. Example JSON Web Key Sets . . . . . . . . . . . . . . 21 Appendix A. Example JSON Web Key Sets . . . . . . . . . . . . . . 21
skipping to change at page 4, line 7 skipping to change at page 4, line 7
C.5. Initialization Vector . . . . . . . . . . . . . . . . . . 30 C.5. Initialization Vector . . . . . . . . . . . . . . . . . . 30
C.6. Additional Authenticated Data . . . . . . . . . . . . . . 30 C.6. Additional Authenticated Data . . . . . . . . . . . . . . 30
C.7. Content Encryption . . . . . . . . . . . . . . . . . . . . 31 C.7. Content Encryption . . . . . . . . . . . . . . . . . . . . 31
C.8. Complete Representation . . . . . . . . . . . . . . . . . 34 C.8. Complete Representation . . . . . . . . . . . . . . . . . 34
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 35 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 35
Appendix E. Document History . . . . . . . . . . . . . . . . . . 36 Appendix E. Document History . . . . . . . . . . . . . . . . . . 36
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 40 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction 1. Introduction
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC4627] A JSON Web Key (JWK) is a JavaScript Object Notation (JSON)
data structure that represents a cryptographic key. This [I-D.ietf-json-rfc4627bis] data structure that represents a
specification also defines a JSON Web Key Set (JWK Set) JSON data cryptographic key. This specification also defines a JSON Web Key
structure for representing a set of JWKs. Cryptographic algorithms Set (JWK Set) JSON data structure for representing a set of JWKs.
and identifiers for use with this specification are described in the Cryptographic algorithms and identifiers for use with this
separate JSON Web Algorithms (JWA) [JWA] specification and IANA specification are described in the separate JSON Web Algorithms (JWA)
registries defined by that specification. [JWA] specification and IANA registries defined by that
specification.
Goals for this specification do not include representing certificate Goals for this specification do not include representing certificate
chains, representing certified keys, and replacing X.509 chains, representing certified keys, and replacing X.509
certificates. certificates.
JWKs and JWK Sets are used in the JSON Web Signature (JWS) [JWS] and JWKs and JWK Sets are used in the JSON Web Signature (JWS) [JWS] and
JSON Web Encryption (JWE) [JWE] specifications. JSON Web Encryption (JWE) [JWE] specifications.
Names defined by this specification are short because a core goal is Names defined by this specification are short because a core goal is
for the resulting representations to be compact. for the resulting representations to be compact.
skipping to change at page 5, line 29 skipping to change at page 5, line 31
are specific to the kind of key being represented. These members are specific to the kind of key being represented. These members
represent the parameters of the key. Section 6 of the JSON Web represent the parameters of the key. Section 6 of the JSON Web
Algorithms (JWA) [JWA] specification defines multiple kinds of Algorithms (JWA) [JWA] specification defines multiple kinds of
cryptographic keys and their associated members. cryptographic keys and their associated members.
The member names within a JWK MUST be unique; recipients MUST either The member names within a JWK MUST be unique; recipients MUST either
reject JWKs with duplicate member names or use a JSON parser that reject JWKs with duplicate member names or use a JSON parser that
returns only the lexically last duplicate member name, as specified returns only the lexically last duplicate member name, as specified
in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript]. in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript].
Additional members can be present in the JWK. If not understood by Additional members can be present in the JWK; if not understood by
implementations encountering them, they MUST be ignored. Member implementations encountering them, they MUST be ignored. Member
names used for representing key parameters for different keys types names used for representing key parameters for different keys types
need not be distinct. Any new member name should either be need not be distinct. Any new member name should either be
registered in the IANA JSON Web Key Parameters registry defined in registered in the IANA JSON Web Key Parameters registry defined in
Section 7.1 or be a value that contains a Collision-Resistant Name. Section 7.1 or be a value that contains a Collision-Resistant Name.
3.1. "kty" (Key Type) Parameter 3.1. "kty" (Key Type) Parameter
The "kty" (key type) member identifies the cryptographic algorithm The "kty" (key type) member identifies the cryptographic algorithm
family used with the key. "kty" values should either be registered in family used with the key. "kty" values should either be registered in
skipping to change at page 6, line 6 skipping to change at page 6, line 8
A list of defined "kty" values can be found in the IANA JSON Web Key A list of defined "kty" values can be found in the IANA JSON Web Key
Types registry defined in [JWA]; the initial contents of this Types registry defined in [JWA]; the initial contents of this
registry are the values defined in Section 6.1 of the JSON Web registry are the values defined in Section 6.1 of the JSON Web
Algorithms (JWA) [JWA] specification. Algorithms (JWA) [JWA] specification.
The key type definitions include specification of the members to be The key type definitions include specification of the members to be
used for those key types. Additional members used with "kty" values used for those key types. Additional members used with "kty" values
can also be found in the IANA JSON Web Key Parameters registry can also be found in the IANA JSON Web Key Parameters registry
defined in Section 7.1. defined in Section 7.1.
3.2. "use" (Key Use) Parameter 3.2. "use" (Public Key Use) Parameter
The "use" (public key use) member identifies the intended use of the
public key. The "use" parameter is intended for use cases in which
it is useful to distinguish between public signing keys and public
encryption keys. It is not intended for use cases in which private
or symmetric keys may also be present.
The "use" (key use) member identifies the intended use of the key.
Values defined by this specification are: Values defined by this specification are:
o "sig" (signature or MAC) o "sig" (signature)
o "enc" (encryption) o "enc" (encryption)
Other values MAY be used. Key Use values can be registered in the Other values MAY be used. Public Key Use values can be registered in
IANA JSON Web Key Use registry defined in Section 7.2. The "use" the IANA JSON Web Key Use registry defined in Section 7.2. The "use"
value is a case-sensitive string. A "use" member SHOULD be present, value is a case-sensitive string. Use of the "use" member is
unless the application uses another means or convention to determine OPTIONAL, unless the application requires its presence.
the intended key usage.
When a key is used to wrap another key and a key use designation for When a key is used to wrap another key and a key use designation for
the first key is desired, the "enc" (encryption) key use value SHOULD the first key is desired, the "enc" (encryption) key use value SHOULD
be used, since key wrapping is a kind of encryption. (The "alg" be used, since key wrapping is a kind of encryption. The "enc" value
member can be used to specify the particular kind of encryption to be SHOULD also be used for public keys used for key agreement
performed, when desired.) operations. (The "alg" member can be used to specify the particular
cryptographic operation to be performed, when desired.)
3.3. "use_details" (Key Use Details) Parameter 3.3. "key_ops" (Key Operations) Parameter
The "use_details" (key use details) member identifies the fine- The "key_ops" (key operations) member identifies the operations(s)
grained details of the intended use of the key. Its value is an that the key is intended to be used for. The "key_ops" parameter is
array of key use detail values. Values defined by this specification intended for use cases in which public, private, or symmetric keys
are: may be present.
Its value is an array of key operation values. Values defined by
this specification are:
o "sign" (compute signature or MAC) o "sign" (compute signature or MAC)
o "verify" (verify signature or MAC) o "verify" (verify signature or MAC)
o "encrypt" (encrypt content) o "encrypt" (encrypt content)
o "decrypt" (decrypt content and validate decryption, if applicable) o "decrypt" (decrypt content and validate decryption, if applicable)
o "wrap" (encrypt key) o "wrap" (encrypt key)
o "unwrap" (decrypt key and validate decryption, if applicable) o "unwrap" (decrypt key and validate decryption, if applicable)
o "deriveKey" (derive key) o "deriveKey" (derive key)
o "deriveBits" (derive bits not to be used as a key) o "deriveBits" (derive bits not to be used as a key)
Other values MAY be used. Key Use Detail values can be registered in (Note that the "key_ops" values intentionally match the "KeyUsage"
the IANA JSON Web Key Use Details registry defined in Section 7.3. values defined in the Web Cryptography API [WebCrypto]
specification.)
The use detail values are case-sensitive strings. Duplicate use Other values MAY be used. Key operation values can be registered in
detail values MUST NOT be present in the array. the IANA JSON Web Key Operations registry defined in Section 7.3.
The key operation values are case-sensitive strings. Duplicate key
operation values MUST NOT be present in the array.
Use of the "use_details" member is OPTIONAL, unless the application Use of the "key_ops" member is OPTIONAL, unless the application
requires use this member to record fine-grained key usage details. requires its presence.
(Note that the "use_details" values intentionally match the
"KeyUsage" values defined in the Web Cryptography API [WebCrypto]
specification.)
Multiple unrelated uses SHOULD NOT be specified for a key because of Multiple unrelated key operations SHOULD NOT be specified for a key
the potential vulnerabilities associated with using the same key with because of the potential vulnerabilities associated with using the
multiple algorithms. Thus, the combinations "sign" with "verify", same key with multiple algorithms. Thus, the combinations "sign"
"encrypt" with "decrypt", and "wrap" with "unwrap" are permitted, but with "verify", "encrypt" with "decrypt", and "wrap" with "unwrap" are
other combinations SHOULD NOT be used. permitted, but other combinations SHOULD NOT be used.
If both "use" and "use_details" JWK members are present, the usages The "use" and "key_ops" JWK members SHOULD NOT be used together.
specified by them MUST be consistent. In particular, the "use" value Applications should specify which of these members they use, if
"sig" corresponds to "sign" and/or "verify". The "use" value "enc" either are to be used by the application.
corresponds to all other values defined above. If "use_details"
values corresponding to both "sig" and "enc" "use" values are
present, the "use" member SHOULD NOT be present, and if present, its
value MUST NOT be either "sig" or "enc".
3.4. "alg" (Algorithm) Parameter 3.4. "alg" (Algorithm) Parameter
The "alg" (algorithm) member identifies the algorithm intended for The "alg" (algorithm) member identifies the algorithm intended for
use with the key. The values used should either be registered in the use with the key. The values used should either be registered in the
IANA JSON Web Signature and Encryption Algorithms registry defined in IANA JSON Web Signature and Encryption Algorithms registry defined in
[JWA] or be a value that contains a Collision-Resistant Name. Use of [JWA] or be a value that contains a Collision-Resistant Name. Use of
this member is OPTIONAL. this member is OPTIONAL.
3.5. "kid" (Key ID) Parameter 3.5. "kid" (Key ID) Parameter
skipping to change at page 9, line 39 skipping to change at page 9, line 41
A JSON Web Key Set (JWK Set) is a JSON object representing a set of A JSON Web Key Set (JWK Set) is a JSON object representing a set of
JWKs. The JSON object MUST have a "keys" member, which is an array JWKs. The JSON object MUST have a "keys" member, which is an array
of JWK objects. of JWK objects.
The member names within a JWK Set MUST be unique; recipients MUST The member names within a JWK Set MUST be unique; recipients MUST
either reject JWK Sets with duplicate member names or use a JSON either reject JWK Sets with duplicate member names or use a JSON
parser that returns only the lexically last duplicate member name, as parser that returns only the lexically last duplicate member name, as
specified in Section 15.12 (The JSON Object) of ECMAScript 5.1 specified in Section 15.12 (The JSON Object) of ECMAScript 5.1
[ECMAScript]. [ECMAScript].
Additional members can be present in the JWK Set. If not understood Additional members can be present in the JWK Set; if not understood
by implementations encountering them, they MUST be ignored. by implementations encountering them, they MUST be ignored.
Parameters for representing additional properties of JWK Sets should Parameters for representing additional properties of JWK Sets should
either be registered in the IANA JSON Web Key Set Parameters registry either be registered in the IANA JSON Web Key Set Parameters registry
defined in Section 7.4 or be a value that contains a Collision- defined in Section 7.4 or be a value that contains a Collision-
Resistant Name. Resistant Name.
Implementations SHOULD ignore JWKs within a JWK Set that use "kty" Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
(key type) values that are not understood by them, are missing (key type) values that are not understood by them, are missing
required members, or for which values are out of the supported required members, or for which values are out of the supported
ranges. ranges.
skipping to change at page 13, line 11 skipping to change at page 13, line 15
7.1.2. Initial Registry Contents 7.1.2. Initial Registry Contents
o Parameter Name: "kty" o Parameter Name: "kty"
o Parameter Description: Key Type o Parameter Description: Key Type
o Used with "kty" Value(s): * o Used with "kty" Value(s): *
o Parameter Information Class: Public o Parameter Information Class: Public
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Parameter Name: "use" o Parameter Name: "use"
o Parameter Description: Key Use o Parameter Description: Public Key Use
o Used with "kty" Value(s): * o Used with "kty" Value(s): *
o Parameter Information Class: Public o Parameter Information Class: Public
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.2 of [[ this document ]] o Specification Document(s): Section 3.2 of [[ this document ]]
o Parameter Name: "use_details" o Parameter Name: "key_ops"
o Parameter Description: Key Use o Parameter Description: Key Operations
o Used with "kty" Value(s): * o Used with "kty" Value(s): *
o Parameter Information Class: Public o Parameter Information Class: Public
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Parameter Name: "alg" o Parameter Name: "alg"
o Parameter Description: Algorithm o Parameter Description: Algorithm
o Used with "kty" Value(s): * o Used with "kty" Value(s): *
o Parameter Information Class: Public o Parameter Information Class: Public
o Change Controller: IESG o Change Controller: IESG
skipping to change at page 14, line 16 skipping to change at page 14, line 19
o Parameter Name: "x5t" o Parameter Name: "x5t"
o Parameter Description: X.509 Certificate SHA-1 Thumbprint o Parameter Description: X.509 Certificate SHA-1 Thumbprint
o Used with "kty" Value(s): * o Used with "kty" Value(s): *
o Parameter Information Class: Public o Parameter Information Class: Public
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.8 of [[ this document ]] o Specification Document(s): Section 3.8 of [[ this document ]]
7.2. JSON Web Key Use Registry 7.2. JSON Web Key Use Registry
This specification establishes the IANA JSON Web Key Use registry for This specification establishes the IANA JSON Web Key Use registry for
JWK "use" member values. The registry records the key use value and JWK "use" (public key use) member values. The registry records the
a reference to the specification that defines it. This specification public key use value and a reference to the specification that
registers the parameter names defined in Section 3.2. defines it. This specification registers the parameter names defined
in Section 3.2.
7.2.1. Registration Template 7.2.1. Registration Template
Use Member Value: Use Member Value:
The name requested (e.g., "example"). Because a core goal of this The name requested (e.g., "example"). Because a core goal of this
specification is for the resulting representations to be compact, specification is for the resulting representations to be compact,
it is RECOMMENDED that the name be short -- not to exceed 8 it is RECOMMENDED that the name be short -- not to exceed 8
characters without a compelling reason to do so. This name is characters without a compelling reason to do so. This name is
case-sensitive. Names may not match other registered names in a case-sensitive. Names may not match other registered names in a
case-insensitive manner unless the Designated Expert(s) state that case-insensitive manner unless the Designated Expert(s) state that
skipping to change at page 15, line 12 skipping to change at page 15, line 17
o Use Member Value: "sig" o Use Member Value: "sig"
o Use Description: Signature or MAC o Use Description: Signature or MAC
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.2 of [[ this document ]] o Specification Document(s): Section 3.2 of [[ this document ]]
o Use Member Value: "enc" o Use Member Value: "enc"
o Use Description: Encryption o Use Description: Encryption
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.2 of [[ this document ]] o Specification Document(s): Section 3.2 of [[ this document ]]
7.3. JSON Web Key Use Details Registry 7.3. JSON Web Key Operations Registry
This specification establishes the IANA JSON Web Key Use Details This specification establishes the IANA JSON Web Key Operations
registry for values of JWK "use_details" array elements. The registry for values of JWK "key_ops" array elements. The registry
registry records the key use detail value and a reference to the records the key operation value and a reference to the specification
specification that defines it. This specification registers the that defines it. This specification registers the parameter names
parameter names defined in Section 3.3. defined in Section 3.3.
7.3.1. Registration Template 7.3.1. Registration Template
Use Detail Value: Key Operation Value:
The name requested (e.g., "example"). Because a core goal of this The name requested (e.g., "example"). Because a core goal of this
specification is for the resulting representations to be compact, specification is for the resulting representations to be compact,
it is RECOMMENDED that the name be short -- not to exceed 8 it is RECOMMENDED that the name be short -- not to exceed 8
characters without a compelling reason to do so. This name is characters without a compelling reason to do so. This name is
case-sensitive. Names may not match other registered names in a case-sensitive. Names may not match other registered names in a
case-insensitive manner unless the Designated Expert(s) state that case-insensitive manner unless the Designated Expert(s) state that
there is a compelling reason to allow an exception in this there is a compelling reason to allow an exception in this
particular case. particular case.
Use Detail Description: Key Operation Description:
Brief description of the use detail (e.g., "Example description"). Brief description of the key operation (e.g., "Example
description").
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document(s) that specify the parameter, Reference to the document(s) that specify the parameter,
preferably including URI(s) that can be used to retrieve copies of preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also the document(s). An indication of the relevant sections may also
be included but is not required. be included but is not required.
7.3.2. Initial Registry Contents 7.3.2. Initial Registry Contents
o Use Detail Value: "sign" o Key Operation Value: "sign"
o Use Detail Description: Compute signature or MAC o Key Operation Description: Compute signature or MAC
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "verify" o Key Operation Value: "verify"
o Use Detail Description: Verify signature or MAC o Key Operation Description: Verify signature or MAC
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "encrypt" o Key Operation Value: "encrypt"
o Use Detail Description: Encrypt content o Key Operation Description: Encrypt content
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "decrypt" o Key Operation Value: "decrypt"
o Use Detail Description: Decrypt content and validate decryption, o Key Operation Description: Decrypt content and validate
if applicable decryption, if applicable
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "wrap" o Key Operation Value: "wrap"
o Use Detail Description: Encrypt key o Key Operation Description: Encrypt key
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "unwrap" o Key Operation Value: "unwrap"
o Use Detail Description: Decrypt key and validate decryption, if o Key Operation Description: Decrypt key and validate decryption, if
applicable applicable
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "deriveKey" o Key Operation Value: "deriveKey"
o Use Detail Description: Derive key o Key Operation Description: Derive key
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
o Use Detail Value: "deriveBits" o Key Operation Value: "deriveBits"
o Use Detail Description: Derive bits not to be used as a key o Key Operation Description: Derive bits not to be used as a key
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 3.3 of [[ this document ]] o Specification Document(s): Section 3.3 of [[ this document ]]
7.4. JSON Web Key Set Parameters Registry 7.4. JSON Web Key Set Parameters Registry
This specification establishes the IANA JSON Web Key Set Parameters This specification establishes the IANA JSON Web Key Set Parameters
registry for JWK Set parameter names. The registry records the registry for JWK Set parameter names. The registry records the
parameter name and a reference to the specification that defines it. parameter name and a reference to the specification that defines it.
This specification registers the parameter names defined in This specification registers the parameter names defined in
Section 4. Section 4.
skipping to change at page 19, line 34 skipping to change at page 19, line 38
The TLS Requirements in [JWS] also apply to this specification. The TLS Requirements in [JWS] also apply to this specification.
9. References 9. References
9.1. Normative References 9.1. Normative References
[ECMAScript] [ECMAScript]
Ecma International, "ECMAScript Language Specification, Ecma International, "ECMAScript Language Specification,
5.1 Edition", ECMA 262, June 2011. 5.1 Edition", ECMA 262, June 2011.
[I-D.ietf-json-rfc4627bis]
Bray, T., "The JSON Data Interchange Format",
draft-ietf-json-rfc4627bis-10 (work in progress),
December 2013.
[IANA.MediaTypes] [IANA.MediaTypes]
Internet Assigned Numbers Authority (IANA), "MIME Media Internet Assigned Numbers Authority (IANA), "MIME Media
Types", 2005. Types", 2005.
[ITU.X690.1994] [ITU.X690.1994]
International Telecommunications Union, "Information International Telecommunications Union, "Information
Technology - ASN.1 encoding rules: Specification of Basic Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T Recommendation Distinguished Encoding Rules (DER)", ITU-T Recommendation
X.690, 1994. X.690, 1994.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", [JWA] Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms (work in progress), draft-ietf-jose-json-web-algorithms (work in progress),
December 2013. January 2014.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", draft-ietf-jose-json-web-encryption Encryption (JWE)", draft-ietf-jose-json-web-encryption
(work in progress), December 2013. (work in progress), January 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), December 2013. in progress), January 2014.
[RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic
Mail: Part I: Message Encryption and Authentication Mail: Part I: Message Encryption and Authentication
Procedures", RFC 1421, February 1993. Procedures", RFC 1421, February 1993.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996. November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
skipping to change at page 20, line 29 skipping to change at page 20, line 39
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
skipping to change at page 36, line 26 skipping to change at page 36, line 26
Turner. Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner and Stephen Farrell served as Security area directors Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification. during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-20
o Renamed "use_details" to "key_ops" (key operations).
o Clarified that "use" is meant for public key use cases, "key_ops"
is meant for use cases in which public, private, or symmetric keys
may be present, and that "use" and "key_ops" should not be used
together.
o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis,
addressing issue #90.
-19 -19
o Added optional "use_details" (key use details) JWK member. o Added optional "use_details" (key use details) JWK member.
o Reordered the key selection parameters. o Reordered the key selection parameters.
-18 -18
o Changes to address editorial and minor issues #68, #69, #73, #74, o Changes to address editorial and minor issues #68, #69, #73, #74,
#76, #77, #78, #79, #82, #85, #89, and #135. #76, #77, #78, #79, #82, #85, #89, and #135.
 End of changes. 45 change blocks. 
96 lines changed or deleted 116 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/