draft-ietf-jose-json-web-signature-18.txt   draft-ietf-jose-json-web-signature-19.txt 
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: May 16, 2014 Ping Identity Expires: July 2, 2014 Ping Identity
N. Sakimura N. Sakimura
NRI NRI
November 12, 2013 December 29, 2013
JSON Web Signature (JWS) JSON Web Signature (JWS)
draft-ietf-jose-json-web-signature-18 draft-ietf-jose-json-web-signature-19
Abstract Abstract
JSON Web Signature (JWS) represents content secured with digital JSON Web Signature (JWS) represents content secured with digital
signatures or Message Authentication Codes (MACs) using JavaScript signatures or Message Authentication Codes (MACs) using JavaScript
Object Notation (JSON) based data structures. Cryptographic Object Notation (JSON) based data structures. Cryptographic
algorithms and identifiers for use with this specification are algorithms and identifiers for use with this specification are
described in the separate JSON Web Algorithms (JWA) specification and described in the separate JSON Web Algorithms (JWA) specification and
an IANA registry defined by that specification. Related encryption an IANA registry defined by that specification. Related encryption
capabilities are described in the separate JSON Web Encryption (JWE) capabilities are described in the separate JSON Web Encryption (JWE)
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 16, 2014. This Internet-Draft will expire on July 2, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. JSON Web Signature (JWS) Overview . . . . . . . . . . . . . . 6 3. JSON Web Signature (JWS) Overview . . . . . . . . . . . . . . 6
3.1. Example JWS . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Example JWS . . . . . . . . . . . . . . . . . . . . . . . 7
4. JWS Header . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. JWS Header . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. Registered Header Parameter Names . . . . . . . . . . . . 9 4.1. Registered Header Parameter Names . . . . . . . . . . . . 9
4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 9 4.1.1. "alg" (Algorithm) Header Parameter . . . . . . . . . . 9
4.1.2. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 10 4.1.2. "jku" (JWK Set URL) Header Parameter . . . . . . . . . 10
4.1.3. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 10 4.1.3. "jwk" (JSON Web Key) Header Parameter . . . . . . . . 10
4.1.4. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 10 4.1.4. "kid" (Key ID) Header Parameter . . . . . . . . . . . 10
4.1.5. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header 4.1.5. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 10
Parameter . . . . . . . . . . . . . . . . . . . . . . 10
4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter . . . 11 4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter . . . 11
4.1.7. "kid" (Key ID) Header Parameter . . . . . . . . . . . 11 4.1.7. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header
Parameter . . . . . . . . . . . . . . . . . . . . . . 11
4.1.8. "typ" (Type) Header Parameter . . . . . . . . . . . . 11 4.1.8. "typ" (Type) Header Parameter . . . . . . . . . . . . 11
4.1.9. "cty" (Content Type) Header Parameter . . . . . . . . 12 4.1.9. "cty" (Content Type) Header Parameter . . . . . . . . 12
4.1.10. "crit" (Critical) Header Parameter . . . . . . . . . . 12 4.1.10. "crit" (Critical) Header Parameter . . . . . . . . . . 12
4.2. Public Header Parameter Names . . . . . . . . . . . . . . 13 4.2. Public Header Parameter Names . . . . . . . . . . . . . . 13
4.3. Private Header Parameter Names . . . . . . . . . . . . . . 13 4.3. Private Header Parameter Names . . . . . . . . . . . . . . 13
5. Producing and Consuming JWSs . . . . . . . . . . . . . . . . . 13 5. Producing and Consuming JWSs . . . . . . . . . . . . . . . . . 13
5.1. Message Signature or MAC Computation . . . . . . . . . . . 13 5.1. Message Signature or MAC Computation . . . . . . . . . . . 13
5.2. Message Signature or MAC Validation . . . . . . . . . . . 14 5.2. Message Signature or MAC Validation . . . . . . . . . . . 14
5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 16 5.3. String Comparison Rules . . . . . . . . . . . . . . . . . 16
6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 16 6. Key Identification . . . . . . . . . . . . . . . . . . . . . . 16
skipping to change at page 3, line 31 skipping to change at page 3, line 31
A.4.2. Validating . . . . . . . . . . . . . . . . . . . . . . 38 A.4.2. Validating . . . . . . . . . . . . . . . . . . . . . . 38
A.5. Example Plaintext JWS . . . . . . . . . . . . . . . . . . 38 A.5. Example Plaintext JWS . . . . . . . . . . . . . . . . . . 38
A.6. Example JWS Using JWS JSON Serialization . . . . . . . . . 39 A.6. Example JWS Using JWS JSON Serialization . . . . . . . . . 39
A.6.1. JWS Per-Signature Protected Headers . . . . . . . . . 39 A.6.1. JWS Per-Signature Protected Headers . . . . . . . . . 39
A.6.2. JWS Per-Signature Unprotected Headers . . . . . . . . 40 A.6.2. JWS Per-Signature Unprotected Headers . . . . . . . . 40
A.6.3. Complete JWS Header Values . . . . . . . . . . . . . . 40 A.6.3. Complete JWS Header Values . . . . . . . . . . . . . . 40
A.6.4. Complete JWS JSON Serialization Representation . . . . 40 A.6.4. Complete JWS JSON Serialization Representation . . . . 40
Appendix B. "x5c" (X.509 Certificate Chain) Example . . . . . . . 41 Appendix B. "x5c" (X.509 Certificate Chain) Example . . . . . . . 41
Appendix C. Notes on implementing base64url encoding without Appendix C. Notes on implementing base64url encoding without
padding . . . . . . . . . . . . . . . . . . . . . . . 43 padding . . . . . . . . . . . . . . . . . . . . . . . 43
Appendix D. Negative Test Case for "crit" Header Parameter . . . 44 Appendix D. Notes on Validation Key Selection . . . . . . . . . . 44
Appendix E. Detached Content . . . . . . . . . . . . . . . . . . 44 Appendix E. Negative Test Case for "crit" Header Parameter . . . 45
Appendix F. Acknowledgements . . . . . . . . . . . . . . . . . . 45 Appendix F. Detached Content . . . . . . . . . . . . . . . . . . 45
Appendix G. Document History . . . . . . . . . . . . . . . . . . 45 Appendix G. Acknowledgements . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 52 Appendix H. Document History . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 53
1. Introduction 1. Introduction
JSON Web Signature (JWS) represents content secured with digital JSON Web Signature (JWS) represents content secured with digital
signatures or Message Authentication Codes (MACs) using JavaScript signatures or Message Authentication Codes (MACs) using JavaScript
Object Notation (JSON) [RFC4627] based data structures. The JWS Object Notation (JSON) [RFC4627] based data structures. The JWS
cryptographic mechanisms provide integrity protection for an cryptographic mechanisms provide integrity protection for an
arbitrary sequence of octets. arbitrary sequence of octets.
Two closely related serializations for JWS objects are defined. The Two closely related serializations for JWS objects are defined. The
skipping to change at page 10, line 24 skipping to change at page 10, line 24
per Section 3.1 of HTTP Over TLS [RFC2818]. Use of this Header per Section 3.1 of HTTP Over TLS [RFC2818]. Use of this Header
Parameter is OPTIONAL. Parameter is OPTIONAL.
4.1.3. "jwk" (JSON Web Key) Header Parameter 4.1.3. "jwk" (JSON Web Key) Header Parameter
The "jwk" (JSON Web Key) Header Parameter is the public key that The "jwk" (JSON Web Key) Header Parameter is the public key that
corresponds to the key used to digitally sign the JWS. This key is corresponds to the key used to digitally sign the JWS. This key is
represented as a JSON Web Key [JWK]. Use of this Header Parameter is represented as a JSON Web Key [JWK]. Use of this Header Parameter is
OPTIONAL. OPTIONAL.
4.1.4. "x5u" (X.509 URL) Header Parameter 4.1.4. "kid" (Key ID) Header Parameter
The "kid" (key ID) Header Parameter is a hint indicating which key
was used to secure the JWS. This parameter allows originators to
explicitly signal a change of key to recipients. The structure of
the "kid" value is unspecified. Its value MUST be a string. Use of
this Header Parameter is OPTIONAL.
When used with a JWK, the "kid" value is used to match a JWK "kid"
parameter value.
4.1.5. "x5u" (X.509 URL) Header Parameter
The "x5u" (X.509 URL) Header Parameter is a URI [RFC3986] that refers The "x5u" (X.509 URL) Header Parameter is a URI [RFC3986] that refers
to a resource for the X.509 public key certificate or certificate to a resource for the X.509 public key certificate or certificate
chain [RFC5280] corresponding to the key used to digitally sign the chain [RFC5280] corresponding to the key used to digitally sign the
JWS. The identified resource MUST provide a representation of the JWS. The identified resource MUST provide a representation of the
certificate or certificate chain that conforms to RFC 5280 [RFC5280] certificate or certificate chain that conforms to RFC 5280 [RFC5280]
in PEM encoded form [RFC1421]. The certificate containing the public in PEM encoded form [RFC1421]. The certificate containing the public
key corresponding to the key used to digitally sign the JWS MUST be key corresponding to the key used to digitally sign the JWS MUST be
the first certificate. This MAY be followed by additional the first certificate. This MAY be followed by additional
certificates, with each subsequent certificate being the one used to certificates, with each subsequent certificate being the one used to
certify the previous one. The protocol used to acquire the resource certify the previous one. The protocol used to acquire the resource
MUST provide integrity protection; an HTTP GET request to retrieve MUST provide integrity protection; an HTTP GET request to retrieve
the certificate MUST use TLS [RFC2818] [RFC5246]; the identity of the the certificate MUST use TLS [RFC2818] [RFC5246]; the identity of the
server MUST be validated, as per Section 3.1 of HTTP Over TLS server MUST be validated, as per Section 3.1 of HTTP Over TLS
[RFC2818]. Use of this Header Parameter is OPTIONAL. [RFC2818]. Use of this Header Parameter is OPTIONAL.
4.1.5. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter
The "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter is a
base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER
encoding of the X.509 certificate [RFC5280] corresponding to the key
used to digitally sign the JWS. Use of this Header Parameter is
OPTIONAL.
If, in the future, certificate thumbprints need to be computed using
hash functions other than SHA-1, it is suggested that additional
related Header Parameters be defined for that purpose. For example,
it is suggested that a new "x5t#S256" (X.509 Certificate Thumbprint
using SHA-256) Header Parameter could be defined by registering it in
the IANA JSON Web Signature and Encryption Header Parameters registry
defined in Section 9.1.
4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter 4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter
The "x5c" (X.509 Certificate Chain) Header Parameter contains the The "x5c" (X.509 Certificate Chain) Header Parameter contains the
X.509 public key certificate or certificate chain [RFC5280] X.509 public key certificate or certificate chain [RFC5280]
corresponding to the key used to digitally sign the JWS. The corresponding to the key used to digitally sign the JWS. The
certificate or certificate chain is represented as a JSON array of certificate or certificate chain is represented as a JSON array of
certificate value strings. Each string in the array is a base64 certificate value strings. Each string in the array is a base64
encoded ([RFC4648] Section 4 -- not base64url encoded) DER encoded ([RFC4648] Section 4 -- not base64url encoded) DER
[ITU.X690.1994] PKIX certificate value. The certificate containing [ITU.X690.1994] PKIX certificate value. The certificate containing
the public key corresponding to the key used to digitally sign the the public key corresponding to the key used to digitally sign the
JWS MUST be the first certificate. This MAY be followed by JWS MUST be the first certificate. This MAY be followed by
additional certificates, with each subsequent certificate being the additional certificates, with each subsequent certificate being the
one used to certify the previous one. The recipient MUST verify the one used to certify the previous one. The recipient MUST validate
certificate chain according to [RFC5280] and reject the signature if the certificate chain according to [RFC5280] and reject the signature
any validation failure occurs. Use of this Header Parameter is if any validation failure occurs. Use of this Header Parameter is
OPTIONAL. OPTIONAL.
See Appendix B for an example "x5c" value. See Appendix B for an example "x5c" value.
4.1.7. "kid" (Key ID) Header Parameter 4.1.7. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter
The "kid" (key ID) Header Parameter is a hint indicating which key The "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter is a
was used to secure the JWS. This parameter allows originators to base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER
explicitly signal a change of key to recipients. The structure of encoding of the X.509 certificate [RFC5280] corresponding to the key
the "kid" value is unspecified. Its value MUST be a string. Use of used to digitally sign the JWS. Use of this Header Parameter is
this Header Parameter is OPTIONAL. OPTIONAL.
When used with a JWK, the "kid" value is used to match a JWK "kid" If, in the future, certificate thumbprints need to be computed using
parameter value. hash functions other than SHA-1, it is suggested that additional
related Header Parameters be defined for that purpose. For example,
it is suggested that a new "x5t#S256" (X.509 Certificate Thumbprint
using SHA-256) Header Parameter could be defined by registering it in
the IANA JSON Web Signature and Encryption Header Parameters registry
defined in Section 9.1.
4.1.8. "typ" (Type) Header Parameter 4.1.8. "typ" (Type) Header Parameter
The "typ" (type) Header Parameter is used to declare the MIME Media The "typ" (type) Header Parameter is used to declare the MIME Media
Type [IANA.MediaTypes] of this complete JWS object in contexts where Type [IANA.MediaTypes] of this complete JWS object in contexts where
this is useful to the application. This parameter has no effect upon this is useful to the application. This parameter has no effect upon
the JWS processing. Use of this Header Parameter is OPTIONAL. the JWS processing. Use of this Header Parameter is OPTIONAL.
Per [RFC2045], all media type values, subtype values, and parameter Per [RFC2045], all media type values, subtype values, and parameter
names are case-insensitive. However, parameter values are case- names are case-insensitive. However, parameter values are case-
skipping to change at page 14, line 27 skipping to change at page 14, line 27
particular algorithm being used over the JWS Signing Input particular algorithm being used over the JWS Signing Input
ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload)). The "alg" (algorithm) Header Parameter BASE64URL(JWS Payload)). The "alg" (algorithm) Header Parameter
MUST be present in the JWS Header, with the algorithm value MUST be present in the JWS Header, with the algorithm value
accurately representing the algorithm used to construct the JWS accurately representing the algorithm used to construct the JWS
Signature. Signature.
6. Compute the encoded signature value BASE64URL(JWS Signature). 6. Compute the encoded signature value BASE64URL(JWS Signature).
7. These three encoded values are used in both the JWS Compact 7. These three encoded values are used in both the JWS Compact
Serialization and the JWS JSON Serialization representations. Serialization and the JWS JSON Serialization representations.
8. If the JWS JSON Serialization is being used, repeat this process 8. If the JWS JSON Serialization is being used, repeat this process
(steps 1-7) for each digital signature or MAC value being (steps 3-7) for each digital signature or MAC value being
applied. applied.
9. Create the desired serialized output. The JWS Compact 9. Create the desired serialized output. The JWS Compact
Serialization of this result is BASE64URL(UTF8(JWS Protected Serialization of this result is BASE64URL(UTF8(JWS Protected
Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS
Signature). The JWS JSON Serialization is described in Signature). The JWS JSON Serialization is described in
Section 7.2. Section 7.2.
5.2. Message Signature or MAC Validation 5.2. Message Signature or MAC Validation
When validating a JWS, the following steps MUST be taken. The order When validating a JWS, the following steps MUST be taken. The order
skipping to change at page 15, line 49 skipping to change at page 15, line 49
8. The encoded representation of the JWS Signature MUST be 8. The encoded representation of the JWS Signature MUST be
successfully base64url decoded following the restriction that no successfully base64url decoded following the restriction that no
padding characters have been used. padding characters have been used.
9. The JWS Signature MUST be successfully validated against the JWS 9. The JWS Signature MUST be successfully validated against the JWS
Signing Input ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' Signing Input ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.'
|| BASE64URL(JWS Payload)) in the manner defined for the || BASE64URL(JWS Payload)) in the manner defined for the
algorithm being used, which MUST be accurately represented by algorithm being used, which MUST be accurately represented by
the value of the "alg" (algorithm) Header Parameter, which MUST the value of the "alg" (algorithm) Header Parameter, which MUST
be present. be present.
10. If the JWS JSON Serialization is being used, repeat this process 10. If the JWS JSON Serialization is being used, repeat this process
(steps 1-9) for each digital signature or MAC value contained in (steps 4-9) for each digital signature or MAC value contained in
the representation. the representation.
5.3. String Comparison Rules 5.3. String Comparison Rules
Processing a JWS inevitably requires comparing known strings to Processing a JWS inevitably requires comparing known strings to
members and values in a JSON object. For example, in checking what members and values in a JSON object. For example, in checking what
the algorithm is, the Unicode string "alg" will be checked against the algorithm is, the Unicode string "alg" will be checked against
the member names in the JWS Header to see if there is a matching the member names in the JWS Header to see if there is a matching
Header Parameter name. The same process is then used to determine if Header Parameter name. The same process is then used to determine if
the value of the "alg" Header Parameter represents a supported the value of the "alg" Header Parameter represents a supported
algorithm. algorithm.
Since the only string comparision operations that are performed are Since the only string comparison operations that are performed are
equality and inequality, the same rules can be used for comparing equality and inequality, the same rules can be used for comparing
both member names and member values against known strings. The JSON both member names and member values against known strings. The JSON
rules for doing member name comparison are described in Section 8.3 rules for doing member name comparison are described in Section 8.3
of [I-D.ietf-json-rfc4627bis]. of [I-D.ietf-json-rfc4627bis].
Also, see the JSON security considerations in Section 10.2 and the Also, see the JSON security considerations in Section 10.2 and the
Unicode security considerations in Section 10.3. Unicode security considerations in Section 10.3.
6. Key Identification 6. Key Identification
It is necessary for the recipient of a JWS to be able to determine It is necessary for the recipient of a JWS to be able to determine
the key that was employed for the digital signature or MAC operation. the key that was employed for the digital signature or MAC operation.
The key employed can be identified using the Header Parameter methods The key employed can be identified using the Header Parameter methods
described in Section 4.1 or can be identified using methods that are described in Section 4.1 or can be identified using methods that are
outside the scope of this specification. Specifically, the Header outside the scope of this specification. Specifically, the Header
Parameters "jku", "jwk", "x5u", "x5t", "x5c", and "kid" can be used Parameters "jku", "jwk", "kid", "x5u", "x5c", and "x5t" can be used
to identify the key used. These Header Parameters MUST be integrity to identify the key used. These Header Parameters MUST be integrity
protected if the information that they convey is to be utilized in a protected if the information that they convey is to be utilized in a
trust decision. trust decision.
The sender SHOULD include sufficient information in the Header The sender SHOULD include sufficient information in the Header
Parameters to identify the key used, unless the application uses Parameters to identify the key used, unless the application uses
another means or convention to determine the key used. Validation of another means or convention to determine the key used. Validation of
the signature or MAC fails when the algorithm used requires a key the signature or MAC fails when the algorithm used requires a key
(which is true of all algorithms except for "none") and the key used (which is true of all algorithms except for "none") and the key used
cannot be determined. cannot be determined.
The means of exchanging any shared symmetric keys used is outside the The means of exchanging any shared symmetric keys used is outside the
scope of this specification. scope of this specification.
Also, see Appendix D for notes on possible key selection algorithms.
7. Serializations 7. Serializations
JWS objects use one of two serializations, the JWS Compact JWS objects use one of two serializations, the JWS Compact
Serialization or the JWS JSON Serialization. Applications using this Serialization or the JWS JSON Serialization. Applications using this
specification need to specify what serialization and serialization specification need to specify what serialization and serialization
features are used for that application. For instance, applications features are used for that application. For instance, applications
might specify that only the JWS JSON Serialization is used, that only might specify that only the JWS JSON Serialization is used, that only
JWS JSON Serialization support for a single signature or MAC value is JWS JSON Serialization support for a single signature or MAC value is
used, or that support for multiple signatures and/or MAC values is used, or that support for multiple signatures and/or MAC values is
used. JWS implementations only need to implement the features needed used. JWS implementations only need to implement the features needed
skipping to change at page 21, line 38 skipping to change at page 21, line 38
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.2 of [[ this document ]] o Specification Document(s): Section 4.1.2 of [[ this document ]]
o Header Parameter Name: "jwk" o Header Parameter Name: "jwk"
o Header Parameter Description: JSON Web Key o Header Parameter Description: JSON Web Key
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification document(s): Section 4.1.3 of [[ this document ]] o Specification document(s): Section 4.1.3 of [[ this document ]]
o Header Parameter Name: "x5u" o Header Parameter Name: "kid"
o Header Parameter Description: X.509 URL o Header Parameter Description: Key ID
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.4 of [[ this document ]] o Specification Document(s): Section 4.1.4 of [[ this document ]]
o Header Parameter Name: "x5t" o Header Parameter Name: "x5u"
o Header Parameter Description: X.509 Certificate SHA-1 Thumbprint o Header Parameter Description: X.509 URL
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.5 of [[ this document ]] o Specification Document(s): Section 4.1.5 of [[ this document ]]
o Header Parameter Name: "x5c" o Header Parameter Name: "x5c"
o Header Parameter Description: X.509 Certificate Chain o Header Parameter Description: X.509 Certificate Chain
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.6 of [[ this document ]] o Specification Document(s): Section 4.1.6 of [[ this document ]]
o Header Parameter Name: "kid" o Header Parameter Name: "x5t"
o Header Parameter Description: Key ID o Header Parameter Description: X.509 Certificate SHA-1 Thumbprint
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.7 of [[ this document ]] o Specification Document(s): Section 4.1.7 of [[ this document ]]
o Header Parameter Name: "typ" o Header Parameter Name: "typ"
o Header Parameter Description: Type o Header Parameter Description: Type
o Header Parameter Usage Location(s): JWS o Header Parameter Usage Location(s): JWS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1.8 of [[ this document ]] o Specification Document(s): Section 4.1.8 of [[ this document ]]
skipping to change at page 23, line 12 skipping to change at page 23, line 12
o Required parameters: n/a o Required parameters: n/a
o Optional parameters: n/a o Optional parameters: n/a
o Encoding considerations: 8bit; application/jose values are encoded o Encoding considerations: 8bit; application/jose values are encoded
as a series of base64url encoded values (some of which may be the as a series of base64url encoded values (some of which may be the
empty string) separated by period ('.') characters. empty string) separated by period ('.') characters.
o Security considerations: See the Security Considerations section o Security considerations: See the Security Considerations section
of [[ this document ]] of [[ this document ]]
o Interoperability considerations: n/a o Interoperability considerations: n/a
o Published specification: [[ this document ]] o Published specification: [[ this document ]]
o Applications that use this media type: OpenID Connect, Mozilla o Applications that use this media type: OpenID Connect, Mozilla
Persona, Salesforce, Google, numerous others that use signed JWTs Persona, Salesforce, Google, Android, Windows Azure, Xbox One, and
numerous others that use JWTs
o Additional information: Magic number(s): n/a, File extension(s): o Additional information: Magic number(s): n/a, File extension(s):
n/a, Macintosh file type code(s): n/a n/a, Macintosh file type code(s): n/a
o Person & email address to contact for further information: Michael o Person & email address to contact for further information: Michael
B. Jones, mbj@microsoft.com B. Jones, mbj@microsoft.com
o Intended usage: COMMON o Intended usage: COMMON
o Restrictions on usage: none o Restrictions on usage: none
o Author: Michael B. Jones, mbj@microsoft.com o Author: Michael B. Jones, mbj@microsoft.com
o Change Controller: IESG o Change Controller: IESG
o Type name: application o Type name: application
skipping to change at page 26, line 28 skipping to change at page 26, line 28
[ITU.X690.1994] [ITU.X690.1994]
International Telecommunications Union, "Information International Telecommunications Union, "Information
Technology - ASN.1 encoding rules: Specification of Basic Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T Recommendation Distinguished Encoding Rules (DER)", ITU-T Recommendation
X.690, 1994. X.690, 1994.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", [JWA] Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms (work in progress), draft-ietf-jose-json-web-algorithms (work in progress),
November 2013. December 2013.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
November 2013. December 2013.
[RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic [RFC1421] Linn, J., "Privacy Enhancement for Internet Electronic
Mail: Part I: Message Encryption and Authentication Mail: Part I: Message Encryption and Authentication
Procedures", RFC 1421, February 1993. Procedures", RFC 1421, February 1993.
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996. Bodies", RFC 2045, November 1996.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
skipping to change at page 28, line 10 skipping to change at page 28, line 10
11.2. Informative References 11.2. Informative References
[CanvasApp] [CanvasApp]
Facebook, "Canvas Applications", 2010. Facebook, "Canvas Applications", 2010.
[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign",
September 2010. September 2010.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", draft-ietf-jose-json-web-encryption Encryption (JWE)", draft-ietf-jose-json-web-encryption
(work in progress), November 2013. (work in progress), December 2013.
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token (work in (JWT)", draft-ietf-oauth-json-web-token (work in
progress), November 2013. progress), December 2013.
[MagicSignatures] [MagicSignatures]
Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic
Signatures", January 2011. Signatures", January 2011.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
July 2005. July 2005.
[W3C.CR-xmldsig-core2-20120124] [W3C.CR-xmldsig-core2-20120124]
Eastlake, D., Reagle, J., Yiu, K., Solo, D., Datta, P., Cantor, S., Roessler, T., Eastlake, D., Yiu, K., Reagle,
Hirsch, F., Cantor, S., and T. Roessler, "XML Signature J., Solo, D., Datta, P., and F. Hirsch, "XML Signature
Syntax and Processing Version 2.0", World Wide Web Syntax and Processing Version 2.0", World Wide Web
Consortium CR CR-xmldsig-core2-20120124, January 2012, Consortium CR CR-xmldsig-core2-20120124, January 2012,
<http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>. <http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>.
Appendix A. JWS Examples Appendix A. JWS Examples
This section provides several examples of JWSs. While the first This section provides several examples of JWSs. While the first
three examples all represent JSON Web Tokens (JWTs) [JWT], the three examples all represent JSON Web Tokens (JWTs) [JWT], the
payload can be any octet sequence, as shown in Appendix A.4. payload can be any octet sequence, as shown in Appendix A.4.
skipping to change at page 44, line 13 skipping to change at page 44, line 13
'=' padding characters are added; if the length mod 4 is 3, one '=' '=' padding characters are added; if the length mod 4 is 3, one '='
padding character is added; if the length mod 4 is 1, the input is padding character is added; if the length mod 4 is 1, the input is
malformed. malformed.
An example correspondence between unencoded and encoded values An example correspondence between unencoded and encoded values
follows. The octet sequence below encodes into the string below, follows. The octet sequence below encodes into the string below,
which when decoded, reproduces the octet sequence. which when decoded, reproduces the octet sequence.
3 236 255 224 193 3 236 255 224 193
A-z_4ME A-z_4ME
Appendix D. Negative Test Case for "crit" Header Parameter Appendix D. Notes on Validation Key Selection
This appendix describes a set of possible algorithms for selecting
the key to be used to validate the digital signature or MAC of a JWS
object. These algorithms are described for illustration purposes
only; specific applications can and are likely to use different
algorithms. This supplements the normative information on key
location in Section 6.
The gist of these algorithms is to collect a set of keys from known
applicable sources of keys and then to use them to attempt to
validate the digital signature or MAC value of a JWS. Potential
sources of keys include:
o Keys supplied by the application protocol being used.
o Keys referenced by the "jku" (JWK Set URL) Header Parameter.
o The key provided by the "jwk" (JSON Web Key) Header Parameter.
o The keys referenced by the "kid" (Key ID) Header Parameter.
o Keys referenced by the "x5u" (X.509 URL) Header Parameter.
o The key provided by the "x5c" (X.509 Certificate Chain) Header
Parameter.
o The key referenced by the "x5t" (X.509 Certificate SHA-1
Thumbprint) Header Parameter.
o Other applicable keys available to the application.
In some cases, the list of collected keys will be ordered in a
particular way. For instance, keys referenced by the "kid" or "x5t"
parameters might be used before other keys.
Finally, signature or MAC validation will be tried with some or all
of the collected and possibly ordered keys. This process will
normally terminate following a successful validation.
This guidance identifies a set of algorithms, rather than a single
algorithm, because in different contexts, not all the sources of keys
will be used, they can be tried in different orders, and sometimes
not all the collected keys will be tried.
Appendix E. Negative Test Case for "crit" Header Parameter
Conforming implementations must reject input containing critical Conforming implementations must reject input containing critical
extensions that are not understood or cannot be processed. The extensions that are not understood or cannot be processed. The
following JWS must be rejected by all implementations, because it following JWS must be rejected by all implementations, because it
uses an extension Header Parameter name uses an extension Header Parameter name
"http://example.invalid/UNDEFINED" that they do not understand. Any "http://example.invalid/UNDEFINED" that they do not understand. Any
other similar input, in which the use of the value other similar input, in which the use of the value
"http://example.invalid/UNDEFINED" is substituted for any other "http://example.invalid/UNDEFINED" is substituted for any other
Header Parameter name not understood by the implementation, must also Header Parameter name not understood by the implementation, must also
be rejected. be rejected.
skipping to change at page 44, line 39 skipping to change at page 45, line 37
"http://example.invalid/UNDEFINED":true "http://example.invalid/UNDEFINED":true
} }
The complete JWS that must be rejected is as follows (with line The complete JWS that must be rejected is as follows (with line
breaks for display purposes only): breaks for display purposes only):
eyJhbGciOiJub25lIiwNCiAiY3JpdCI6WyJodHRwOi8vZXhhbXBsZS5jb20vVU5ERU eyJhbGciOiJub25lIiwNCiAiY3JpdCI6WyJodHRwOi8vZXhhbXBsZS5jb20vVU5ERU
ZJTkVEIl0sDQogImh0dHA6Ly9leGFtcGxlLmNvbS9VTkRFRklORUQiOnRydWUNCn0. ZJTkVEIl0sDQogImh0dHA6Ly9leGFtcGxlLmNvbS9VTkRFRklORUQiOnRydWUNCn0.
RkFJTA. RkFJTA.
Appendix E. Detached Content Appendix F. Detached Content
In some contexts, it is useful integrity protect content that is not In some contexts, it is useful integrity protect content that is not
itself contained in a JWS object. One way to do this is create a JWS itself contained in a JWS object. One way to do this is create a JWS
object in the normal fashion using a representation of the content as object in the normal fashion using a representation of the content as
the payload, but then delete the payload representation from the JWS, the payload, but then delete the payload representation from the JWS,
and send this modified object to the recipient, rather than the JWS. and send this modified object to the recipient, rather than the JWS.
When using the JWS Compact Serialization, the deletion is When using the JWS Compact Serialization, the deletion is
accomplished by replacing the second field (which contains accomplished by replacing the second field (which contains
BASE64URL(JWS Payload)) value with the empty string; when using the BASE64URL(JWS Payload)) value with the empty string; when using the
JWS JSON Serialization, the deletion is accomplished by deleting the JWS JSON Serialization, the deletion is accomplished by deleting the
"payload" member. This method assumes that the recipient can "payload" member. This method assumes that the recipient can
reconstruct the exact payload used in the JWS. To use the modified reconstruct the exact payload used in the JWS. To use the modified
object, the recipient reconstructs the JWS by re-inserting the object, the recipient reconstructs the JWS by re-inserting the
payload representation into the modified object, and uses the payload representation into the modified object, and uses the
resulting JWS in the usual manner. Note that this method needs no resulting JWS in the usual manner. Note that this method needs no
support from JWS libraries, as applications can use this method by support from JWS libraries, as applications can use this method by
modifying the inputs and outputs of standard JWS libraries. modifying the inputs and outputs of standard JWS libraries.
Appendix F. Acknowledgements Appendix G. Acknowledgements
Solutions for signing JSON content were previously explored by Magic Solutions for signing JSON content were previously explored by Magic
Signatures [MagicSignatures], JSON Simple Sign [JSS], and Canvas Signatures [MagicSignatures], JSON Simple Sign [JSS], and Canvas
Applications [CanvasApp], all of which influenced this draft. Applications [CanvasApp], all of which influenced this draft.
Thanks to Axel Nennker for his early implementation and feedback on Thanks to Axel Nennker for his early implementation and feedback on
the JWS and JWE specifications. the JWS and JWE specifications.
This specification is the work of the JOSE Working Group, which This specification is the work of the JOSE Working Group, which
includes dozens of active and dedicated participants. In particular, includes dozens of active and dedicated participants. In particular,
skipping to change at page 45, line 36 skipping to change at page 46, line 34
Dirk Balfanz, Richard Barnes, Brian Campbell, Breno de Medeiros, Dick Dirk Balfanz, Richard Barnes, Brian Campbell, Breno de Medeiros, Dick
Hardt, Joe Hildebrand, Jeff Hodges, Edmund Jay, Yaron Y. Goland, Ben Hardt, Joe Hildebrand, Jeff Hodges, Edmund Jay, Yaron Y. Goland, Ben
Laurie, James Manger, Matt Miller, Tony Nadalin, Axel Nennker, John Laurie, James Manger, Matt Miller, Tony Nadalin, Axel Nennker, John
Panzer, Emmanuel Raviart, Eric Rescorla, Jim Schaad, Paul Tarjan, Panzer, Emmanuel Raviart, Eric Rescorla, Jim Schaad, Paul Tarjan,
Hannes Tschofenig, and Sean Turner. Hannes Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner and Stephen Farrell served as Security area directors Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification. during the creation of this specification.
Appendix G. Document History Appendix H. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-19
o Added the appendix "Notes on Validation Key Selection", addressing
issue #93.
o Reordered the key selection parameters.
-18 -18
o Updated the mandatory-to-implement (MTI) language to say that o Updated the mandatory-to-implement (MTI) language to say that
applications using this specification need to specify what applications using this specification need to specify what
serialization and serialization features are used for that serialization and serialization features are used for that
application, addressing issue #119. application, addressing issue #119.
o Changes to address editorial and minor issues #25, #89, #97, #110, o Changes to address editorial and minor issues #25, #89, #97, #110,
#114, #115, #116, #117, #120, and #184. #114, #115, #116, #117, #120, and #184.
 End of changes. 32 change blocks. 
62 lines changed or deleted 118 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/