| rfc9278.original | rfc9278.txt | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | Internet Engineering Task Force (IETF) M. Jones | |||
| Internet-Draft K. Yasuda | Request for Comments: 9278 K. Yasuda | |||
| Intended status: Standards Track Microsoft | Category: Standards Track Microsoft | |||
| Expires: December 3, 2022 Jun 1, 2022 | ISSN: 2070-1721 August 2022 | |||
| JWK Thumbprint URI | JWK Thumbprint URI | |||
| draft-ietf-oauth-jwk-thumbprint-uri-03 | ||||
| Abstract | Abstract | |||
| This specification registers a kind of URI that represents a JSON Web | This specification registers a kind of URI that represents a JSON Web | |||
| Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. | Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. | |||
| This enables JWK Thumbprints to be used, for instance, as key | This enables JWK Thumbprints to be used, for instance, as key | |||
| identifiers in contexts requiring URIs. | identifiers in contexts requiring URIs. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on December 3, 2022. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9278. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Revised BSD License text as described in Section 4.e of the | |||
| the Trust Legal Provisions and are provided without warranty as | Trust Legal Provisions and are provided without warranty as described | |||
| described in the Simplified BSD License. | in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 2. Requirements Notation and Conventions . . . . . . . . . . . . 2 | 2. Requirements Notation and Conventions | |||
| 3. JWK Thumbprint URI . . . . . . . . . . . . . . . . . . . . . 3 | 3. JWK Thumbprint URI | |||
| 4. Hash Algorithms Identifier . . . . . . . . . . . . . . . . . 3 | 4. Hash Algorithms Identifier | |||
| 5. Mandatory to Implement Hash Algorithm . . . . . . . . . . . . 3 | 5. Mandatory to Implement Hash Algorithm | |||
| 6. Example JWK Thumbprint URI . . . . . . . . . . . . . . . . . 3 | 6. Example JWK Thumbprint URI | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 7. Security Considerations | |||
| 7.1. Multiple Public Keys per Private Key . . . . . . . . . . 3 | 7.1. Multiple Public Keys per Private Key | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 8. IANA Considerations | |||
| 8.1. OAuth URI Registration . . . . . . . . . . . . . . . . . 4 | 8.1. OAuth URI Registration | |||
| 8.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 4 | 8.1.1. Registry Contents | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 9. References | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 4 | 9.1. Normative References | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 5 | 9.2. Informative References | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5 | Acknowledgements | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Introduction | 1. Introduction | |||
| A JSON Web Key (JWK) Thumbprint [RFC7638] is a URL-safe | A JSON Web Key (JWK) Thumbprint [RFC7638] is a URL-safe | |||
| representation of a hash value over a JSON Web Key (JWK) [RFC7517]. | representation of a hash value over a JWK [RFC7517]. This | |||
| This specification defines a URI prefix indicating that the portion | specification defines a URI prefix indicating that the portion of the | |||
| of the URI following the prefix is a JWK Thumbprint. This enables | URI following the prefix is a JWK Thumbprint. This enables JWK | |||
| JWK Thumbprints to be communicated in contexts requiring URIs, | Thumbprints to be communicated in contexts requiring URIs, including | |||
| including in specific JSON Web Token (JWT) [RFC7519] claims. | in specific JSON Web Token (JWT) [RFC7519] claims. | |||
| JWK Thumbprints URIs are being used in the [SIOPv2] specification as | JWK Thumbprint URIs are being used in the [SIOPv2] specification as | |||
| one kind of subject identifier in a context requiring that the | one kind of subject identifier in a context requiring that the | |||
| identifier be a URI. In this case, the subject identifier is derived | identifier be a URI. In this case, the subject identifier is derived | |||
| from a public key represented as a JWK. Expressing the identifier as | from a public key represented as a JWK. Expressing the identifier as | |||
| JWK Thumbprint URI enables this kind of identifier to be | a JWK Thumbprint URI enables this kind of identifier to be | |||
| differentiated from other kinds of identifiers that are also URIs, | differentiated from other kinds of identifiers that are also URIs, | |||
| such as Decentralized Identifiers (DIDs) [DID-Core]. | such as Decentralized Identifiers (DIDs) [DID-Core]. | |||
| 2. Requirements Notation and Conventions | 2. Requirements Notation and Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. JWK Thumbprint URI | 3. JWK Thumbprint URI | |||
| The following URI prefix is defined to indicate that the portion of | The following URI prefix is defined to indicate that the portion of | |||
| the URI following the prefix is a JWK Thumbprint: | the URI following the prefix is a JWK Thumbprint: | |||
| o "urn:ietf:params:oauth:jwk-thumbprint" | urn:ietf:params:oauth:jwk-thumbprint | |||
| To make it explicit in a URI which hash algorithm is used, the prefix | To make the hash algorithm being used explicit in a URI, the prefix | |||
| is followed by a hash algorithm identifier and a JWK Thumbprint | is followed by a hash algorithm identifier and a JWK Thumbprint | |||
| value, each separated by a colon character to form a URI representing | value, each separated by a colon character to form a URI representing | |||
| a JWK Thumbprint. | a JWK Thumbprint. | |||
| 4. Hash Algorithms Identifier | 4. Hash Algorithms Identifier | |||
| Hash algorithm identifiers used in JWK Thumbprint URIs MUST be values | Hash algorithm identifiers used in JWK Thumbprint URIs MUST be values | |||
| from the "Hash Name String" column in the IANA "Named Information | from the "Hash Name String" column in the IANA "Named Information | |||
| Hash Algorithm" registry [IANA.Hash.Algorithms]. JWK Thumbprint URIs | Hash Algorithm Registry" [IANA.Hash.Algorithms]. JWK Thumbprint URIs | |||
| with hash algorithm identifiers not found in this registry are not | with hash algorithm identifiers not found in this registry are not | |||
| considered valid and applications will need to detect and handle this | considered valid and applications will need to detect and handle this | |||
| error, should it occur. | error, should it occur. | |||
| 5. Mandatory to Implement Hash Algorithm | 5. Mandatory to Implement Hash Algorithm | |||
| To promote interoperability among implementations, the SHA-256 hash | To promote interoperability among implementations, the SHA-256 hash | |||
| algorithm is mandatory to implement. | algorithm is mandatory to implement. | |||
| 6. Example JWK Thumbprint URI | 6. Example JWK Thumbprint URI | |||
| Section 3.1 of [RFC7638] contains the following example JWK | Section 3.1 of [RFC7638] contains the following example JWK | |||
| Thumbprint value: | Thumbprint value: | |||
| NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs | NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs | |||
| A complete JWK Thumbprint URI using the above JWK Thumbprint and | A complete JWK Thumbprint URI using the above JWK Thumbprint and | |||
| SHA-256 hash algorithm is: | SHA-256 hash algorithm is as follows: | |||
| urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs | urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd- | |||
| 6MNwXF4W_7noWXFZAfHkxZsRGC9Xs | ||||
| 7. Security Considerations | 7. Security Considerations | |||
| The security considerations of [RFC7638] also apply when using this | The security considerations of [RFC7638] also apply when using this | |||
| specification. | specification. | |||
| 7.1. Multiple Public Keys per Private Key | 7.1. Multiple Public Keys per Private Key | |||
| There are cryptographic algorithms for which multiple public keys | There are cryptographic algorithms for which multiple public keys | |||
| correspond to the same private key. This is described in the | correspond to the same private key. This is described in the | |||
| security considerations of [RFC7748] as follows: | security considerations of [RFC7748] as follows: | |||
| Designers using these curves should be aware that for each public | | Designers using these curves should be aware that for each public | |||
| key, there are several publicly computable public keys that are | | key, there are several publicly computable public keys that are | |||
| equivalent to it, i.e., they produce the same shared secrets. | | equivalent to it, i.e., they produce the same shared secrets. | |||
| Thus using a public key as an identifier and knowledge of a shared | | Thus using a public key as an identifier and knowledge of a shared | |||
| secret as proof of ownership (without including the public keys in | | secret as proof of ownership (without including the public keys in | |||
| the key derivation) might lead to subtle vulnerabilities. | | the key derivation) might lead to subtle vulnerabilities. | |||
| This consideration for public keys as identifiers equally applies to | This consideration for public keys as identifiers equally applies to | |||
| JWK Thumbprint URIs used as identifiers. A recommended way to ensure | JWK Thumbprint URIs used as identifiers. A recommended way to ensure | |||
| that the JWK Thumbprint URI corresponds to the actual public key used | that the JWK Thumbprint URI corresponds to the actual public key used | |||
| is to sign a message containing the correct public key with the | is to sign a message containing the correct public key with the | |||
| private key. This signed message could also contain the JWK | private key. This signed message could also contain the JWK | |||
| Thumbprint URI (although, by definition, it could also be computed | Thumbprint URI (although, by definition, it could also be computed | |||
| directly from the public key). | directly from the public key). | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| 8.1. OAuth URI Registration | 8.1. OAuth URI Registration | |||
| This specification registers the following value in the IANA "OAuth | This specification registers the following value in the IANA "OAuth | |||
| URI" registry [IANA.OAuth.Parameters] established by [RFC6755]. | URI" registry [IANA.OAuth.Parameters] established by [RFC6755]. | |||
| 8.1.1. Registry Contents | 8.1.1. Registry Contents | |||
| o URN: urn:ietf:params:oauth:jwk-thumbprint | URN: urn:ietf:params:oauth:jwk-thumbprint | |||
| o Common Name: JWK Thumbprint URI | ||||
| o Change controller: IESG | Common Name: JWK Thumbprint URI | |||
| o Specification Document: [[ this specification ]] | ||||
| Change controller: IESG | ||||
| Specification Document: RFC 9278 | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [IANA.OAuth.Parameters] | [IANA.OAuth.Parameters] | |||
| IANA, "OAuth Parameters", | IANA, "OAuth Parameters", | |||
| <http://www.iana.org/assignments/oauth-parameters>. | <http://www.iana.org/assignments/oauth-parameters>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| skipping to change at page 5, line 11 ¶ | skipping to change at line 194 ¶ | |||
| [RFC7638] Jones, M. and N. Sakimura, "JSON Web Key (JWK) | [RFC7638] Jones, M. and N. Sakimura, "JSON Web Key (JWK) | |||
| Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September | Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September | |||
| 2015, <https://www.rfc-editor.org/info/rfc7638>. | 2015, <https://www.rfc-editor.org/info/rfc7638>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [DID-Core] | [DID-Core] Sporny, M., Guy, A., Sabadello, M., and D. Reed, | |||
| Sporny, M., Guy, A., Sabadello, M., and D. Reed, | "Decentralized Identifiers (DIDs) v1.0", August 2021, | |||
| "Decentralized Identifiers (DIDs) v1.0", Aug 2021, | ||||
| <https://www.w3.org/TR/2021/PR-did-core-20210803/>. | <https://www.w3.org/TR/2021/PR-did-core-20210803/>. | |||
| [IANA.Hash.Algorithms] | [IANA.Hash.Algorithms] | |||
| IANA, "Named Information Hash Algorithm Registry", | IANA, "Named Information Hash Algorithm Registry", | |||
| <https://www.iana.org/assignments/named-information/named- | <https://www.iana.org/assignments/named-information>. | |||
| information.xhtml#hash-alg>. | ||||
| [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| for OAuth", RFC 6755, DOI 10.17487/RFC6755, October 2012, | for OAuth", RFC 6755, DOI 10.17487/RFC6755, October 2012, | |||
| <https://www.rfc-editor.org/info/rfc6755>. | <https://www.rfc-editor.org/info/rfc6755>. | |||
| [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, | [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, | |||
| DOI 10.17487/RFC7517, May 2015, | DOI 10.17487/RFC7517, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7517>. | <https://www.rfc-editor.org/info/rfc7517>. | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | |||
| for Security", RFC 7748, DOI 10.17487/RFC7748, January | for Security", RFC 7748, DOI 10.17487/RFC7748, January | |||
| 2016, <https://www.rfc-editor.org/info/rfc7748>. | 2016, <https://www.rfc-editor.org/info/rfc7748>. | |||
| [SIOPv2] Yasuda, K. and M. B. Jones, "Self-Issued OpenID Provider | [SIOPv2] Yasuda, K., Jones, M., and T. Lodderstedt, "Self-Issued | |||
| v2", December 2021, <https://openid.net/specs/openid- | OpenID Provider v2", June 2022, <https://openid.net/specs/ | |||
| connect-self-issued-v2-1_0.html>. | openid-connect-self-issued-v2-1_0.html>. | |||
| Appendix A. Acknowledgements | Acknowledgements | |||
| Use cases for this specification were developed in the OpenID Connect | Use cases for this specification were developed in the OpenID Connect | |||
| Working Group of the OpenID Foundation. Specifically, it is being | Working Group of the OpenID Foundation. Specifically, it is being | |||
| used a key identifier in the [SIOPv2] specification. | used as a key identifier in the [SIOPv2] specification. | |||
| The following individuals also contributed to the creation of this | The following individuals also contributed to the creation of this | |||
| specification: John Bradley, Scott Bradner, Brian Campbell, Roman | specification: John Bradley, Scott Bradner, Brian Campbell, Roman | |||
| Danyliw, Vladimir Dzhuvinov, Lars Eggert, Warren Kumari, Adam Lemmon, | Danyliw, Vladimir Dzhuvinov, Lars Eggert, Warren Kumari, Adam Lemmon, | |||
| Neil Madden, James Manger, Francesca Palombini, Aaron Parecki, | Neil Madden, James Manger, Francesca Palombini, Aaron Parecki, | |||
| Gonzalo Salgueiro, Rifaat Shekh-Yusef, Robert Sparks, David Waite, | Gonzalo Salgueiro, Rifaat Shekh-Yusef, Robert Sparks, David Waite, | |||
| Robert Wilton, and Paul Wouters. | Robert Wilton, and Paul Wouters. | |||
| Appendix B. Document History | ||||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | ||||
| -03 | ||||
| o Addressed IESG comment by Lars Eggert on the use of inclusive | ||||
| language. | ||||
| -02 | ||||
| o Addressed IETF last call comments by clarifying the requirement to | ||||
| use registered hash algorithm identifiers. | ||||
| -01 | ||||
| o Added security considerations about multiple public keys | ||||
| coresponding to the same private key. | ||||
| o Added hash algorithm identifier after the JWK thumbprint URI | ||||
| prefix to make it explicit in a URI which hash algorithm is used. | ||||
| o Added reference to a registry for hash algorithm identifiers. | ||||
| o Added SHA-256 as a mandatory to implement hash algorithm to | ||||
| promote interoperability. | ||||
| -00 | ||||
| o Created initial working group draft from draft-jones-oauth-jwk- | ||||
| thumbprint-uri-01. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Michael B. Jones | Michael B. Jones | |||
| Microsoft | Microsoft | |||
| Email: mbj@microsoft.com | Email: mbj@microsoft.com | |||
| URI: https://self-issued.info/ | URI: https://self-issued.info/ | |||
| Kristina Yasuda | Kristina Yasuda | |||
| Microsoft | Microsoft | |||
| Email: kryasuda@microsoft.com | Email: kryasuda@microsoft.com | |||
| URI: https://twitter.com/kristinayasuda | URI: https://twitter.com/kristinayasuda | |||
| End of changes. 27 change blocks. | ||||
| 103 lines changed or deleted | 69 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||