rfc9278xml2.original.xml   rfc9278.xml 
<?xml version="1.0" encoding="us-ascii"?> <?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/r
fc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?> <!DOCTYPE rfc [
<?rfc tocompact="yes"?> <!ENTITY nbsp "&#160;">
<?rfc tocdepth="4"?> <!ENTITY zwsp "&#8203;">
<?rfc tocindent="yes"?> <!ENTITY nbhy "&#8209;">
<?rfc symrefs="yes"?> <!ENTITY wj "&#8288;">
<?rfc sortrefs="yes"?> ]>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-oauth-jwk-thumbprint-uri-03" <rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="9278" category="std" doc
ipr="trust200902"> Name="draft-ietf-oauth-jwk-thumbprint-uri-03" ipr="trust200902" obsoletes="" upd
ates="" consensus="true" submissionType="IETF" xml:lang="en" tocInclude="true" t
ocDepth="4" symRefs="true" sortRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.12.10 -->
<front> <front>
<title abbrev="JWK Thumbprint URI">JWK Thumbprint URI</title> <title abbrev="JWK Thumbprint URI">JWK Thumbprint URI</title>
<seriesInfo name="RFC" value="9278" />
<author fullname="Michael B. Jones" initials="M.B." surname="Jones"> <author fullname="Michael B. Jones" initials="M." surname="Jones">
<organization>Microsoft</organization> <organization>Microsoft</organization>
<address> <address>
<email>mbj@microsoft.com</email> <email>mbj@microsoft.com</email>
<uri>https://self-issued.info/</uri> <uri>https://self-issued.info/</uri>
</address> </address>
</author> </author>
<author fullname="Kristina Yasuda" initials="K." surname="Yasuda"> <author fullname="Kristina Yasuda" initials="K." surname="Yasuda">
<organization>Microsoft</organization> <organization>Microsoft</organization>
<address> <address>
<email>kryasuda@microsoft.com</email> <email>kryasuda@microsoft.com</email>
<uri>https://twitter.com/kristinayasuda</uri> <uri>https://twitter.com/kristinayasuda</uri>
</address> </address>
</author> </author>
<date month="August" year="2022"/>
<date day="1" month="Jun" year="2022"/>
<area>Security</area> <area>Security</area>
<workgroup>OAuth Working Group</workgroup> <workgroup>OAuth</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>JSON Web Key</keyword> <keyword>JSON Web Key</keyword>
<keyword>JWK</keyword> <keyword>JWK</keyword>
<keyword>Thumbprint</keyword> <keyword>Thumbprint</keyword>
<keyword>URI</keyword> <keyword>URI</keyword>
<keyword>URN</keyword> <keyword>URN</keyword>
<keyword>OAuth</keyword> <keyword>OAuth</keyword>
<abstract> <abstract>
<t> <t>
This specification registers a kind of URI that represents This specification registers a kind of URI that represents
a JSON Web Key (JWK) Thumbprint value. a JSON Web Key (JWK) Thumbprint value.
JWK Thumbprints are defined in RFC 7638. JWK Thumbprints are defined in RFC 7638.
This enables JWK Thumbprints to be used, This enables JWK Thumbprints to be used,
for instance, as key identifiers in contexts requiring URIs. for instance, as key identifiers in contexts requiring URIs.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="Introduction" title="Introduction"> <section anchor="Introduction" numbered="true" toc="default">
<name>Introduction</name>
<t> <t>
A JSON Web Key (JWK) Thumbprint <xref target="RFC7638"/> A JSON Web Key (JWK) Thumbprint <xref target="RFC7638" format="default"/>
is a URL-safe representation of a hash value over a JSON Web Key (JWK) <x is a URL-safe representation of a hash value over a JWK <xref target="RFC
ref target="RFC7517"/>. 7517" format="default"/>.
This specification defines a URI prefix indicating that the This specification defines a URI prefix indicating that the
portion of the URI following the prefix is a JWK Thumbprint. portion of the URI following the prefix is a JWK Thumbprint.
This enables JWK Thumbprints to be communicated in contexts requiring URI s, This enables JWK Thumbprints to be communicated in contexts requiring URI s,
including in specific JSON Web Token (JWT) <xref target="RFC7519"/> claim s. including in specific JSON Web Token (JWT) <xref target="RFC7519" format= "default"/> claims.
</t> </t>
<t> <t>
JWK Thumbprints URIs are being used in the <xref target="SIOPv2"/> specif ication JWK Thumbprint URIs are being used in the <xref target="SIOPv2" format="d efault"/> specification
as one kind of subject identifier in a context requiring that the identif ier be a URI. as one kind of subject identifier in a context requiring that the identif ier be a URI.
In this case, the subject identifier is derived from a public key represe nted as a JWK. In this case, the subject identifier is derived from a public key represe nted as a JWK.
Expressing the identifier as JWK Thumbprint URI enables this kind of iden tifier Expressing the identifier as a JWK Thumbprint URI enables this kind of id entifier
to be differentiated from other kinds of identifiers that are also URIs, to be differentiated from other kinds of identifiers that are also URIs,
such as Decentralized Identifiers (DIDs) <xref target="DID-Core"/>. such as Decentralized Identifiers (DIDs) <xref target="DID-Core" format=" default"/>.
</t> </t>
</section> </section>
<section anchor="RNC" numbered="true" toc="default">
<section anchor="RNC" title="Requirements Notation and Conventions"> <name>Requirements Notation and Conventions</name>
<t> <t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPT IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
IONAL" NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
in this document are to be interpreted as described in RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
when, and only when, they appear in all capitals, as shown here. be interpreted as
</t> described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section> </section>
<section anchor="JKTURI" numbered="true" toc="default">
<section anchor="JKTURI" title="JWK Thumbprint URI"> <name>JWK Thumbprint URI</name>
<t> <t>
The following URI prefix is defined to indicate that the The following URI prefix is defined to indicate that the
portion of the URI following the prefix is a JWK Thumbprint: portion of the URI following the prefix is a JWK Thumbprint:
</t> </t>
<t indent="3"><tt>urn:ietf:params:oauth:jwk-thumbprint</tt></t>
<t> <t>
<list style="symbols"> To make the hash algorithm being used explicit in a URI,
<t><spanx style='verb'>urn:ietf:params:oauth:jwk-thumbprint</spanx></t>
</list>
</t>
<t>
To make it explicit in a URI which hash algorithm is used,
the prefix is followed by a hash algorithm identifier and a JWK Thumbprint val ue, the prefix is followed by a hash algorithm identifier and a JWK Thumbprint val ue,
each separated by a colon character to form a URI representing a JWK Thumbprin t. each separated by a colon character to form a URI representing a JWK Thumbprin t.
</t> </t>
</section> </section>
<section anchor="HashAlgorithms" numbered="true" toc="default">
<section anchor="HashAlgorithms" title="Hash Algorithms Identifier"> <name>Hash Algorithms Identifier</name>
<t> <t>
Hash algorithm identifiers used in JWK Thumbprint URIs MUST be values fro Hash algorithm identifiers used in JWK Thumbprint URIs <bcp14>MUST</bcp14
m the "Hash Name String" column > be values from the "Hash Name String" column
in the IANA "Named Information Hash Algorithm" registry <xref target="IAN in the IANA "Named Information Hash Algorithm Registry" <xref target="IAN
A.Hash.Algorithms"/>. A.Hash.Algorithms" format="default"/>.
JWK Thumbprint URIs with hash algorithm identifiers not found in this reg istry are not considered valid JWK Thumbprint URIs with hash algorithm identifiers not found in this reg istry are not considered valid
and applications will need to detect and handle this error, should it occ ur. and applications will need to detect and handle this error, should it occ ur.
</t> </t>
</section> </section>
<section anchor="MTI" numbered="true" toc="default">
<section anchor="MTI" title="Mandatory to Implement Hash Algorithm"> <name>Mandatory to Implement Hash Algorithm</name>
<t> <t>
To promote interoperability among implementations, To promote interoperability among implementations,
the SHA-256 hash algorithm is mandatory to implement. the SHA-256 hash algorithm is mandatory to implement.
</t> </t>
</section> </section>
<section anchor="Example" numbered="true" toc="default">
<name>Example JWK Thumbprint URI</name>
<t>
<xref target="RFC7638" sectionFormat="of" section="3.1"/> contains the following
example JWK Thumbprint value:
</t>
<section anchor="Example" title="Example JWK Thumbprint URI"> <t indent="3"><tt>NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs</tt></t>
<t>
Section 3.1 of <xref target="RFC7638"/> contains the following example
JWK Thumbprint value:
</t>
<figure><artwork><![CDATA[
NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs
]]></artwork></figure>
<t> <t>
A complete JWK Thumbprint URI using the above JWK Thumbprint and SHA-25 A complete JWK Thumbprint URI using the above JWK Thumbprint and SHA-25
6 hash algorithm is: 6 hash algorithm is as follows:
</t> </t>
<figure><artwork><![CDATA[ <t indent="3"><tt>urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MN
urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfH wXF4W_7noWXFZAfHkxZsRGC9Xs</tt></t>
kxZsRGC9Xs </section>
]]></artwork></figure>
</section>
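The following is an added example and is not code from RFC 9278 or from its authors. It builds a JWK Thumbprint URI from a JWK (RFC 7638 thumbprint computation plus the prefix and hash algorithm identifier of Section 3), parses and validates such a URI (rejecting unregistered hash algorithm identifiers as Section 4 requires), and recomputes the thumbprint from a presented key so that a URI is only accepted as that key's identifier when the two agree, which is the binding check the Security Considerations are concerned with. It uses only the Python standard library. Assumptions: the HASH_ALGORITHMS table is a hand-picked subset of the IANA "Named Information Hash Algorithm Registry" Hash Name Strings, not the whole registry; the embedded RSA key is the example key of RFC 7638 Section 3.1, whose thumbprint is the value quoted on this page, and the function and constant names are this example's own.

```python
"""JWK Thumbprint URI (RFC 9278) helpers: build, parse, validate, match.

Added example, not code from RFC 9278. Standard library only.
"""
import base64
import hashlib
import hmac
import json

URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint"

# Assumed subset of IANA "Hash Name String" values mapped to hashlib
# constructors. SHA-256 is mandatory to implement (RFC 9278 Section 5);
# the registry holds more entries (e.g. truncated variants) than listed here.
HASH_ALGORITHMS = {
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# Required members per key type (RFC 7638 Section 3.2). Only these members
# enter the hash, sorted lexicographically, serialized without whitespace.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7638 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict, hash_name: str = "sha-256") -> str:
    """RFC 7638 thumbprint of ``jwk`` under the named hash algorithm."""
    if hash_name not in HASH_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm identifier: {hash_name!r}")
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported key type: {kty!r}")
    # Optional members such as "alg" or "kid" are deliberately left out.
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = HASH_ALGORITHMS[hash_name](canonical.encode("utf-8")).digest()
    return _b64url(digest)


def jwk_thumbprint_uri(jwk: dict, hash_name: str = "sha-256") -> str:
    """prefix ':' hash algorithm identifier ':' thumbprint (Section 3)."""
    return f"{URI_PREFIX}:{hash_name}:{jwk_thumbprint(jwk, hash_name)}"


def parse_jwk_thumbprint_uri(uri: str) -> tuple:
    """Return (hash_name, thumbprint); raise ValueError on an invalid URI."""
    if not uri.startswith(URI_PREFIX + ":"):
        raise ValueError("not a JWK Thumbprint URI")
    hash_name, sep, thumbprint = uri[len(URI_PREFIX) + 1:].partition(":")
    if not sep or not thumbprint:
        raise ValueError("missing hash algorithm identifier or thumbprint")
    if hash_name not in HASH_ALGORITHMS:
        # Section 4: identifiers not in the registry are not valid.
        raise ValueError(f"unknown hash algorithm identifier: {hash_name!r}")
    if not set(thumbprint) <= _B64URL_ALPHABET:
        raise ValueError("thumbprint is not base64url")
    return hash_name, thumbprint


def is_valid_jwk_thumbprint_uri(uri: str) -> bool:
    try:
        parse_jwk_thumbprint_uri(uri)
        return True
    except ValueError:
        return False


def uri_matches_jwk(uri: str, jwk: dict) -> bool:
    """True only if ``uri`` is the thumbprint URI of the presented ``jwk``.

    The thumbprint is recomputed from the key rather than trusted from the
    URI, so the identifier is bound to the key actually presented.
    """
    hash_name, thumbprint = parse_jwk_thumbprint_uri(uri)
    return hmac.compare_digest(thumbprint, jwk_thumbprint(jwk, hash_name))


# Example RSA public key copied from RFC 7638 Section 3.1.
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7"
         "aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXA"
         "rwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7"
         "d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lF"
         "d2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

if __name__ == "__main__":
    uri = jwk_thumbprint_uri(RFC7638_EXAMPLE_JWK)
    print(uri)
    # Value quoted in RFC 9278 Section 6 for this key, printed for comparison.
    print("RFC 7638 thumbprint: NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs")
    print("matches presented key:", uri_matches_jwk(uri, RFC7638_EXAMPLE_JWK))
```

Two design points: the "alg" and "kid" members are ignored on purpose, since RFC 7638 hashes only the required members, so two JWKs that differ only in metadata share a thumbprint; and the hash algorithm used for the comparison is taken from the URI itself, so a URI naming an unregistered algorithm fails closed in the parser instead of being silently compared under a default.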
<section anchor="Security" title="Security Considerations"> <section anchor="Security" numbered="true" toc="default">
<name>Security Considerations</name>
<t> <t>
The security considerations of <xref target="RFC7638"/> The security considerations of <xref target="RFC7638" format="default"/>
also apply when using this specification. also apply when using this specification.
</t> </t>
<section anchor="MultiplePublicKeysPerPrivateKey" numbered="true" toc="def
<section anchor="MultiplePublicKeysPerPrivateKey" title="Multiple Public K ault">
eys per Private Key"> <name>Multiple Public Keys per Private Key</name>
<t> <t>
There are cryptographic algorithms for which multiple public keys corre spond to the same private key. There are cryptographic algorithms for which multiple public keys corre spond to the same private key.
This is described in the security considerations of <xref target="RFC77 This is described in the security considerations of <xref target="RFC77
48"/> as follows: 48" format="default"/> as follows:
</t> </t>
<t> <blockquote>
<list style="empty">
<t>
Designers using these curves should be aware that for each public Designers using these curves should be aware that for each public
key, there are several publicly computable public keys that are key, there are several publicly computable public keys that are
equivalent to it, i.e., they produce the same shared secrets. Thus equivalent to it, i.e., they produce the same shared secrets. Thus
using a public key as an identifier and knowledge of a shared secre t using a public key as an identifier and knowledge of a shared secre t
as proof of ownership (without including the public keys in the key as proof of ownership (without including the public keys in the key
derivation) might lead to subtle vulnerabilities. derivation) might lead to subtle vulnerabilities.
</t> </blockquote>
</list> <t>
</t>
<t>
This consideration for public keys as identifiers equally applies to JW K Thumbprint URIs used as identifiers. This consideration for public keys as identifiers equally applies to JW K Thumbprint URIs used as identifiers.
A recommended way to ensure that the JWK Thumbprint URI corresponds to the actual A recommended way to ensure that the JWK Thumbprint URI corresponds to the actual
public key used is to sign a message containing the correct public key with the private key. public key used is to sign a message containing the correct public key with the private key.
This signed message could also contain the JWK Thumbprint URI This signed message could also contain the JWK Thumbprint URI
(although, by definition, it could also be computed directly from the p ublic key). (although, by definition, it could also be computed directly from the p ublic key).
</t> </t>
</section> </section>
</section> </section>
<section anchor="IANA" numbered="true" toc="default">
<section anchor="IANA" title="IANA Considerations"> <name>IANA Considerations</name>
<section anchor="URIReg" numbered="true" toc="default">
<section anchor="URIReg" title="OAuth URI Registration"> <name>OAuth URI Registration</name>
<t>
<t>
This specification registers the following value in the This specification registers the following value in the
IANA "OAuth URI" registry IANA "OAuth URI" registry
<xref target="IANA.OAuth.Parameters"/> <xref target="IANA.OAuth.Parameters" format="default"/>
established by <xref target="RFC6755"/>. established by <xref target="RFC6755" format="default"/>.
</t> </t>
<section anchor="URIContents" numbered="true" toc="default">
<section title="Registry Contents" anchor="URIContents"> <name>Registry Contents</name>
<dl>
<t> <dt>URN:</dt><dd>urn:ietf:params:oauth:jwk-thumbprint</dd>
<?rfc subcompact="yes"?> <dt>Common Name:</dt><dd>JWK Thumbprint URI</dd>
<list style="symbols"> <dt>Change controller:</dt><dd>IESG</dd>
<t>URN: urn:ietf:params:oauth:jwk-thumbprint</t> <dt>Specification Document:</dt><dd>RFC 9278</dd>
<t>Common Name: JWK Thumbprint URI</t> </dl>
<t>Change controller: IESG</t> </section>
<t>Specification Document: [[ this specification ]]</t>
</list>
</t>
<?rfc subcompact="no"?>
</section>
</section> </section>
</section> </section>
</middle> </middle>
<back> <back>
<references title="Normative References"> <references>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R <name>References</name>
FC.2119.xml' ?> <references>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R <name>Normative References</name>
FC.7638.xml' ?> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R FC.2119.xml"/>
FC.8174.xml"?> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7638.xml"/>
<reference anchor="IANA.OAuth.Parameters" target="http://www.iana.org/assi <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
gnments/oauth-parameters"> FC.8174.xml"/>
<front>
<title>OAuth Parameters</title>
<author>
<organization>IANA</organization>
</author>
<date/>
</front>
</reference>
</references>
<references title="Informative References">
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R
FC.6755.xml' ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R
FC.7517.xml' ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R
FC.7519.xml' ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.R
FC.7748.xml' ?>
<reference anchor="IANA.Hash.Algorithms" target="https://www.iana.org/assi <reference anchor="IANA.OAuth.Parameters" target="http://www.iana.org/as
gnments/named-information/named-information.xhtml#hash-alg"> signments/oauth-parameters">
<front> <front>
<title>Named Information Hash Algorithm Registry</title> <title>OAuth Parameters</title>
<author> <author>
<organization>IANA</organization> <organization>IANA</organization>
</author> </author>
<date/> </front>
</front> </reference>
</reference> </references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6755.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7517.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7519.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7748.xml"/>
<reference anchor="SIOPv2" target="https://openid.net/specs/openid-connect <reference anchor="IANA.Hash.Algorithms" target="https://www.iana.org/as
-self-issued-v2-1_0.html"> signments/named-information">
<front> <front>
<title>Self-Issued OpenID Provider v2</title> <title>Named Information Hash Algorithm Registry</title>
<author fullname="Kristina Yasuda"> <author>
<organization>Microsoft</organization> <organization>IANA</organization>
</author> </author>
<author fullname="Michael B. Jones"> </front>
<organization>Microsoft</organization> </reference>
</author>
<date day="18" month="December" year="2021"/>
</front>
</reference>
<reference anchor="DID-Core" target="https://www.w3.org/TR/2021/PR-did-cor <reference anchor="SIOPv2" target="https://openid.net/specs/openid-conne
e-20210803/"> ct-self-issued-v2-1_0.html">
<front> <front>
<title>Decentralized Identifiers (DIDs) v1.0</title> <title>Self-Issued OpenID Provider v2</title>
<author fullname="Manu Sporny"> <author fullname="Kristina Yasuda">
<organization>Digital Bazaar</organization> <organization>Microsoft</organization>
</author> </author>
<author fullname="Amy Guy"> <author fullname="Michael Jones">
<organization>Digital Bazaar</organization> <organization>Microsoft</organization>
</author> </author>
<author fullname="Markus Sabadello"> <author fullname="Torsten Lodderstedt">
<organization>Danube Tech</organization> <organization>yes.com</organization>
</author> </author>
<author fullname="Drummond Reed"> <date month="June" year="2022"/>
<organization>Evernym</organization> </front>
</author> </reference>
<date day="3" month="Aug" year="2021"/>
</front>
</reference>
<reference anchor="DID-Core" target="https://www.w3.org/TR/2021/PR-did-core-
20210803/">
<front>
<title>Decentralized Identifiers (DIDs) v1.0</title>
<author fullname="Manu Sporny">
<organization>Digital Bazaar</organization>
</author>
<author fullname="Amy Guy">
<organization>Digital Bazaar</organization>
</author>
<author fullname="Markus Sabadello">
<organization>Danube Tech</organization>
</author>
<author fullname="Drummond Reed">
<organization>Evernym</organization>
</author>
<date month="Aug" year="2021"/>
</front>
</reference>
</references>
</references> </references>
<section anchor="Acknowledgements" title="Acknowledgements"> <section anchor="Acknowledgements" numbered="false" toc="default">
<name>Acknowledgements</name>
<t> <t>
Use cases for this specification were developed in the Use cases for this specification were developed in the
OpenID Connect Working Group of the OpenID Foundation. OpenID Connect Working Group of the OpenID Foundation.
Specifically, it is being used a key identifier in the Specifically, it is being used as a key identifier in the
<xref target="SIOPv2"/> specification. <xref target="SIOPv2" format="default"/> specification.
</t> </t>
<t> <t>
The following individuals also contributed to the creation of this speci fication: The following individuals also contributed to the creation of this speci fication:
John Bradley, <contact fullname="John Bradley"/>, <contact fullname="Scott Bradner"/>, <contac
Scott Bradner, t fullname="Brian Campbell"/>, <contact fullname="Roman Danyliw"/>, <contact ful
Brian Campbell, lname="Vladimir Dzhuvinov"/>, <contact fullname="Lars Eggert"/>, <contact fullna
Roman Danyliw, me="Warren Kumari"/>, <contact fullname="Adam Lemmon"/>, <contact fullname="Neil
Vladimir Dzhuvinov, Madden"/>, <contact fullname="James Manger"/>, <contact fullname="Francesca Pal
Lars Eggert, ombini"/>, <contact fullname="Aaron Parecki"/>, <contact fullname="Gonzalo Salgu
Warren Kumari, eiro"/>, <contact fullname="Rifaat Shekh-Yusef"/>, <contact fullname="Robert Spa
Adam Lemmon, rks"/>, <contact fullname="David Waite"/>, <contact fullname="Robert Wilton"/>,
Neil Madden, and <contact fullname="Paul Wouters"/>.
James Manger,
Francesca Palombini,
Aaron Parecki,
Gonzalo Salgueiro,
Rifaat Shekh-Yusef,
Robert Sparks,
David Waite,
Robert Wilton,
and
Paul Wouters.
</t>
</section>
<section anchor="History" title="Document History">
<?rfc subcompact="yes"?>
<t>
[[ to be removed by the RFC Editor before publication as an RFC ]]
</t>
<t>
-03
<list style='symbols'>
<t>
Addressed IESG comment by Lars Eggert on the use of inclusive langua
ge.
</t>
</list>
</t>
<t>
-02
<list style='symbols'>
<t>
Addressed IETF last call comments by clarifying the requirement to u
se registered hash algorithm identifiers.
</t>
</list>
</t>
<t>
-01
<list style='symbols'>
<t>
Added security considerations about multiple public keys corespondin
g to the same private key.
</t>
<t>
Added hash algorithm identifier after the JWK thumbprint URI prefix
to make it explicit in a URI which hash algorithm is used.
</t>
<t>
Added reference to a registry for hash algorithm identifiers.
</t>
<t>
Added SHA-256 as a mandatory to implement hash algorithm to promote
interoperability.
</t>
</list>
</t>
<t>
-00
<list style='symbols'>
<t>
Created initial working group draft from draft-jones-oauth-jwk-thumb
print-uri-01.
</t>
</list>
</t> </t>
<?rfc subcompact="no"?>
</section> </section>
</back> </back>
</rfc> </rfc>
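Review bot: in the references, the IANA.Hash.Algorithms target was changed from "https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg" to "https://www.iana.org/assignments/named-information", which drops the fragment that lands the reader on the Hash Algorithm table; since Section 4 directs implementers to the "Hash Name String" column of that specific registry, consider a target that still resolves to the hash-alg table, or name the table explicitly in the reference title. Minor, and unchanged on both sides: the Section 4 heading reads "Hash Algorithms Identifier" while its body consistently says "hash algorithm identifier"; "Hash Algorithm Identifier" would match.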
 End of changes. 47 change blocks. 
281 lines changed or deleted 188 lines changed or added

This html diff was produced by rfcdiff 1.48.