rfcdiff: draft-ietf-jose-json-web-algorithms-06.txt against
draft-ietf-jose-json-web-algorithms-07.txt.  The text below is the -07
version; where -06 differed, the -06 wording is noted in brackets.

JOSE Working Group                                             M. Jones
Internet-Draft                                                Microsoft
Intended status: Standards Track                       November 6, 2012
Expires: May 10, 2013
[-06: dated October 15, 2012; expires April 18, 2013]

                       JSON Web Algorithms (JWA)
                draft-ietf-jose-json-web-algorithms-07
             [-06: draft-ietf-jose-json-web-algorithms-06]

Abstract

   The JSON Web Algorithms (JWA) specification enumerates cryptographic
   algorithms and identifiers to be used with the JSON Web Signature
   (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
   specifications.

Status of this Memo
   [rfcdiff: unchanged text skipped; diff resumes at page 1, line 33]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 10, 2013.  [-06: April 18,
   2013.]

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [rfcdiff: unchanged text skipped; diff resumes at page 2, line 40]
   (Table of Contents excerpt; page numbers are those of -07.  Several
   entries from 4.8.2 onward moved one page later than in -06, and the
   RSA parameter sections were renamed.)

   4.5.   Key Encryption with AES Key Wrap . . . . . . . . . . . . . 15
   4.6.   Direct Encryption with a Shared Symmetric Key  . . . . . . 15
   4.7.   Key Agreement with Elliptic Curve Diffie-Hellman
          Ephemeral Static (ECDH-ES) . . . . . . . . . . . . . . . . 15
     4.7.1.  Key Derivation for "ECDH-ES" . . . . . . . . . . . . . 16
   4.8.   Composite Plaintext Encryption Algorithms
          "A128CBC+HS256" and "A256CBC+HS512"  . . . . . . . . . . . 17
     4.8.1.  Key Derivation for "A128CBC+HS256" and
             "A256CBC+HS512" . . . . . . . . . . . . . . . . . . . 17
     4.8.2.  Encryption Calculation for "A128CBC+HS256" and
             "A256CBC+HS512" . . . . . . . . . . . . . . . . . . . 19
     4.8.3.  Integrity Calculation for "A128CBC+HS256" and
             "A256CBC+HS512" . . . . . . . . . . . . . . . . . . . 19
   4.9.   Plaintext Encryption with AES GCM  . . . . . . . . . . . . 19
   4.10.  Additional Encryption Algorithms and Parameters  . . . . . 20
   5.  Cryptographic Algorithms for JWK . . . . . . . . . . . . . . . 21
   5.1.   "alg" (Algorithm Family) Parameter Values for JWK  . . . . 21
   5.2.   JWK Parameters for Elliptic Curve Keys . . . . . . . . . . 21
     5.2.1.  "crv" (Curve) Parameter  . . . . . . . . . . . . . . . 21
     5.2.2.  "x" (X Coordinate) Parameter . . . . . . . . . . . . . 22
     5.2.3.  "y" (Y Coordinate) Parameter . . . . . . . . . . . . . 22
   5.3.   JWK Parameters for RSA Keys  . . . . . . . . . . . . . . . 22
     5.3.1.  "n" (Modulus) Parameter  [-06: "mod"]  . . . . . . . . 22
     5.3.2.  "e" (Exponent) Parameter  [-06: "xpo"] . . . . . . . . 22
   5.4.   Additional Key Algorithm Families and Parameters . . . . . 23
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 23
   6.1.   JSON Web Signature and Encryption Algorithms Registry  . . 24
     6.1.1.  Registration Template  . . . . . . . . . . . . . . . . 24
     6.1.2.  Initial Registry Contents  . . . . . . . . . . . . . . 25
   6.2.   JSON Web Key Algorithm Families Registry . . . . . . . . . 27
     6.2.1.  Registration Template  . . . . . . . . . . . . . . . . 28
     6.2.2.  Initial Registry Contents  . . . . . . . . . . . . . . 28
   6.3.   JSON Web Key Parameters Registration . . . . . . . . . . . 28
     6.3.1.  Registry Contents  . . . . . . . . . . . . . . . . . . 29
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 29
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
   8.1.   Normative References . . . . . . . . . . . . . . . . . . . 30
   8.2.   Informative References . . . . . . . . . . . . . . . . . . 32
   Appendix A.  Digital Signature/MAC Algorithm Identifier
                Cross-Reference . . . . . . . . . . . . . . . . . . 33
   Appendix B.  Encryption Algorithm Identifier Cross-Reference . . . 35
   Appendix C.  Acknowledgements  . . . . . . . . . . . . . . . . . . 37
   Appendix D.  Open Issues . . . . . . . . . . . . . . . . . . . . . 37
   Appendix E.  Document History  . . . . . . . . . . . . . . . . . . 37
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 41
1.  Introduction

   The JSON Web Algorithms (JWA) specification enumerates cryptographic
   algorithms and identifiers to be used with the JSON Web Signature
   (JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK)
   [JWK] specifications.  All these specifications utilize JavaScript
   Object Notation (JSON) [RFC4627] based data structures.  This
   specification also describes the semantics and operations that are
   specific to these algorithms and algorithm families.
   [rfcdiff: unchanged text skipped; diff resumes at page 6, line 41]
   Encoded JWE Encrypted Key  Base64url encoding of the JWE Encrypted
      Key.

   Encoded JWE Ciphertext  Base64url encoding of the JWE Ciphertext.

   Encoded JWE Integrity Value  Base64url encoding of the JWE Integrity
      Value.

   AEAD Algorithm  An Authenticated Encryption with Associated Data
      (AEAD) [RFC5116] encryption algorithm is one that provides an
      integrated content integrity check.  AEAD encryption algorithms
      accept two inputs, the plaintext and the "additional authenticated
      data" value, and produce two outputs, the ciphertext and the
      "authentication tag" value.  AES Galois/Counter Mode (GCM) is one
      such algorithm.  [The sentence describing the two inputs and two
      outputs is new in -07.]
2.3.  Terms Incorporated from the JWK Specification

   These terms defined by the JSON Web Key (JWK) [JWK] specification are
   incorporated into this specification:

   JSON Web Key (JWK)  A JSON data structure that represents a public
      key.

   JSON Web Key Set (JWK Set)  A JSON object that contains an array of
   [rfcdiff: unchanged text skipped; diff resumes at page 16, line 40]
   keydatalen  This is set to the number of bits in the desired output
      key.  For "ECDH-ES", this is the length of the key used by the
      "enc" algorithm.  For "ECDH-ES+A128KW" and "ECDH-ES+A256KW", this
      is 128 and 256, respectively.

   AlgorithmID  This is set to the concatenation of keydatalen
      represented as a 32 bit big endian integer and the bytes of the
      UTF-8 representation of the "alg" header parameter value.

   PartyUInfo  The PartyUInfo value is of the form Datalen || Data,
      where Data is a variable-length string of zero or more bytes, and
      Datalen is a fixed-length, big endian 32 bit counter that
      indicates the length (in bytes) of Data, with || being
      concatenation.  If an "apu" (agreement PartyUInfo) header
      parameter is present, Data is set to the result of base64url
      decoding the "apu" value and Datalen is set to the number of bytes
      in Data.  Otherwise, Datalen is set to 0 and Data is set to the
      empty byte string.
      [-06 read: If an "apu" (agreement PartyUInfo) header parameter is
      present, this is set to the result of base64url decoding the "apu"
      value; otherwise, it is set to the empty byte string.]

   PartyVInfo  The PartyVInfo value is of the form Datalen || Data,
      where Data is a variable-length string of zero or more bytes, and
      Datalen is a fixed-length, big endian 32 bit counter that
      indicates the length (in bytes) of Data, with || being
      concatenation.  If an "apv" (agreement PartyVInfo) header
      parameter is present, Data is set to the result of base64url
      decoding the "apv" value and Datalen is set to the number of bytes
      in Data.  Otherwise, Datalen is set to 0 and Data is set to the
      empty byte string.
      [-06 read: If an "apv" (agreement PartyVInfo) header parameter is
      present, this is set to the result of base64url decoding the "apv"
      value; otherwise, it is set to the empty byte string.]

   SuppPubInfo  This is set to the empty byte string.

   SuppPrivInfo  This is set to the empty byte string.

   For all three "alg" values, the digest function used is SHA-256.
4.8.  Composite Plaintext Encryption Algorithms "A128CBC+HS256" and
      "A256CBC+HS512"
   [rfcdiff: unchanged text skipped; diff resumes at page 17, line 47
   (-06) / page 18, line 14 (-07)]
   Z  This is set to the Content Master Key (CMK).

   keydatalen  This is set to the number of bits in the desired output
      key.

   AlgorithmID  This is set to the concatenation of keydatalen
      represented as a 32 bit big endian integer and the bytes of the
      UTF-8 representation of the "enc" header parameter value.

   PartyUInfo  The PartyUInfo value is of the form Datalen || Data,
      where Data is a variable-length string of zero or more bytes, and
      Datalen is a fixed-length, big endian 32 bit counter that
      indicates the length (in bytes) of Data, with || being
      concatenation.  If an "epu" (encryption PartyUInfo) header
      parameter is present, Data is set to the result of base64url
      decoding the "epu" value and Datalen is set to the number of bytes
      in Data.  Otherwise, Datalen is set to 0 and Data is set to the
      empty byte string.
      [-06 read: If an "epu" (encryption PartyUInfo) header parameter
      is present, this is set to the result of base64url decoding the
      "epu" value; otherwise, it is set to the empty byte string.]

   PartyVInfo  The PartyVInfo value is of the form Datalen || Data,
      where Data is a variable-length string of zero or more bytes, and
      Datalen is a fixed-length, big endian 32 bit counter that
      indicates the length (in bytes) of Data, with || being
      concatenation.  If an "epv" (encryption PartyVInfo) header
      parameter is present, Data is set to the result of base64url
      decoding the "epv" value and Datalen is set to the number of bytes
      in Data.  Otherwise, Datalen is set to 0 and Data is set to the
      empty byte string.
      [-06 read: If an "epv" (encryption PartyVInfo) header parameter
      is present, this is set to the result of base64url decoding the
      "epv" value; otherwise, it is set to the empty byte string.]

   SuppPubInfo  This is set to the bytes of one of the ASCII strings
      "Encryption" ([69, 110, 99, 114, 121, 112, 116, 105, 111, 110]) or
      "Integrity" ([73, 110, 116, 101, 103, 114, 105, 116, 121])
      respectively, depending upon whether the CEK or CIK is being
      generated.

   SuppPrivInfo  This is set to the empty byte string.

   To compute the CEK from the CMK, the ASCII label "Encryption" is used
   [rfcdiff: unchanged text skipped; diff resumes at page 19, line 4
   (-06) / page 19, line 29 (-07)]
4.8.3.  Integrity Calculation for "A128CBC+HS256" and "A256CBC+HS512"

   This section defines the specifics of computing the JWE Integrity
   Value for the "enc" algorithms "A128CBC+HS256" and "A256CBC+HS512".
   This value is computed as a MAC of the JWE parameters to be secured.

   The MAC input value is the bytes of the ASCII representation of the
   concatenation of the Encoded JWE Header, a period ('.') character,
   the Encoded JWE Encrypted Key, a second period character ('.'), the
   Encoded JWE Initialization Vector, a third period ('.') character,
   and the Encoded JWE Ciphertext.  (Equivalently, this input value is
   the concatenation of the "additional authenticated data" value, a
   byte containing an ASCII period character, and the bytes of the ASCII
   representation of the Encoded JWE Ciphertext.)  [The parenthetical
   sentence is new in -07.]

   The CIK is used as the MAC key.

   For "A128CBC+HS256", HMAC SHA-256 is used as the MAC algorithm.  For
   "A256CBC+HS512", HMAC SHA-512 is used as the MAC algorithm.

   The resulting MAC value is used as the JWE Integrity Value.
   (Equivalently, this value is the "authentication tag" output for the
   algorithm.)  [The parenthetical sentence is new in -07.]  The same
   integrity calculation is performed during decryption.  During
   decryption, the computed integrity value must match the received JWE
   Integrity Value.
4.9.  Plaintext Encryption with AES GCM

   This section defines the specifics of encrypting the JWE Plaintext
   with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
   [AES] [NIST.800-38D] using 128 or 256 bit keys.  The "enc" header
   parameter values "A128GCM" or "A256GCM" are used in this case.

   The CMK is used as the encryption key.

   Use of an initialization vector of size 96 bits is REQUIRED with this
   algorithm.

   The "additional authenticated data" parameter is used to secure the
   header and key values.  (The "additional authenticated data" value
   used is the bytes of the ASCII representation of the concatenation of
   the Encoded JWE Header, a period ('.') character, the Encoded JWE
   Encrypted Key, a second period character ('.'), and the Encoded JWE
   Initialization Vector, per Section 5 of the JWE specification.)  This
   same "additional authenticated data" value is used when decrypting as
   well.  [-06 gave the same construction without the parentheses and
   without the reference to Section 5 of [JWE].]

   The requested size of the "authentication tag" output MUST be 128
   bits, regardless of the key size.

   The JWE Integrity Value is set to be the "authentication tag" value
   produced by the encryption.  During decryption, the received JWE
   Integrity Value is used as the "authentication tag" value.  [-06
   opened this paragraph with "As GCM is an AEAD algorithm, ...".]

   Examples using this algorithm are shown in Appendices A.1 and A.3 of
   [JWE].
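   The following is an added worked example, not code from the draft or
   from any JOSE implementation.  It covers four of the passages above
   in one block: the Concat KDF OtherInfo of Section 4.7.1 with the -07
   length-prefixed PartyUInfo/PartyVInfo, the CEK/CIK derivation of
   Section 4.8.1, the integrity value of Section 4.8.3, and the
   "additional authenticated data" string that Section 4.9 hands to GCM.
   It uses only the Python standard library, so no AES is performed; the
   ciphertext and CMK are constructed placeholders.  Two things are not
   stated in the excerpt and are marked as assumptions: that the CEK
   length equals the AES key size and the CIK length equals the HMAC
   output size, and that the KDF digest for the composite algorithms is
   the hash named in the "enc" value.

```python
# Added example (not code from the JWA draft): Concat KDF OtherInfo with the
# -07 length-prefixed PartyUInfo/PartyVInfo (Sections 4.7.1 and 4.8.1),
# CEK/CIK derivation, and the Section 4.8.3 integrity value computed over the
# Section 4.9 AAD.  Stdlib only; no AES is performed.  ASSUMPTIONs are marked.
import base64
import hashlib
import hmac
import struct


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def length_prefixed(data: bytes) -> bytes:
    """-07 PartyUInfo/PartyVInfo: Datalen || Data, Datalen a 32-bit big-endian
    byte count.  An absent "apu"/"apv"/"epu"/"epv" gives Datalen 0, Data empty."""
    return struct.pack(">I", len(data)) + data


def other_info(keydatalen: int, alg_or_enc: str, party_u: bytes,
               party_v: bytes, supp_pub: bytes = b"") -> bytes:
    """AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo (SuppPrivInfo is
    empty in this draft).  AlgorithmID is keydatalen as a 32-bit big-endian
    integer followed by the UTF-8 bytes of the "alg" (ECDH-ES) or "enc" value."""
    algorithm_id = struct.pack(">I", keydatalen) + alg_or_enc.encode("utf-8")
    return (algorithm_id + length_prefixed(party_u)
            + length_prefixed(party_v) + supp_pub)


def other_info_06(keydatalen: int, alg_or_enc: str, party_u: bytes,
                  party_v: bytes, supp_pub: bytes = b"") -> bytes:
    """The -06 form for comparison: raw Data with no Datalen, so the boundary
    between PartyUInfo and PartyVInfo is not recoverable from the bytes."""
    return (struct.pack(">I", keydatalen) + alg_or_enc.encode("utf-8")
            + party_u + party_v + supp_pub)


def concat_kdf(z: bytes, keydatalen: int, other: bytes,
               digest=hashlib.sha256) -> bytes:
    """NIST SP 800-56A single-step KDF: H(1||Z||OtherInfo) || H(2||Z||OtherInfo)
    || ... truncated to keydatalen bits.  The draft fixes SHA-256 for ECDH-ES."""
    out, counter = b"", 1
    while len(out) * 8 < keydatalen:
        out += digest(struct.pack(">I", counter) + z + other).digest()
        counter += 1
    return out[:keydatalen // 8]


def ecdh_es_key(z: bytes, alg: str, enc_key_bits: int,
                apu: str = "", apv: str = "") -> bytes:
    """Section 4.7.1: keydatalen is the "enc" key size for "ECDH-ES" and
    128/256 for the +A128KW/+A256KW variants; apu/apv are base64url strings."""
    keydatalen = {"ECDH-ES+A128KW": 128, "ECDH-ES+A256KW": 256}.get(alg, enc_key_bits)
    party_u = b64url_decode(apu) if apu else b""
    party_v = b64url_decode(apv) if apv else b""
    return concat_kdf(z, keydatalen, other_info(keydatalen, alg, party_u, party_v))


# ASSUMPTION (not in the excerpt): CEK bits = AES key size, CIK bits = HMAC
# output size, and the KDF digest is the hash named in the "enc" value.
COMPOSITE = {"A128CBC+HS256": (128, 256, hashlib.sha256),
             "A256CBC+HS512": (256, 512, hashlib.sha512)}


def composite_keys(cmk: bytes, enc: str, epu: str = "", epv: str = "") -> tuple:
    """Section 4.8.1: (CEK, CIK) from the CMK.  SuppPubInfo is the ASCII label
    "Encryption" for the CEK and "Integrity" for the CIK."""
    cek_bits, cik_bits, digest = COMPOSITE[enc]
    party_u = b64url_decode(epu) if epu else b""
    party_v = b64url_decode(epv) if epv else b""
    cek = concat_kdf(cmk, cek_bits, other_info(cek_bits, enc, party_u, party_v, b"Encryption"), digest)
    cik = concat_kdf(cmk, cik_bits, other_info(cik_bits, enc, party_u, party_v, b"Integrity"), digest)
    return cek, cik


def aad(enc_header: str, enc_key: str, enc_iv: str) -> bytes:
    """JWE "additional authenticated data": ASCII of Encoded Header '.' Encoded
    Encrypted Key '.' Encoded IV.  Section 4.9 passes this to GCM unchanged."""
    return ".".join((enc_header, enc_key, enc_iv)).encode("ascii")


def integrity_value(cik: bytes, enc: str, enc_header: str, enc_key: str,
                    enc_iv: str, enc_ciphertext: str) -> bytes:
    """Section 4.8.3: HMAC keyed with the CIK over AAD '.' Encoded Ciphertext."""
    mac_input = aad(enc_header, enc_key, enc_iv) + b"." + enc_ciphertext.encode("ascii")
    return hmac.new(cik, mac_input, COMPOSITE[enc][2]).digest()


def integrity_ok(cik: bytes, enc: str, enc_header: str, enc_key: str,
                 enc_iv: str, enc_ciphertext: str, received: bytes) -> bool:
    """Decrypt side: recompute and compare in constant time.  CBC decryption
    must not start, and no plaintext may be released, when this is False."""
    expected = integrity_value(cik, enc, enc_header, enc_key, enc_iv, enc_ciphertext)
    return hmac.compare_digest(expected, received)


# Constructed sample inputs (not real keys or a real JWE): a fixed 256-bit CMK,
# a dummy protected header, an all-zero IV and 32 placeholder ciphertext bytes.
SAMPLE_CMK = bytes(range(32))
SAMPLE_HEADER = b64url_encode(b'{"alg":"RSA1_5","enc":"A128CBC+HS256"}')
SAMPLE_IV = b64url_encode(b"\x00" * 16)
SAMPLE_CIPHERTEXT = b64url_encode(b"\x11" * 32)
```

   Why the -07 Datalen prefix matters: with the -06 byte layout,
   other_info_06(128, "ECDH-ES", b"ab", b"c") and
   other_info_06(128, "ECDH-ES", b"a", b"bc") are the same byte string,
   so two different (apu, apv) pairs derive the same key; with the
   prefix the two OtherInfo values differ.  On the decrypt side the
   integrity comparison is done with hmac.compare_digest rather than ==
   so that the comparison time does not depend on how many leading bytes
   of the forged tag were right.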
4.10.  Additional Encryption Algorithms and Parameters

   Additional algorithms MAY be used to protect JWEs with corresponding
   "alg" (algorithm) and "enc" (encryption method) header parameter
   values being defined to refer to them.  New "alg" and "enc" header
   parameter values SHOULD either be registered in the IANA JSON Web
   [rfcdiff: unchanged text skipped; diff resumes at page 22, line 11
   (-06) / page 22, line 36 (-07)]
   bytes contained in the value.  For instance, when representing 521
   bit integers, the byte array to be base64url encoded MUST contain 66
   bytes, including any leading zero bytes.

5.3.  JWK Parameters for RSA Keys

   JWKs can represent RSA [RFC3447] keys.  In this case, the "alg"
   member value MUST be "RSA".  Furthermore, these additional members
   MUST be present:

5.3.1.  "n" (Modulus) Parameter  [-06: "mod"]

   The "n" (modulus) member contains the modulus value for the RSA
   public key.  It is represented as the base64url encoding of the
   value's unsigned big endian representation as a byte array.  The
   array representation MUST NOT be shortened to omit any leading zero
   bytes.  For instance, when representing 2048 bit integers, the byte
   array to be base64url encoded MUST contain 256 bytes, including any
   leading zero bytes.

5.3.2.  "e" (Exponent) Parameter  [-06: "xpo"]

   The "e" (exponent) member contains the exponent value for the RSA
   public key.  It is represented as the base64url encoding of the
   value's unsigned big endian representation as a byte array.  The
   array representation MUST utilize the minimum number of bytes to
   represent the value.  For instance, when representing the value
   65537, the byte array to be base64url encoded MUST consist of the
   three bytes [1, 0, 1].
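   The following is an added example, not code from the draft or from
   any JWK library, showing the two integer encodings the JWK sections
   above require: fixed-width (leading zero bytes kept) for "n" and for
   the EC "x"/"y" coordinates, and minimal-width for "e".  It also
   includes a strict consumer that rejects the -06 names "mod"/"xpo", a
   modulus of unexpected length and a non-minimal exponent.  The sample
   modulus and coordinate are constructed integers, not a real key pair;
   the "alg" family names "RSA" and "EC" and the curve names follow the
   draft, and the 2048-bit size the consumer expects is the caller's
   policy, not something the draft mandates.

```python
# Added example (not code from the JWA draft): JWK integer encodings for RSA
# "n"/"e" (Section 5.3) and EC "x"/"y" (Section 5.2), plus a strict parser.
import base64


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_fixed_bytes(value: int, bit_length: int) -> bytes:
    """Fixed-width unsigned big-endian encoding with leading zero bytes kept:
    256 bytes for a 2048-bit "n", 66 bytes for a P-521 "x" or "y"."""
    width = (bit_length + 7) // 8
    if value < 0 or value.bit_length() > bit_length:
        raise ValueError("value does not fit in %d bits" % bit_length)
    return value.to_bytes(width, "big")


def int_to_min_bytes(value: int) -> bytes:
    """Minimal-width unsigned big-endian encoding for "e": 65537 -> [1, 0, 1]."""
    if value <= 0:
        raise ValueError("exponent must be positive")
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_public_jwk(n: int, e: int, modulus_bits: int) -> dict:
    """-07 member names "n" and "e" (-06 used "mod" and "xpo"); in this draft
    the key family is carried in the "alg" member."""
    return {"alg": "RSA",
            "n": b64url_encode(int_to_fixed_bytes(n, modulus_bits)),
            "e": b64url_encode(int_to_min_bytes(e))}


def ec_public_jwk(crv: str, x: int, y: int) -> dict:
    """EC JWK: both coordinates padded to the curve's field size."""
    coord_bits = {"P-256": 256, "P-384": 384, "P-521": 521}[crv]
    return {"alg": "EC", "crv": crv,
            "x": b64url_encode(int_to_fixed_bytes(x, coord_bits)),
            "y": b64url_encode(int_to_fixed_bytes(y, coord_bits))}


def parse_rsa_public_jwk(jwk: dict, expected_modulus_bits: int) -> tuple:
    """Strict consumer: -07 names only, full-width modulus of the size the
    caller expects, minimally encoded exponent.  Anything else is rejected
    rather than silently accepted with a different key size or encoding."""
    if jwk.get("alg") != "RSA":
        raise ValueError('not an RSA JWK ("alg" must be "RSA")')
    for old, new in (("mod", "n"), ("xpo", "e")):
        if old in jwk:
            raise ValueError('-06 member "%s" present; -07 uses "%s"' % (old, new))
    n_bytes = b64url_decode(jwk["n"])
    e_bytes = b64url_decode(jwk["e"])
    want = (expected_modulus_bits + 7) // 8
    if len(n_bytes) != want:
        raise ValueError("modulus is %d bytes, expected %d" % (len(n_bytes), want))
    if not e_bytes or e_bytes[0] == 0:
        raise ValueError('"e" must use the minimum number of bytes')
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# Constructed sample values (not a real key pair): a 2048-bit odd integer as
# the modulus, the usual public exponent, and a small P-521 coordinate that
# needs 64 leading zero bytes to fill its 66-byte field.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_E = 65537
SAMPLE_X = 0x1234
```

   rsa_public_jwk(SAMPLE_N, SAMPLE_E, 2048)["e"] is "AQAB", the
   base64url of the three bytes [1, 0, 1]; a producer that emitted
   [0, 1, 0, 1] would violate Section 5.3.2 and is refused by the parser.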
5.4.  Additional Key Algorithm Families and Parameters

   Public keys using additional algorithm families MAY be represented
   [rfcdiff: unchanged text skipped; diff resumes at page 28, line 42
   (-06) / page 29, line 19 (-07)]
   o  Specification Document(s): Section 5.2.1 of [[ this document ]]

   o  Parameter Name: "x"
   o  Change Controller: IETF
   o  Specification Document(s): Section 5.2.2 of [[ this document ]]

   o  Parameter Name: "y"
   o  Change Controller: IETF
   o  Specification Document(s): Section 5.2.3 of [[ this document ]]

   o  Parameter Name: "n"  [-06: "mod"]
   o  Change Controller: IETF
   o  Specification Document(s): Section 5.3.1 of [[ this document ]]

   o  Parameter Name: "e"  [-06: "xpo"]
   o  Change Controller: IETF
   o  Specification Document(s): Section 5.3.2 of [[ this document ]]

7.  Security Considerations

   All of the security issues faced by any cryptographic application
   must be faced by a JWS/JWE/JWK agent.  Among these issues are
   protecting the user's private key, preventing various attacks, and
   helping the user avoid mistakes such as inadvertently encrypting a
   message for the wrong recipient.  The entire list of security
   [rfcdiff: unchanged text skipped; diff resumes at page 30, line 19
   (-06) / page 30, line 43 (-07)]
8.1.  Normative References

   [AES]      National Institute of Standards and Technology (NIST),
              "Advanced Encryption Standard (AES)", FIPS PUB 197,
              November 2001.

   [DSS]      National Institute of Standards and Technology, "Digital
              Signature Standard (DSS)", FIPS PUB 186-3, June 2009.

   [JWE]      Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
              Encryption (JWE)", November 2012.  [-06: October 2012.]

   [JWK]      Jones, M., "JSON Web Key (JWK)", November 2012.  [-06:
              October 2012.]

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", November 2012.  [-06: October 2012.]

   [NIST.800-38A]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation",
              NIST PUB 800-38A, December 2001.

   [NIST.800-38D]
              National Institute of Standards and Technology (NIST),
              "Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
   [rfcdiff: unchanged text skipped; diff resumes at page 32, line 19
   (-06) / page 32, line 43 (-07)]
   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              July 2005.

   [W3C.CR-xmldsig-core2-20120124]
              Reagle, J., Solo, D., Datta, P., Hirsch, F., Eastlake, D.,
              Cantor, S., Roessler, T., and K. Yiu, "XML Signature
              Syntax and Processing Version 2.0", World Wide Web
              Consortium CR CR-xmldsig-core2-20120124, January 2012,
              <http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>.
              [-06 listed the same authors in a different order:
              Roessler, Yiu, Solo, Reagle, Datta, Eastlake, Hirsch,
              Cantor.]

   [W3C.CR-xmlenc-core1-20120313]
              Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch,
              "XML Encryption Syntax and Processing Version 1.1", World
              Wide Web Consortium CR CR-xmlenc-core1-20120313,
              March 2012,
              <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>.
              [-06 author order: Eastlake, Reagle, Hirsch, Roessler.]

   [W3C.REC-xmlenc-core-20021210]
              Eastlake, D. and J. Reagle, "XML Encryption Syntax and
              Processing", World Wide Web Consortium Recommendation REC-
              xmlenc-core-20021210, December 2002,
              <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210>.
   [rfcdiff: unchanged text skipped; diff resumes at page 37, line 18
   (-06) / page 37, line 37 (-07)]
   [[ to be removed by the RFC editor before publication as an RFC ]]

   The following items remain to be considered or done in this draft:

   o  No known open issues.

Appendix E.  Document History

   [[ to be removed by the RFC editor before publication as an RFC ]]

   -07  [this entry is new in -07]

   o  Added a data length prefix to PartyUInfo and PartyVInfo values.

   o  Changed the name of the JWK RSA modulus parameter from "mod" to
      "n" and the name of the JWK RSA exponent parameter from "xpo" to
      "e", so that the identifiers are the same as those used in RFC
      3447.

   o  Made several local editorial changes to clean up loose ends left
      over from the decision to only support block encryption methods
      providing integrity.

   -06

   o  Removed the "int" and "kdf" parameters and defined the new
      composite AEAD algorithms "A128CBC+HS256" and "A256CBC+HS512" to
      replace the former uses of AES CBC, which required the use of
      separate integrity and key derivation functions.

   o  Included additional values in the Concat KDF calculation -- the
      desired output size and the algorithm value, and optionally
      PartyUInfo and PartyVInfo values.  Added the optional header
   End of changes.  35 change blocks.  63 lines changed or deleted, 107
   lines changed or added.

   This html diff was produced by rfcdiff 1.41.  The latest version is
   available from http://tools.ietf.org/tools/rfcdiff/