draft-ietf-jose-json-web-algorithms-25.txt   draft-ietf-jose-json-web-algorithms-26.txt 
JOSE Working Group M. Jones JOSE Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track March 31, 2014 Intended status: Standards Track April 30, 2014
Expires: October 2, 2014 Expires: November 1, 2014
JSON Web Algorithms (JWA) JSON Web Algorithms (JWA)
draft-ietf-jose-json-web-algorithms-25 draft-ietf-jose-json-web-algorithms-26
Abstract Abstract
The JSON Web Algorithms (JWA) specification registers cryptographic The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature algorithms and identifiers to be used with the JSON Web Signature
(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
specifications. It defines several IANA registries for these specifications. It defines several IANA registries for these
identifiers. identifiers.
Status of this Memo Status of this Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 2, 2014. This Internet-Draft will expire on November 1, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
3.1. "alg" (Algorithm) Header Parameter Values for JWS . . . . 6 3.1. "alg" (Algorithm) Header Parameter Values for JWS . . . . 6
3.2. HMAC with SHA-2 Functions . . . . . . . . . . . . . . . . 7 3.2. HMAC with SHA-2 Functions . . . . . . . . . . . . . . . . 7
3.3. Digital Signature with RSASSA-PKCS1-V1_5 . . . . . . . . . 8 3.3. Digital Signature with RSASSA-PKCS1-V1_5 . . . . . . . . . 8
3.4. Digital Signature with ECDSA . . . . . . . . . . . . . . . 9 3.4. Digital Signature with ECDSA . . . . . . . . . . . . . . . 9
3.5. Digital Signature with RSASSA-PSS . . . . . . . . . . . . 10 3.5. Digital Signature with RSASSA-PSS . . . . . . . . . . . . 10
3.6. Using the Algorithm "none" . . . . . . . . . . . . . . . . 11 3.6. Using the Algorithm "none" . . . . . . . . . . . . . . . . 11
4. Cryptographic Algorithms for Key Management . . . . . . . . . 12 4. Cryptographic Algorithms for Key Management . . . . . . . . . 12
4.1. "alg" (Algorithm) Header Parameter Values for JWE . . . . 12 4.1. "alg" (Algorithm) Header Parameter Values for JWE . . . . 12
4.2. Key Encryption with RSAES-PKCS1-V1_5 . . . . . . . . . . . 14 4.2. Key Encryption with RSAES-PKCS1-V1_5 . . . . . . . . . . . 14
4.3. Key Encryption with RSAES OAEP . . . . . . . . . . . . . . 14 4.3. Key Encryption with RSAES OAEP . . . . . . . . . . . . . . 14
4.4. Key Wrapping with AES Key Wrap . . . . . . . . . . . . . . 14 4.4. Key Wrapping with AES Key Wrap . . . . . . . . . . . . . . 15
4.5. Direct Encryption with a Shared Symmetric Key . . . . . . 15 4.5. Direct Encryption with a Shared Symmetric Key . . . . . . 15
4.6. Key Agreement with Elliptic Curve Diffie-Hellman 4.6. Key Agreement with Elliptic Curve Diffie-Hellman
Ephemeral Static (ECDH-ES) . . . . . . . . . . . . . . . . 15 Ephemeral Static (ECDH-ES) . . . . . . . . . . . . . . . . 15
4.6.1. Header Parameters Used for ECDH Key Agreement . . . . 16 4.6.1. Header Parameters Used for ECDH Key Agreement . . . . 16
4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter . . 16 4.6.1.1. "epk" (Ephemeral Public Key) Header Parameter . . 16
4.6.1.2. "apu" (Agreement PartyUInfo) Header Parameter . . 16 4.6.1.2. "apu" (Agreement PartyUInfo) Header Parameter . . 17
4.6.1.3. "apv" (Agreement PartyVInfo) Header Parameter . . 16 4.6.1.3. "apv" (Agreement PartyVInfo) Header Parameter . . 17
4.6.2. Key Derivation for ECDH Key Agreement . . . . . . . . 17 4.6.2. Key Derivation for ECDH Key Agreement . . . . . . . . 17
4.7. Key Encryption with AES GCM . . . . . . . . . . . . . . . 18 4.7. Key Encryption with AES GCM . . . . . . . . . . . . . . . 19
4.7.1. Header Parameters Used for AES GCM Key Encryption . . 19 4.7.1. Header Parameters Used for AES GCM Key Encryption . . 19
4.7.1.1. "iv" (Initialization Vector) Header Parameter . . 19 4.7.1.1. "iv" (Initialization Vector) Header Parameter . . 19
4.7.1.2. "tag" (Authentication Tag) Header Parameter . . . 19 4.7.1.2. "tag" (Authentication Tag) Header Parameter . . . 20
4.8. Key Encryption with PBES2 . . . . . . . . . . . . . . . . 19 4.8. Key Encryption with PBES2 . . . . . . . . . . . . . . . . 20
4.8.1. Header Parameters Used for PBES2 Key Encryption . . . 20 4.8.1. Header Parameters Used for PBES2 Key Encryption . . . 21
4.8.1.1. "p2s" (PBES2 salt input) Parameter . . . . . . . . 20 4.8.1.1. "p2s" (PBES2 salt input) Parameter . . . . . . . . 21
4.8.1.2. "p2c" (PBES2 count) Parameter . . . . . . . . . . 20 4.8.1.2. "p2c" (PBES2 count) Parameter . . . . . . . . . . 21
5. Cryptographic Algorithms for Content Encryption . . . . . . . 21 5. Cryptographic Algorithms for Content Encryption . . . . . . . 21
5.1. "enc" (Encryption Algorithm) Header Parameter Values 5.1. "enc" (Encryption Algorithm) Header Parameter Values
for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21 for JWE . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.2. AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22 5.2. AES_CBC_HMAC_SHA2 Algorithms . . . . . . . . . . . . . . . 22
5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 22 5.2.1. Conventions Used in Defining AES_CBC_HMAC_SHA2 . . . . 23
5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 22 5.2.2. Generic AES_CBC_HMAC_SHA2 Algorithm . . . . . . . . . 23
5.2.2.1. AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 23 5.2.2.1. AES_CBC_HMAC_SHA2 Encryption . . . . . . . . . . . 23
5.2.2.2. AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 24 5.2.2.2. AES_CBC_HMAC_SHA2 Decryption . . . . . . . . . . . 25
5.2.3. AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25 5.2.3. AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . 25
5.2.4. AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 25 5.2.4. AES_192_CBC_HMAC_SHA_384 . . . . . . . . . . . . . . . 26
5.2.5. AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 26 5.2.5. AES_256_CBC_HMAC_SHA_512 . . . . . . . . . . . . . . . 26
5.2.6. Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 26 5.2.6. Content Encryption with AES_CBC_HMAC_SHA2 . . . . . . 27
5.3. Content Encryption with AES GCM . . . . . . . . . . . . . 26 5.3. Content Encryption with AES GCM . . . . . . . . . . . . . 27
6. Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 27 6. Cryptographic Algorithms for Keys . . . . . . . . . . . . . . 28
6.1. "kty" (Key Type) Parameter Values . . . . . . . . . . . . 27 6.1. "kty" (Key Type) Parameter Values . . . . . . . . . . . . 28
6.2. Parameters for Elliptic Curve Keys . . . . . . . . . . . . 28 6.2. Parameters for Elliptic Curve Keys . . . . . . . . . . . . 28
6.2.1. Parameters for Elliptic Curve Public Keys . . . . . . 28 6.2.1. Parameters for Elliptic Curve Public Keys . . . . . . 28
6.2.1.1. "crv" (Curve) Parameter . . . . . . . . . . . . . 28 6.2.1.1. "crv" (Curve) Parameter . . . . . . . . . . . . . 29
6.2.1.2. "x" (X Coordinate) Parameter . . . . . . . . . . . 28 6.2.1.2. "x" (X Coordinate) Parameter . . . . . . . . . . . 29
6.2.1.3. "y" (Y Coordinate) Parameter . . . . . . . . . . . 29 6.2.1.3. "y" (Y Coordinate) Parameter . . . . . . . . . . . 29
6.2.2. Parameters for Elliptic Curve Private Keys . . . . . . 29 6.2.2. Parameters for Elliptic Curve Private Keys . . . . . . 29
6.2.2.1. "d" (ECC Private Key) Parameter . . . . . . . . . 29 6.2.2.1. "d" (ECC Private Key) Parameter . . . . . . . . . 30
6.3. Parameters for RSA Keys . . . . . . . . . . . . . . . . . 29 6.3. Parameters for RSA Keys . . . . . . . . . . . . . . . . . 30
6.3.1. Parameters for RSA Public Keys . . . . . . . . . . . . 29 6.3.1. Parameters for RSA Public Keys . . . . . . . . . . . . 30
6.3.1.1. "n" (Modulus) Parameter . . . . . . . . . . . . . 29 6.3.1.1. "n" (Modulus) Parameter . . . . . . . . . . . . . 30
6.3.1.2. "e" (Exponent) Parameter . . . . . . . . . . . . . 29 6.3.1.2. "e" (Exponent) Parameter . . . . . . . . . . . . . 30
6.3.2. Parameters for RSA Private Keys . . . . . . . . . . . 30 6.3.2. Parameters for RSA Private Keys . . . . . . . . . . . 30
6.3.2.1. "d" (Private Exponent) Parameter . . . . . . . . . 30 6.3.2.1. "d" (Private Exponent) Parameter . . . . . . . . . 31
6.3.2.2. "p" (First Prime Factor) Parameter . . . . . . . . 30 6.3.2.2. "p" (First Prime Factor) Parameter . . . . . . . . 31
6.3.2.3. "q" (Second Prime Factor) Parameter . . . . . . . 30 6.3.2.3. "q" (Second Prime Factor) Parameter . . . . . . . 31
6.3.2.4. "dp" (First Factor CRT Exponent) Parameter . . . . 30 6.3.2.4. "dp" (First Factor CRT Exponent) Parameter . . . . 31
6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter . . . 31 6.3.2.5. "dq" (Second Factor CRT Exponent) Parameter . . . 31
6.3.2.6. "qi" (First CRT Coefficient) Parameter . . . . . . 31 6.3.2.6. "qi" (First CRT Coefficient) Parameter . . . . . . 31
6.3.2.7. "oth" (Other Primes Info) Parameter . . . . . . . 31 6.3.2.7. "oth" (Other Primes Info) Parameter . . . . . . . 32
6.4. Parameters for Symmetric Keys . . . . . . . . . . . . . . 32 6.4. Parameters for Symmetric Keys . . . . . . . . . . . . . . 32
6.4.1. "k" (Key Value) Parameter . . . . . . . . . . . . . . 32 6.4.1. "k" (Key Value) Parameter . . . . . . . . . . . . . . 33
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
7.1. JSON Web Signature and Encryption Algorithms Registry . . 33 7.1. JSON Web Signature and Encryption Algorithms Registry . . 34
7.1.1. Registration Template . . . . . . . . . . . . . . . . 33 7.1.1. Registration Template . . . . . . . . . . . . . . . . 34
7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 34 7.1.2. Initial Registry Contents . . . . . . . . . . . . . . 35
7.2. JWE Header Parameter Names Registration . . . . . . . . . 40 7.2. JWE Header Parameter Names Registration . . . . . . . . . 41
7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 40 7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 41
7.3. JSON Web Encryption Compression Algorithms Registry . . . 41 7.3. JSON Web Encryption Compression Algorithms Registry . . . 42
7.3.1. Registration Template . . . . . . . . . . . . . . . . 41 7.3.1. Registration Template . . . . . . . . . . . . . . . . 42
7.3.2. Initial Registry Contents . . . . . . . . . . . . . . 42 7.3.2. Initial Registry Contents . . . . . . . . . . . . . . 43
7.4. JSON Web Key Types Registry . . . . . . . . . . . . . . . 42 7.4. JSON Web Key Types Registry . . . . . . . . . . . . . . . 43
7.4.1. Registration Template . . . . . . . . . . . . . . . . 42 7.4.1. Registration Template . . . . . . . . . . . . . . . . 43
7.4.2. Initial Registry Contents . . . . . . . . . . . . . . 43 7.4.2. Initial Registry Contents . . . . . . . . . . . . . . 44
7.5. JSON Web Key Parameters Registration . . . . . . . . . . . 44 7.5. JSON Web Key Parameters Registration . . . . . . . . . . . 44
7.5.1. Registry Contents . . . . . . . . . . . . . . . . . . 44 7.5.1. Registry Contents . . . . . . . . . . . . . . . . . . 44
7.6. JSON Web Key Elliptic Curve Registry . . . . . . . . . . . 46 7.6. JSON Web Key Elliptic Curve Registry . . . . . . . . . . . 47
7.6.1. Registration Template . . . . . . . . . . . . . . . . 46 7.6.1. Registration Template . . . . . . . . . . . . . . . . 47
7.6.2. Initial Registry Contents . . . . . . . . . . . . . . 47 7.6.2. Initial Registry Contents . . . . . . . . . . . . . . 48
8. Security Considerations . . . . . . . . . . . . . . . . . . . 47 8. Security Considerations . . . . . . . . . . . . . . . . . . . 48
8.1. Algorithms and Key Sizes will be Deprecated . . . . . . . 48 8.1. Algorithms and Key Sizes will be Deprecated . . . . . . . 49
8.2. Key Lifetimes . . . . . . . . . . . . . . . . . . . . . . 48 8.2. Key Lifetimes . . . . . . . . . . . . . . . . . . . . . . 49
8.3. RSAES-PKCS1-v1_5 Security Considerations . . . . . . . . . 48 8.3. RSAES-PKCS1-v1_5 Security Considerations . . . . . . . . . 49
8.4. AES GCM Security Considerations . . . . . . . . . . . . . 48 8.4. AES GCM Security Considerations . . . . . . . . . . . . . 49
8.5. Plaintext JWS Security Considerations . . . . . . . . . . 49 8.5. Plaintext JWS Security Considerations . . . . . . . . . . 50
8.6. Differences between Digital Signatures and MACs . . . . . 49 8.6. Differences between Digital Signatures and MACs . . . . . 50
8.7. Denial of Service Attacks . . . . . . . . . . . . . . . . 50 8.7. Denial of Service Attacks . . . . . . . . . . . . . . . . 51
8.8. Reusing Key Material when Encrypting Keys . . . . . . . . 50 8.8. Reusing Key Material when Encrypting Keys . . . . . . . . 51
8.9. Password Considerations . . . . . . . . . . . . . . . . . 50 8.9. Password Considerations . . . . . . . . . . . . . . . . . 51
9. Internationalization Considerations . . . . . . . . . . . . . 51 9. Internationalization Considerations . . . . . . . . . . . . . 52
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 51 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.1. Normative References . . . . . . . . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . . 52
10.2. Informative References . . . . . . . . . . . . . . . . . . 53 10.2. Informative References . . . . . . . . . . . . . . . . . . 54
Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 54 Appendix A. Algorithm Identifier Cross-Reference . . . . . . . . 55
A.1. Digital Signature/MAC Algorithm Identifier A.1. Digital Signature/MAC Algorithm Identifier
Cross-Reference . . . . . . . . . . . . . . . . . . . . . 55 Cross-Reference . . . . . . . . . . . . . . . . . . . . . 56
A.2. Key Management Algorithm Identifier Cross-Reference . . . 55 A.2. Key Management Algorithm Identifier Cross-Reference . . . 56
A.3. Content Encryption Algorithm Identifier Cross-Reference . 56 A.3. Content Encryption Algorithm Identifier Cross-Reference . 57
Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 57 Appendix B. Test Cases for AES_CBC_HMAC_SHA2 Algorithms . . . . . 58
B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 58 B.1. Test Cases for AES_128_CBC_HMAC_SHA_256 . . . . . . . . . 59
B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 59 B.2. Test Cases for AES_192_CBC_HMAC_SHA_384 . . . . . . . . . 60
B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 60 B.3. Test Cases for AES_256_CBC_HMAC_SHA_512 . . . . . . . . . 61
Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 61 Appendix C. Example ECDH-ES Key Agreement Computation . . . . . . 62
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 63 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 64
Appendix E. Document History . . . . . . . . . . . . . . . . . . 64 Appendix E. Document History . . . . . . . . . . . . . . . . . . 65
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 74
1. Introduction 1. Introduction
The JSON Web Algorithms (JWA) specification registers cryptographic The JSON Web Algorithms (JWA) specification registers cryptographic
algorithms and identifiers to be used with the JSON Web Signature algorithms and identifiers to be used with the JSON Web Signature
(JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK) (JWS) [JWS], JSON Web Encryption (JWE) [JWE], and JSON Web Key (JWK)
[JWK] specifications. It defines several IANA registries for these [JWK] specifications. It defines several IANA registries for these
identifiers. All these specifications utilize JavaScript Object identifiers. All these specifications utilize JavaScript Object
Notation (JSON) [RFC7159] based data structures. This specification Notation (JSON) [RFC7159] based data structures. This specification
also describes the semantics and operations that are specific to also describes the semantics and operations that are specific to
skipping to change at page 10, line 30 skipping to change at page 10, line 30
| ES512 | ECDSA using P-521 and SHA-512 | | ES512 | ECDSA using P-521 and SHA-512 |
+---------------------+-------------------------------+ +---------------------+-------------------------------+
The ECDSA P-256 SHA-256 digital signature for a JWS is validated as The ECDSA P-256 SHA-256 digital signature for a JWS is validated as
follows: follows:
1. The JWS Signature value MUST be a 64 octet sequence. If it is 1. The JWS Signature value MUST be a 64 octet sequence. If it is
not a 64 octet sequence, the validation has failed. not a 64 octet sequence, the validation has failed.
2. Split the 64 octet sequence into two 32 octet sequences. The 2. Split the 64 octet sequence into two 32 octet sequences. The
first array will be R and the second S (with both being in big first octet sequence represents R and the second S. The values R
endian octet order). and S are represented as octet sequences using the Integer-to-
OctetString Conversion defined in Section 2.3.7 of SEC1 [SEC1]
(in big endian octet order).
3. Submit the JWS Signing Input R, S and the public key (x, y) to 3. Submit the JWS Signing Input R, S and the public key (x, y) to
the ECDSA P-256 SHA-256 validator. the ECDSA P-256 SHA-256 validator.
Signing and validation with the ECDSA P-384 SHA-384 and ECDSA P-521 Signing and validation with the ECDSA P-384 SHA-384 and ECDSA P-521
SHA-512 algorithms is performed identically to the procedure for SHA-512 algorithms is performed identically to the procedure for
ECDSA P-256 SHA-256 -- just using the corresponding hash algorithms ECDSA P-256 SHA-256 -- just using the corresponding hash algorithms
with correspondingly larger result values. For ECDSA P-384 SHA-384, with correspondingly larger result values. For ECDSA P-384 SHA-384,
R and S will be 384 bits each, resulting in a 96 octet sequence. For R and S will be 384 bits each, resulting in a 96 octet sequence. For
ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a
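Review bot: Step 2 on the new side cites the Integer-to-OctetString Conversion of SEC1 Section 2.3.7 but does not state the output length passed to that conversion, so the fixed 32 octet width of R and S is only implied by the "two 32 octet sequences" split. Suggest saying explicitly that each value is converted to exactly 32 octets (with leading zero octets where needed), and adding the missing comma in step 3 ("the JWS Signing Input, R, S and the public key").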
skipping to change at page 12, line 24 skipping to change at page 12, line 25
These algorithms are used to encrypt the CEK, producing the JWE These algorithms are used to encrypt the CEK, producing the JWE
Encrypted Key, or to use key agreement to agree upon the CEK. Encrypted Key, or to use key agreement to agree upon the CEK.
+-------------------+-----------------+------------+----------------+ +-------------------+-----------------+------------+----------------+
| alg Parameter | Key Management | Additional | Implementation | | alg Parameter | Key Management | Additional | Implementation |
| Value | Algorithm | Header | Requirements | | Value | Algorithm | Header | Requirements |
| | | Parameters | | | | | Parameters | |
+-------------------+-----------------+------------+----------------+ +-------------------+-----------------+------------+----------------+
| RSA1_5 | RSAES-PKCS1-V1_ | (none) | Required | | RSA1_5 | RSAES-PKCS1-V1_ | (none) | Required |
| | 5 | | | | | 5 | | |
| RSA-OAEP | RSAES using | (none) | Optional | | RSA-OAEP | RSAES OAEP | (none) | Optional |
| | OAEP with | | | | | using default | | |
| | default | | |
| | parameters | | | | | parameters | | |
| RSA-OAEP-256 | RSAES OAEP | (none) | Optional |
| | using SHA-256 | | |
| | and MGF1 with | | |
| | SHA-256 | | |
| A128KW | AES Key Wrap | (none) | Recommended | | A128KW | AES Key Wrap | (none) | Recommended |
| | with default | | | | | with default | | |
| | initial value | | | | | initial value | | |
| | using 128 bit | | | | | using 128 bit | | |
| | key | | | | | key | | |
| A192KW | AES Key Wrap | (none) | Optional | | A192KW | AES Key Wrap | (none) | Optional |
| | with default | | | | | with default | | |
| | initial value | | | | | initial value | | |
| | using 192 bit | | | | | using 192 bit | | |
| | key | | | | | key | | |
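Review bot: The revised "RSA-OAEP" row reads "RSAES OAEP using default parameters" while the new "RSA-OAEP-256" row names its hash and mask generation function, so a reader of the table alone cannot tell that the defaults are SHA-1 and MGF1 with SHA-1. Suggest spelling them out in the "RSA-OAEP" row so the two rows can be compared directly.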
skipping to change at page 14, line 20 skipping to change at page 14, line 26
RSAES-PKCS1-V1_5 [RFC3447]. The "alg" Header Parameter value RSAES-PKCS1-V1_5 [RFC3447]. The "alg" Header Parameter value
"RSA1_5" is used for this algorithm. "RSA1_5" is used for this algorithm.
A key of size 2048 bits or larger MUST be used with this algorithm. A key of size 2048 bits or larger MUST be used with this algorithm.
An example using this algorithm is shown in Appendix A.2 of [JWE]. An example using this algorithm is shown in Appendix A.2 of [JWE].
4.3. Key Encryption with RSAES OAEP 4.3. Key Encryption with RSAES OAEP
This section defines the specifics of encrypting a JWE CEK with RSAES This section defines the specifics of encrypting a JWE CEK with RSAES
using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447], with using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447]. Two
the default parameters specified by RFC 3447 in Section A.2.1. sets of parameters for using OAEP are defined, which use different
(Those default parameters are using a hash function of SHA-1 and a hash functions. In the first case, the default parameters specified
mask generation function of MGF1 with SHA-1.) The "alg" Header by RFC 3447 in Section A.2.1 are used. (Those default parameters are
Parameter value "RSA-OAEP" is used for this algorithm. the SHA-1 hash function and the MGF1 with SHA-1 mask generation
function.) In the second case, the SHA-256 hash function and the
MGF1 with SHA-256 mask generation function are used.
A key of size 2048 bits or larger MUST be used with this algorithm. The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWE Encrypted Key is the result of encrypting the
CEK using the corresponding algorithm:
An example using this algorithm is shown in Appendix A.1 of [JWE]. +---------------------+---------------------------------------------+
| alg Parameter Value | Key Management Algorithm |
+---------------------+---------------------------------------------+
| RSA-OAEP | RSAES OAEP using default parameters |
| RSA-OAEP-256 | RSAES OAEP using SHA-256 and MGF1 with |
| | SHA-256 |
+---------------------+---------------------------------------------+
A key of size 2048 bits or larger MUST be used with these algorithms.
An example using RSAES OAEP with the default parameters is shown in
Appendix A.1 of [JWE].
4.4. Key Wrapping with AES Key Wrap 4.4. Key Wrapping with AES Key Wrap
This section defines the specifics of encrypting a JWE CEK with the This section defines the specifics of encrypting a JWE CEK with the
Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using
the default initial value specified in Section 2.2.3.1. the default initial value specified in Section 2.2.3.1.
The following "alg" (algorithm) Header Parameter values are used to The following "alg" (algorithm) Header Parameter values are used to
indicate that the JWE Encrypted Key is the result of encrypting the indicate that the JWE Encrypted Key is the result of encrypting the
CEK using the corresponding algorithm and key size: CEK using the corresponding algorithm and key size:
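Review bot: The closing sentence of the new Section 4.3 points to an example only for RSAES OAEP with the default parameters (Appendix A.1 of [JWE]); "RSA-OAEP-256" is introduced with no example or test vector referenced. Suggest adding one, or stating that none is provided. The text also gives no guidance on choosing between the SHA-1 based default set and the SHA-256 set.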
skipping to change at page 18, line 22 skipping to change at page 18, line 43
Applications need to specify how the "apu" and "apv" parameters are Applications need to specify how the "apu" and "apv" parameters are
used for that application. The "apu" and "apv" values MUST be used for that application. The "apu" and "apv" values MUST be
distinct, when used. Applications wishing to conform to distinct, when used. Applications wishing to conform to
[NIST.800-56A] need to provide values that meet the requirements of [NIST.800-56A] need to provide values that meet the requirements of
that document, e.g., by using values that identify the sender and that document, e.g., by using values that identify the sender and
recipient. Alternatively, applications MAY conduct key derivation in recipient. Alternatively, applications MAY conduct key derivation in
a manner similar to The Diffie-Hellman Key Agreement Method a manner similar to The Diffie-Hellman Key Agreement Method
[RFC2631]: In that case, the "apu" field MAY either be omitted or [RFC2631]: In that case, the "apu" field MAY either be omitted or
represent a random 512-bit value (analogous to PartyAInfo in represent a random 512-bit value (analogous to PartyAInfo in
Ephemeral-Static mode in [RFC2631]) and the "apv" field SHOULD NOT be Ephemeral-Static mode in RFC 2631) and the "apv" field SHOULD NOT be
present. present.
See Appendix C for an example key agreement computation using this See Appendix C for an example key agreement computation using this
method. method.
4.7. Key Encryption with AES GCM 4.7. Key Encryption with AES GCM
This section defines the specifics of encrypting a JWE Content This section defines the specifics of encrypting a JWE Content
Encryption Key (CEK) with Advanced Encryption Standard (AES) in Encryption Key (CEK) with Advanced Encryption Standard (AES) in
Galois/Counter Mode (GCM) [AES] [NIST.800-38D]. Galois/Counter Mode (GCM) [AES] [NIST.800-38D].
skipping to change at page 37, line 11 skipping to change at page 37, line 39
o Specification Document(s): Section 3.1 of [[ this document ]] o Specification Document(s): Section 3.1 of [[ this document ]]
o Algorithm Name: "RSA1_5" o Algorithm Name: "RSA1_5"
o Algorithm Description: RSAES-PKCS1-V1_5 o Algorithm Description: RSAES-PKCS1-V1_5
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o JOSE Implementation Requirements: Required o JOSE Implementation Requirements: Required
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "RSA-OAEP" o Algorithm Name: "RSA-OAEP"
o Algorithm Description: RSAES using OAEP with default parameters o Algorithm Description: RSAES OAEP using default parameters
o Algorithm Usage Location(s): "alg"
o JOSE Implementation Requirements: Optional
o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "RSA-OAEP-256"
o Algorithm Description: RSAES OAEP using SHA-256 and MGF1 with SHA-
256
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o JOSE Implementation Requirements: Optional o JOSE Implementation Requirements: Optional
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of [[ this document ]] o Specification Document(s): Section 4.1 of [[ this document ]]
o Algorithm Name: "A128KW" o Algorithm Name: "A128KW"
o Algorithm Description: AES Key Wrap using 128 bit key o Algorithm Description: AES Key Wrap using 128 bit key
o Algorithm Usage Location(s): "alg" o Algorithm Usage Location(s): "alg"
o JOSE Implementation Requirements: Recommended o JOSE Implementation Requirements: Recommended
o Change Controller: IESG o Change Controller: IESG
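Review bot: In the new "RSA-OAEP-256" registration, the Algorithm Description breaks across lines at "SHA-" / "256", which invites a stray space or a lost hyphen when the value is copied into the registry. Suggest rewrapping so that "SHA-256" stays on one line, as it does in the Section 4.3 table.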
skipping to change at page 51, line 41 skipping to change at page 52, line 34
[AES] National Institute of Standards and Technology (NIST), [AES] National Institute of Standards and Technology (NIST),
"Advanced Encryption Standard (AES)", FIPS PUB 197, "Advanced Encryption Standard (AES)", FIPS PUB 197,
November 2001. November 2001.
[DSS] National Institute of Standards and Technology, "Digital [DSS] National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", FIPS PUB 186-4, July 2013. Signature Standard (DSS)", FIPS PUB 186-4, July 2013.
[JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
draft-ietf-jose-json-web-encryption (work in progress), draft-ietf-jose-json-web-encryption (work in progress),
March 2014. April 2014.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
March 2014. April 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), March 2014. in progress), April 2014.
[NIST.800-38A] [NIST.800-38A]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Recommendation for Block Cipher Modes of Operation", "Recommendation for Block Cipher Modes of Operation",
NIST PUB 800-38A, December 2001. NIST PUB 800-38A, December 2001.
[NIST.800-38D] [NIST.800-38D]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Recommendation for Block Cipher Modes of Operation: "Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D, Galois/Counter Mode (GCM) and GMAC", NIST PUB 800-38D,
skipping to change at page 53, line 17 skipping to change at page 54, line 13
Interchange", ANSI X3.4, 1986. Interchange", ANSI X3.4, 1986.
10.2. Informative References 10.2. Informative References
[CanvasApp] [CanvasApp]
Facebook, "Canvas Applications", 2010. Facebook, "Canvas Applications", 2010.
[I-D.ietf-precis-saslprepbis] [I-D.ietf-precis-saslprepbis]
Saint-Andre, P. and A. Melnikov, "Preparation and Saint-Andre, P. and A. Melnikov, "Preparation and
Comparison of Internationalized Strings Representing Comparison of Internationalized Strings Representing
Usernames and Passwords", draft-ietf-precis-saslprepbis-06 Usernames and Passwords", draft-ietf-precis-saslprepbis-07
(work in progress), December 2013. (work in progress), March 2014.
[I-D.mcgrew-aead-aes-cbc-hmac-sha2] [I-D.mcgrew-aead-aes-cbc-hmac-sha2]
McGrew, D., Foley, J., and K. Paterson, "Authenticated McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA", Encryption with AES-CBC and HMAC-SHA",
draft-mcgrew-aead-aes-cbc-hmac-sha2-04 (work in progress), draft-mcgrew-aead-aes-cbc-hmac-sha2-04 (work in progress),
February 2014. February 2014.
[I-D.miller-jose-jwe-protected-jwk] [I-D.miller-jose-jwe-protected-jwk]
Miller, M., "Using JavaScript Object Notation (JSON) Web Miller, M., "Using JavaScript Object Notation (JSON) Web
Encryption (JWE) for Protecting JSON Web Key (JWK) Encryption (JWE) for Protecting JSON Web Key (JWK)
skipping to change at page 54, line 26 skipping to change at page 55, line 23
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005. Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008. Encryption", RFC 5116, January 2008.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[W3C.CR-xmldsig-core2-20120124] [W3C.NOTE-xmldsig-core2-20130411]
Cantor, S., Roessler, T., Eastlake, D., Yiu, K., Reagle, Eastlake, D., Reagle, J., Solo, D., Hirsch, F., Roessler,
J., Solo, D., Datta, P., and F. Hirsch, "XML Signature T., Yiu, K., Datta, P., and S. Cantor, "XML Signature
Syntax and Processing Version 2.0", World Wide Web Syntax and Processing Version 2.0", World Wide Web
Consortium CR CR-xmldsig-core2-20120124, January 2012, Consortium Note NOTE-xmldsig-core2-20130411, April 2013,
<http://www.w3.org/TR/2012/CR-xmldsig-core2-20120124>. <http://www.w3.org/TR/2013/NOTE-xmldsig-core2-20130411/>.
[W3C.CR-xmlenc-core1-20120313]
Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch,
"XML Encryption Syntax and Processing Version 1.1", World
Wide Web Consortium CR CR-xmlenc-core1-20120313,
March 2012,
<http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>.
[W3C.REC-xmlenc-core-20021210] [W3C.REC-xmlenc-core-20021210]
Eastlake, D. and J. Reagle, "XML Encryption Syntax and Eastlake, D. and J. Reagle, "XML Encryption Syntax and
Processing", World Wide Web Consortium Recommendation REC- Processing", World Wide Web Consortium Recommendation REC-
xmlenc-core-20021210, December 2002, xmlenc-core-20021210, December 2002,
<http://www.w3.org/TR/2002/REC-xmlenc-core-20021210>. <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210>.
[W3C.REC-xmlenc-core1-20130411]
Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
"XML Encryption Syntax and Processing Version 1.1", World
Wide Web Consortium Recommendation REC-xmlenc-core1-
20130411, April 2013,
<http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/>.
Appendix A. Algorithm Identifier Cross-Reference Appendix A. Algorithm Identifier Cross-Reference
This appendix contains tables cross-referencing the cryptographic This appendix contains tables cross-referencing the cryptographic
algorithm identifier values defined in this specification with the algorithm identifier values defined in this specification with the
equivalent identifiers used by other standards and software packages. equivalent identifiers used by other standards and software packages.
See XML DSIG [RFC3275], XML DSIG 2.0 [W3C.CR-xmldsig-core2-20120124], See XML DSIG [RFC3275], XML DSIG 2.0
XML Encryption [W3C.REC-xmlenc-core-20021210], XML Encryption 1.1 [W3C.NOTE-xmldsig-core2-20130411], XML Encryption
[W3C.CR-xmlenc-core1-20120313], and Java Cryptography Architecture [W3C.REC-xmlenc-core-20021210], XML Encryption 1.1
[W3C.REC-xmlenc-core1-20130411], and Java Cryptography Architecture
[JCA] for more information about the names defined by those [JCA] for more information about the names defined by those
documents. documents.
A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference A.1. Digital Signature/MAC Algorithm Identifier Cross-Reference
This section contains a table cross-referencing the JWS digital This section contains a table cross-referencing the JWS digital
signature and MAC "alg" (algorithm) values defined in this signature and MAC "alg" (algorithm) values defined in this
specification with the equivalent identifiers used by other standards specification with the equivalent identifiers used by other standards
and software packages. and software packages.
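Review bot: In the Appendix A "See ..." sentence, XML DSIG 2.0 is now cited as [W3C.NOTE-xmldsig-core2-20130411], a W3C Note, while XML Encryption 1.1 is cited as a Recommendation ([W3C.REC-xmlenc-core1-20130411]), and the sentence lists them side by side without distinguishing their status. These are informative references, so this is acceptable, but a short qualifier such as "XML DSIG 2.0 (a W3C Note)" would tell readers which identifier sources are on the Recommendation track. Minor style point: the two new URLs end with a trailing slash, while the retained [W3C.REC-xmlenc-core-20021210] URL does not; pick one form.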
skipping to change at page 56, line 5 skipping to change at page 57, line 5
| PS5 | http://www.w3.org/2007/05/xml | SHA512withRS | 1.2.840.1135 | | PS5 | http://www.w3.org/2007/05/xml | SHA512withRS | 1.2.840.1135 |
| 12 | dsig-more#sha512-rsa-MGF1 | AandMGF1 | 49.1.1.10 | | 12 | dsig-more#sha512-rsa-MGF1 | AandMGF1 | 49.1.1.10 |
+-----+-------------------------------+--------------+--------------+ +-----+-------------------------------+--------------+--------------+
A.2. Key Management Algorithm Identifier Cross-Reference A.2. Key Management Algorithm Identifier Cross-Reference
This section contains a table cross-referencing the JWE "alg" This section contains a table cross-referencing the JWE "alg"
(algorithm) values defined in this specification with the equivalent (algorithm) values defined in this specification with the equivalent
identifiers used by other standards and software packages. identifiers used by other standards and software packages.
+------+------------------------+--------------------+--------------+ +-------+------------------------+--------------------+-------------+
| JWE | XML ENC | JCA | OID | | JWE | XML ENC | JCA | OID |
+------+------------------------+--------------------+--------------+ +-------+------------------------+--------------------+-------------+
| RSA1 | http://www.w3.org/2001 | RSA/ECB/PKCS1Paddi | 1.2.840.1135 | | RSA1_ | http://www.w3.org/2001 | RSA/ECB/PKCS1Paddi | 1.2.840.113 |
| _5 | /04/xmlenc#rsa-1_5 | ng | 49.1.1.1 | | 5 | /04/xmlenc#rsa-1_5 | ng | 549.1.1.1 |
| RSA- | http://www.w3.org/2001 | RSA/ECB/OAEPWithSH | 1.2.840.1135 | | RSA-O | http://www.w3.org/2001 | RSA/ECB/OAEPWithSH | 1.2.840.113 |
| OAEP | /04/xmlenc#rsa-oaep-mg | A-1AndMGF1Padding | 49.1.1.7 | | AEP | /04/xmlenc#rsa-oaep-mg | A-1AndMGF1Padding | 549.1.1.7 |
| | f1p | | | | | f1p | | |
| ECDH | http://www.w3.org/2009 | | 1.3.132.1.12 | | RSA-O | http://www.w3.org/2009 | RSA/ECB/OAEPWithSH | 1.2.840.113 |
| -ES | /xmlenc11#ECDH-ES | | | | AEP-2 | /xmlenc11#rsa-oaep | A-256AndMGF1Paddin | 549.1.1.7 |
| A128 | http://www.w3.org/2001 | | 2.16.840.1.1 | | 56 | | g | |
| KW | /04/xmlenc#kw-aes128 | | 01.3.4.1.5 | | ECDH- | http://www.w3.org/2009 | | 1.3.132.1.1 |
| A192 | http://www.w3.org/2001 | | 2.16.840.1.1 | | ES | /xmlenc11#ECDH-ES | | 2 |
| KW | /04/xmlenc#kw-aes192 | | 01.3.4.1.25 | | A128K | http://www.w3.org/2001 | | 2.16.840.1. |
| A256 | http://www.w3.org/2001 | | 2.16.840.1.1 | | W | /04/xmlenc#kw-aes128 | | 101.3.4.1.5 |
| KW | /04/xmlenc#kw-aes256 | | 01.3.4.1.45 | | A192K | http://www.w3.org/2001 | | 2.16.840.1. |
+------+------------------------+--------------------+--------------+ | W | /04/xmlenc#kw-aes192 | | 101.3.4.1.2 |
| | | | 5 |
| A256K | http://www.w3.org/2001 | | 2.16.840.1. |
| W | /04/xmlenc#kw-aes256 | | 101.3.4.1.4 |
| | | | 5 |
+-------+------------------------+--------------------+-------------+
A.3. Content Encryption Algorithm Identifier Cross-Reference A.3. Content Encryption Algorithm Identifier Cross-Reference
This section contains a table cross-referencing the JWE "enc" This section contains a table cross-referencing the JWE "enc"
(encryption algorithm) values defined in this specification with the (encryption algorithm) values defined in this specification with the
equivalent identifiers used by other standards and software packages. equivalent identifiers used by other standards and software packages.
For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and For the composite algorithms "A128CBC-HS256", "A192CBC-HS384", and
"A256CBC-HS512", the corresponding AES CBC algorithm identifiers are "A256CBC-HS512", the corresponding AES CBC algorithm identifiers are
listed. listed.
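Review bot: The new RSA-OAEP-256 row in the A.2 table carries the same OID as the RSA-OAEP row (1.2.840.113549.1.1.7), and its XML ENC URI (http://www.w3.org/2009/xmlenc11#rsa-oaep) does not name a hash either, so neither column distinguishes the SHA-256 variant from the SHA-1 one. Suggest a sentence under the table saying how the digest and the MGF1 hash are conveyed for these two identifiers, so that an implementer mapping by OID or URI alone does not silently select the wrong hash. The JCA name in the new row, RSA/ECB/OAEPWithSHA-256AndMGF1Padding, likewise does not state the MGF1 hash, while the -26 history entry specifies MGF1 with SHA-256; it is worth stating that requirement next to the table. The narrower first column also now splits identifiers mid-token (RSA-O / AEP-2 / 56), which makes the table harder to search and copy from.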
skipping to change at page 62, line 23 skipping to change at page 63, line 23
"y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps" "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps"
} }
} }
The resulting Concat KDF [NIST.800-56A] parameter values are: The resulting Concat KDF [NIST.800-56A] parameter values are:
Z Z
This is set to the ECDH-ES key agreement output. (This value is This is set to the ECDH-ES key agreement output. (This value is
often not directly exposed by libraries, due to NIST security often not directly exposed by libraries, due to NIST security
requirements, and only serves as an input to a KDF.) In this requirements, and only serves as an input to a KDF.) In this
example, Z is the octet sequence: example, Z is following the octet sequence (using JSON array
notation):
[158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, [158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
140, 254, 144, 196]. 140, 254, 144, 196].
keydatalen keydatalen
This value is 128 - the number of bits in the desired output key This value is 128 - the number of bits in the desired output key
(because "A128GCM" uses a 128 bit key). (because "A128GCM" uses a 128 bit key).
AlgorithmID AlgorithmID
This is set to the octets representing the 32 bit big endian value This is set to the octets representing the 32 bit big endian value
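Review bot: The reworded sentence introducing Z has its words out of order: "Z is following the octet sequence (using JSON array notation)" should read "Z is the following octet sequence (using JSON array notation)". The parenthetical itself is a good addition, since it tells the reader that the bracketed values are decimal octets and not a JSON member of the example.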
skipping to change at page 64, line 20 skipping to change at page 65, line 20
the following individuals contributed ideas, feedback, and wording the following individuals contributed ideas, feedback, and wording
that influenced this specification: that influenced this specification:
Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Breno de Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Breno de
Medeiros, Vladimir Dzhuvinov, Yaron Y. Goland, Dick Hardt, Joe Medeiros, Vladimir Dzhuvinov, Yaron Y. Goland, Dick Hardt, Joe
Hildebrand, Jeff Hodges, Edmund Jay, James Manger, Matt Miller, Tony Hildebrand, Jeff Hodges, Edmund Jay, James Manger, Matt Miller, Tony
Nadalin, Axel Nennker, John Panzer, Emmanuel Raviart, Eric Rescorla, Nadalin, Axel Nennker, John Panzer, Emmanuel Raviart, Eric Rescorla,
Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner. Nat Sakimura, Jim Schaad, Hannes Tschofenig, and Sean Turner.
Jim Schaad and Karen O'Donoghue chaired the JOSE working group and Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
Sean Turner and Stephen Farrell served as Security area directors Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
during the creation of this specification. Security area directors during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-26
o Added algorithm identifier "RSA-OAEP-256" for RSAES OAEP using
SHA-256 and MGF1 with SHA-256.
o Clarified that the ECDSA signature values R and S are represented
as octet sequences as defined in Section 2.3.7 of SEC1 [SEC1].
o Noted that octet sequences are depicted using JSON array notation.
o Updated references, including to W3C specifications.
-25 -25
o Corrected an external section number reference that had changed. o Corrected an external section number reference that had changed.
-24 -24
o Replaced uses of the term "associated data" wherever it was used o Replaced uses of the term "associated data" wherever it was used
to refer to a data value with "additional authenticated data", to refer to a data value with "additional authenticated data",
since both terms were being used as synonyms, causing confusion. since both terms were being used as synonyms, causing confusion.
 End of changes. 39 change blocks. 
129 lines changed or deleted 177 lines changed or added
