[Openid-specs-ab] Forthcoming minor changes to JOSE specs pertinent to OpenID Connect

Mike Jones Michael.Jones at microsoft.com
Wed May 1 05:49:23 UTC 2013


An interim JOSE working group meeting was held yesterday and today at Cisco in Denver.  The good news is that many issues were discussed and resolved in a productive manner.

I wanted to give you a heads-up that two minor changes will be made to the JOSE specs that do affect OpenID Connect.  One is that the syntax for the PKIX key type will be changed from having the x5c member be in an independent "kty":"PKIX" element to being a member within the "kty":"RSA" (or "kty":"EC") structure.  So the example at http://openid.net/specs/openid-connect-messages-1_0-17.html#PKIXKeyType would change to:

  {"keys":[
   {"kty":"RSA",
    "use":"sig",
    "kid":"1b94c",
    "n":"vrj...",
    "e":"AQAB",
    "x5c":
     ["MII...=="]}
  ]}

This only affects code that is using the PKIX key type.

The second change is that the contents of the Additional Associated Data (AAD) value in JWE will be simplified to only include the Encoded JWE Header value but not the Encoded JWE Encrypted Key.  This means that the value X computed in step 15 of http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-10#section-5.1 will be used directly as the AAD value, without computing Y (in step 16) and concatenating it to X (in step 17).

This change simplifies the encryption AAD calculation.

I will plan on incorporating these changes into the JOSE drafts as soon as possible.  Hopefully this will be the last breaking change to the encryption calculation.

                                                            Best wishes,
                                                            -- Mike
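
Added example, not part of the original message and not code from the JOSE drafts: it shows why the AAD change described above is a breaking one, since a message sealed under one AAD rule fails tag verification under the other. Assumptions: AES-128-GCM via Node.js crypto, a CEK that is already unwrapped, constructed header and key values, and a "." separator between X and Y in the old form (the message only says Y is concatenated to X).

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Constructed sample values for this demo; not taken from the JOSE drafts.
const encodedHeader = b64url(JSON.stringify({ alg: "RSA-OAEP", enc: "A128GCM" }));
const encodedEncryptedKey = b64url(nodeCrypto.randomBytes(32)); // stand-in for the wrapped CEK
const cek = nodeCrypto.randomBytes(16); // content encryption key, assumed already unwrapped

// AAD before the change: X with Y concatenated (the "." separator is an assumption).
const aadDraft10 = (x, y) => Buffer.from(`${x}.${y}`, "ascii");
// AAD after the change: X (the Encoded JWE Header) used directly.
const aadRevised = (x) => Buffer.from(x, "ascii");

function seal(aad, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh IV for every message
  const cipher = nodeCrypto.createCipheriv("aes-128-gcm", cek, iv);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the authentication tag does not verify.
function unseal(aad, { iv, ciphertext, tag }) {
  const decipher = nodeCrypto.createDecipheriv("aes-128-gcm", cek, iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Every sender/receiver pairing of the two AAD rules.
function interopMatrix(plaintext = "constructed payload") {
  const oldAad = aadDraft10(encodedHeader, encodedEncryptedKey);
  const newAad = aadRevised(encodedHeader);
  const fromOld = seal(oldAad, plaintext);
  const fromNew = seal(newAad, plaintext);
  return {
    oldToOld: unseal(oldAad, fromOld),
    oldToNew: unseal(newAad, fromOld),
    newToOld: unseal(oldAad, fromNew),
    newToNew: unseal(newAad, fromNew),
  };
}

console.log(interopMatrix());
```

Only the matched pairings return the plaintext; the mixed pairings return null, so sender and receiver have to switch AAD rules together.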
