[Openid-specs-ab] FW: JSON Web Key (JWK) Thumbprint Specification

Mike Jones Michael.Jones at microsoft.com
Fri Apr 11 00:52:21 UTC 2014

This is the speclet we'd discussed for a JWK Thumbprint, which is pertinent to the revised "sub" computation needed for issue #920 - https://bitbucket.org/openid/connect/issue/920/attack-identified-against-self-issued-sub.

                                                            -- Mike

From: Mike Jones
Sent: Thursday, April 10, 2014 5:50 PM
To: jose at ietf.org
Subject: JSON Web Key (JWK) Thumbprint Specification

I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation.  The abstract of the spec is:

This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.

The desire for this came up in an OpenID Connect context, but it's of general applicability, so I decided to submit the spec to the JOSE working group.  Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec.

The specification is available at:

* http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00

An HTML formatted version is also available at:

* https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html

                                                            -- Mike

P.S.  I also posted this notice at http://self-issued.info/?p=1213 and as @selfissued.
