[Openid-specs-ab] JSON token draft based upon a convergence proposal
Mike Jones
Michael.Jones at microsoft.com
Tue Oct 26 00:03:13 UTC 2010
I've produced a new JSON token draft (attached and also at http://self-issued.info/docs/draft-jones-json-web-token-00.html) based on a convergence proposal discussed with the authors of the other JSON signing proposals. I borrowed portions of this draft with permission from Dirk Balfanz, John Bradley, John Panzer, and Nat Sakimura, and so listed them as co-authors. (You shouldn't take their being listed as authors as their blanket endorsement of its content, but I appreciate their willingness to let me build upon their work.)
There are still open issues. In particular, while I call out the need for including mechanism(s) for retrieving public keys that are not encoded in X.509 certificates in the Open Issues (Section 11), I have not yet incorporated them into the draft. For one thing, there was a comment that we should consider publishing public keys as JWTs, which I haven't had the time to investigate yet. I'd also like to discuss whether we should assume that the issuer claim can always be used to retrieve a simple public key or whether we need to define a new claim or envelope parameter for that.
Hopefully we can develop consensus positions on these and any other issues found during IIW. This doc is intended as a further step in that direction.
A detailed comparison of the precursor documents, which led to the convergence proposal incorporated in this draft, is as follows:
Columns compared (with the source document for each):
  JSON Tokens: http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html
  JSON Simple Sign (JSS): http://jsonenc.info/jss/1.0/
  Canvas Application Signatures: http://developers.facebook.com/docs/authentication/canvas
  JSON Web Token (JWT): http://self-issued.info/docs/draft-goland-json-web-token-00.html
  Proposed Resolution: http://self-issued.info/docs/draft-jones-json-web-token-00.html

Feature: Envelope distinct from payload
  JSON Tokens: Yes
  JSS: Yes
  Canvas: No
  JWT: No
  Proposed Resolution: Yes

Feature: Reserved claims defined for use in payload
  JSON Tokens: Yes
  JSS: No
  Canvas: Yes
  JWT: Yes
  Proposed Resolution: Yes - for optional use

Feature: Overhead of encoding
  JSON Tokens: Medium
  JSS: High
  Canvas: Low
  JWT: Low
  Proposed Resolution: Low

Feature: Signature algorithms supported (recommended marked +, optional marked *)
  JSON Tokens: HMAC SHA-256, RSA SHA-256
  JSS: HMAC SHA-256, RSA SHA-256, ECDSA-SHA256
  Canvas: HMAC SHA-256
  JWT: HMAC SHA-256, RSA SHA-256+, ECDSA-SHA256+, larger key sizes*
  Proposed Resolution: HMAC SHA-256, RSA SHA-256, ECDSA-SHA256+, larger key sizes*

Feature: Signing required
  JSON Tokens: Yes
  JSS: Yes
  Canvas: Yes
  JWT: No
  Proposed Resolution: Yes (but "none" algorithm could be separately defined)

Feature: Location of algorithm parameter
  JSON Tokens: Envelope
  JSS: Envelope
  Canvas: Payload
  JWT: Payload
  Proposed Resolution: Envelope

Feature: Key ID parameter
  JSON Tokens: Optional in Envelope
  JSS: Optional in Envelope for HMAC SHA-256
  Canvas: N/A
  JWT: None
  Proposed Resolution: Optional in Envelope

Feature: Key location parameter
  JSON Tokens: Discovery method defined for RSA keys
  JSS: Required in Envelope for RSA SHA-256
  Canvas: N/A
  JWT: None
  Proposed Resolution: Optional key location or public key in Envelope; any key discovery in separate specification(s)

Feature: Key representation specified
  JSON Tokens: Yes - Magic Keys for RSA
  JSS: Yes - X.509 certificates for RSA SHA-256
  Canvas: N/A
  JWT: No
  Proposed Resolution: Optional use of X.509 certificates specified; also specify non-X.509 method(s) of public key retrieval; methods not in core spec can also be used

Feature: Type description for envelope
  JSON Tokens: No
  JSS: Required type URI
  Canvas: No
  JWT: No
  Proposed Resolution: Optional using concise representation

Feature: Type description for payload
  JSON Tokens: Optional in Envelope
  JSS: Optional in Payload
  Canvas: No
  JWT: No
  Proposed Resolution: Optional in Payload

Feature: Encoding algorithm
  JSON Tokens: Base64url with padding
  JSS: Base64url without padding
  Canvas: Base64url without padding
  JWT: Base64url without padding
  Proposed Resolution: Base64url without padding

Feature: Token representations
  JSON Tokens: Base64url encodings separated by periods (JSON serialization specified in Magic Signatures)
  JSS: Base64url encodings separated by periods; JSON serialization
  Canvas: Base64url encodings separated by periods
  JWT: Base64url encodings separated by periods
  Proposed Resolution: Base64url encodings separated by periods

Feature: Multiple signatures
  JSON Tokens: No (but supported by Magic Signatures)
  JSS: Yes
  Canvas: No
  JWT: No
  Proposed Resolution: Not in base spec, but could be defined as an extension

Feature: Encryption supported
  JSON Tokens: No
  JSS: In related specification
  Canvas: No
  JWT: No
  Proposed Resolution: In related specification
Hope to see many of you next week!
-- Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-jones-json-web-token-00.xml
Type: text/xml
Size: 67293 bytes
Desc: draft-jones-json-web-token-00.xml
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20101026/9bc9701d/attachment.xml>
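An added example, not part of Mike's message or of the draft itself, that exercises the token shape the "Proposed Resolution" column describes: three base64url-encoded segments without padding, separated by periods, an envelope carrying the algorithm, and HMAC SHA-256 as the one algorithm every compared proposal supports. The verifier pins the algorithm it will accept instead of trusting whatever the envelope says, which is the check that matters if a "none" algorithm is ever defined separately. Parameter and claim names ("alg", "typ", "exp") are assumptions written in the spelling the later RFCs standardized; the draft-00 text is authoritative for its own names. The key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: envelope parameter and claim names ("alg", "typ", "exp") follow
# the later RFC 7515/7519 spelling; draft-00 may name them differently.

B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the convergence proposal specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Strict inverse: reject padding and foreign characters, then decode."""
    if not segment or "=" in segment or set(segment) - B64URL_ALPHABET:
        raise ValueError("segment is not unpadded base64url")
    # urlsafe_b64decode needs the padding back to compute the length.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json_segment(obj: dict) -> str:
    """Compact JSON, then base64url; used for both envelope and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Produce envelope.payload.signature with HMAC SHA-256 over the first two."""
    enc_env = encode_json_segment({"typ": "JWT", "alg": "HS256"})
    enc_payload = encode_json_segment(claims)
    signing_input = (enc_env + "." + enc_payload).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return enc_env + "." + enc_payload + "." + b64url_encode(sig)


def hs256_verify(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if the token is a valid HS256 token, else None.

    The accepted algorithm is fixed by the verifier; the envelope's "alg" is
    only allowed to agree with it, so a token claiming "none" (or RS256 with
    the HMAC key reused as a public key) is rejected before the key is used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    enc_env, enc_payload, enc_sig = parts
    try:
        envelope = json.loads(b64url_decode(enc_env))
        claims = json.loads(b64url_decode(enc_payload))
        sig = b64url_decode(enc_sig)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(envelope, dict) or envelope.get("alg") != "HS256":
        return None
    signing_input = (enc_env + "." + enc_payload).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, int) or now >= exp):
        return None
    return claims


if __name__ == "__main__":
    # Constructed sample key and claims.
    key = b"constructed-shared-secret"
    token = hs256_sign({"iss": "https://issuer.example", "exp": 1700000000}, key)
    print(token)
    print(hs256_verify(token, key, now=1699999999))
```

Every rejection path returns None rather than a distinct error, so the verifier does not leak which check failed; the strict decoder also refuses padded segments, which keeps the "without padding" rule enforceable rather than advisory.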