1 / 7

Bringing JOSE WG Specifications to WGLC: JOSE Overview & Open Issues

Review of JWS, JWE, JWK, JWA specifications for JOSE status, known implementations, and open issues. Discussion on default RSA-OAEP parameters, header fields, nonce, timestamp, and uninterpreted string parameters.

nyoko
Download Presentation

Bringing JOSE WG Specifications to WGLC: JOSE Overview & Open Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bringing the JOSE WG Specifications to WGLC Nat Sakimura November 7, 2012

  2. JOSE Status by Specification • JWS • Very stable since March 2011 • Well over a dozen known implementations • JWE • Open issues largely closed since IETF 84 • At least 5 known implementations • JWK • Semantically very stable – a few syntax changes • Also over a dozen known implementations • JWA • Open issues largely closed since IETF 84 • Used in JWS, JWE, JWK implementations

  3. Conclusions • The specs are fairly mature and implemented • Most issues have been closed • We’re ready for WGLC • Options: • Go to WGLC with the current specs • Close issues we can quickly close, then go to WGLC

  4. Remaining Open Issues • Default RSA-OAEP parameters • Criticality of understanding header fields • Define nonce, timestamp, and/or uninterpreted string parameter(s)?

  5. Default RSA-OAEP parameters • SHA-1 (and mgf1SHA1) are the default OAEP parameters in RFC 3447 • They are also the parameters specified in JWA • Many libs don’t support other OAEP parameters • Interop argues for keeping things as-is • Previous results: • 7 YES – keep the current default OAEP parameters • 2 NO – change the default parameters • 4 DISCUSS

  6. Criticality of understanding header fields • Currently implementations must understand all header fields • Security argues for the current behavior • Extensibility argues for allowing not-understood fields or specifically identified fields • Previous results: • 9 YES – all header fields are critical • 1 NO – all header fields are non-critical • 4 MAYBE – criticality should be specified per field • 3 DISCUSS

  7. Define nonce, timestamp, and/or uninterpreted string parameter(s)? • Previous results: • 7 YES – Define nonce/timestamp parameter • 1 NO – Do not define nonce/timestamp parameter • 14 DISCUSS • DISCUSS likely dominated because there were no concrete proposals • One possibility is to defer decision(s) until concrete proposals are made

More Related