draft-secure-cookie-session-protocol defines an encrypted-and-MACed message
syntax that is fairly close to (a subset of) JWE.
1. It uses "|" to separate base64url-encoded parts, instead of JWE's ".".
2. It always includes the creation time; an optional signing-time has been
proposed for JWE/JWS.
3. It has one (opaque) id to indicate the "security context", i.e. the algorithms
and keys used. JWE mandates alg ids be present and, optionally, allows separate
key ids.
The 3rd point is the interesting issue. draft-secure-cookie-session-protocol
has a better approach than JOSE for this aspect (and more compact). Identifying
the key needs to be mandatory. Whether the key-id also identifies the
algorithms, or whether the algorithms are identified separately, is a matter of
taste.
I mentioned this issue a month ago ("kid":"Current" is broken)
[http://www.ietf.org/mail-archive/web/jose/current/msg01150.html].
draft-secure-cookie-session-protocol illustrates another approach to this issue.
--
James Manger
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
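The message layout the post describes (base64url parts joined with "|", a creation time, and one opaque id that names both the key and the algorithms) as an added Python example; this is not code from the draft or from the post. The field order, the context table, the key values and the HMAC-only integrity layer (the draft's encryption step is left out, so only the key-identification and verification logic is shown) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed security-context table (assumption, not the draft's own): one
# opaque id resolves to both the MAC algorithm and the key, so every token
# carries a mandatory, unambiguous reference to the key it was made with.
# Keys are constructed sample values, not real secrets.
CONTEXTS = {
    "ctx-2012a": {"hash": "sha256", "key": b"constructed-sample-key-A"},
    "ctx-2012b": {"hash": "sha512", "key": b"constructed-sample-key-B"},
}


def b64u(raw: bytes) -> str:
    """base64url without padding, as used for each '|'-separated part."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def seal(payload: bytes, ctx_id: str, now=None) -> str:
    """Build DATA|ATIME|TID|MAC, where the MAC covers the first three parts."""
    ctx = CONTEXTS[ctx_id]  # unknown id at sealing time is a programming error
    atime = str(int(time.time()) if now is None else now).encode("ascii")
    parts = [b64u(payload), b64u(atime), b64u(ctx_id.encode("utf-8"))]
    tag = hmac.new(ctx["key"], "|".join(parts).encode("ascii"), ctx["hash"]).digest()
    return "|".join(parts + [b64u(tag)])


def open_token(token: str, max_age: int, now=None) -> bytes:
    """Return the payload, or raise ValueError with the reason for rejection."""
    parts = token.split("|")
    if len(parts) != 4:
        raise ValueError("malformed: expected 4 parts")
    data_b, atime_b, tid_b, tag_b = parts

    # The context id is read first and must resolve to a known key; there is
    # no fallback to a "current" key, which is the point raised in the post.
    ctx_id = unb64u(tid_b).decode("utf-8")
    ctx = CONTEXTS.get(ctx_id)
    if ctx is None:
        raise ValueError("unknown security context")

    expected = hmac.new(ctx["key"], "|".join(parts[:3]).encode("ascii"), ctx["hash"]).digest()
    if not hmac.compare_digest(expected, unb64u(tag_b)):
        raise ValueError("bad MAC")

    # Creation time is always present, so freshness can be enforced.
    atime = int(unb64u(atime_b))
    cur = int(time.time()) if now is None else now
    if atime > cur:
        raise ValueError("creation time in the future")
    if cur - atime > max_age:
        raise ValueError("stale creation time")
    return unb64u(data_b)


def rejection_reason(token: str, max_age: int, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        open_token(token, max_age, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = seal(b"user=42", "ctx-2012a", now=1000)
    print(tok)
    print(open_token(tok, max_age=600, now=1300))
```

Swapping the TID part for another valid context id, even without touching the payload, fails with "bad MAC" rather than silently verifying under the wrong key, and a TID that is not in the table is rejected before any MAC computation.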