#18: Address MAC key lifetime concerns

The point was raised on CFRG that it is beneficial to have short-lived MAC keys.
<http://www.ietf.org/mail-archive/web/cfrg/current/msg03386.html>

The current JWS specification works against this objective by relying on out-of-band mechanisms for provisioning MAC keys. If there were a mechanism for providing short-lived keys wrapped under a long-lived key, as there is in JWE, this would not be an issue.

The working group needs to do one of two things:

1. Add wrapped keys to JWS
2. Add security considerations to JWS REQUIRING that an application protocol ensure that key lifetimes are controlled.

In the past, the group has resolved not to do (1) (see ISSUE-2), but it also has not done (2). To resolve this issue, one of the two options above needs to be implemented.

--
Reporter:   [email protected]
Owner:      draft-ietf-jose-json-web-[email protected]
Type:       defect
Priority:   major
Status:     new
Component:  json-web-signature
Milestone:
Version:
Severity:   -
Keywords:

Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/18>
jose <http://tools.ietf.org/jose/>
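Added example, not part of the ticket or of the JOSE drafts: a sketch of what option (2) asks of an application, where the verifier refuses any HS256 JWS whose MAC key is outside an application-defined lifetime. The key store layout, the MAX_KEY_LIFETIME policy value and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

MAX_KEY_LIFETIME = 3600  # seconds; assumed application policy, not a JWS requirement


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, kid: str, key: bytes) -> str:
    """Build an HS256 JWS in compact serialization, naming the key by kid."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(tag)


def verify(token: str, keys: dict, now: float) -> dict:
    """keys maps kid -> (key bytes, provisioning time). Raises ValueError on rejection."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64u_dec(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    entry = keys.get(kid) if isinstance(kid, str) else None
    if entry is None:
        raise ValueError("unknown kid")
    key, provisioned_at = entry
    # Lifetime check comes before the MAC check: an over-age key is never used.
    if not (provisioned_at <= now < provisioned_at + MAX_KEY_LIFETIME):
        raise ValueError("MAC key outside its lifetime")
    expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(s64)):
        raise ValueError("bad MAC")
    return json.loads(b64u_dec(p64))


if __name__ == "__main__":
    demo_key = b"k" * 32                      # constructed sample key
    store = {"k1": (demo_key, 1000.0)}        # constructed provisioning time
    token = sign({"msg": "hi"}, "k1", demo_key)
    print(verify(token, store, now=1010.0))   # within the lifetime: accepted
```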
