I’ve made a minor release of the JSON Web
{Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) working
group specifications and the JWS and JWE JSON Serialization (JWS-JS, JWE-JS)
individual submission specifications in preparation for IETF 84 in Vancouver,
BC<http://www.ietf.org/meeting/84/index.html>. These versions incorporate
feedback from working group members since the major release on July
6th<http://self-issued.info/?p=759>, and update the lists of open issues in
preparation for discussions in Vancouver (and on the working group mailing
lists).
One significant addition is that the JWT and JWE-JS specs both now contain
complete, testable examples with encrypted results. No normative changes were
made.
The working group specifications are available at:
· http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-04
· http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-04
· http://tools.ietf.org/html/draft-ietf-jose-json-web-key-04
· http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-04
· http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-02
The individual submission specifications are available at:
· http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-01
· http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-01
The document history entries (also in the specifications) are as follows:
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-04
* Completed JSON Security Considerations section, including considerations
about rejecting input with duplicate member names.
* Completed security considerations on the use of a SHA-1 hash when
computing x5t (X.509 certificate thumbprint) values.
* Refer to the registries as the primary sources of defined values and then
secondarily reference the sections defining the initial contents of the
registries.
* Normatively reference XML DSIG 2.0 [W3C.CR‑xmldsig‑core2‑20120124] for
its security considerations.
* Added this language to Registration Templates: "This name is case
sensitive. Names that match other registered names in a case insensitive manner
SHOULD NOT be accepted."
* Reference draft-jones-jose-jws-json-serialization instead of
draft-jones-json-web-signature-json-serialization.
* Described additional open issues.
* Applied editorial suggestions.
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-04
* Refer to the registries as the primary sources of defined values and then
secondarily reference the sections defining the initial contents of the
registries.
* Normatively reference XML Encryption 1.1 [W3C.CR‑xmlenc‑core1‑20120313]
for its security considerations.
* Reference draft-jones-jose-jwe-json-serialization instead of
draft-jones-json-web-encryption-json-serialization.
* Described additional open issues.
* Applied editorial suggestions.
http://tools.ietf.org/html/draft-ietf-jose-json-web-key-04
* Refer to the registries as the primary sources of defined values and then
secondarily reference the sections defining the initial contents of the
registries.
* Normatively reference XML DSIG 2.0 [W3C.CR‑xmldsig‑core2‑20120124] for
its security considerations.
* Added this language to Registration Templates: "This name is case
sensitive. Names that match other registered names in a case insensitive manner
SHOULD NOT be accepted."
* Described additional open issues.
* Applied editorial suggestions.
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-04
* Added text requiring that any leading zero bytes be retained in base64url
encoded key value representations for fixed-length values.
* Added this language to Registration Templates: "This name is case
sensitive. Names that match other registered names in a case insensitive manner
SHOULD NOT be accepted."
* Described additional open issues.
* Applied editorial suggestions.
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-02
* Added an example of an encrypted JWT.
* Added this language to Registration Templates: "This name is case
sensitive. Names that match other registered names in a case insensitive manner
SHOULD NOT be accepted."
* Applied editorial suggestions.
http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-01
* Generalized language to refer to Message Authentication Codes (MACs)
rather than Hash-based Message Authentication Codes (HMACs).
http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-01
* Added a complete JWE-JS example.
* Generalized language to refer to Message Authentication Codes (MACs)
rather than Hash-based Message Authentication Codes (HMACs).
-- Mike
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
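
Two of the history entries above describe checks an implementation has to make: rejecting JSON input with duplicate member names (JWS -04) and retaining leading zero bytes in base64url-encoded fixed-length values (JWA -04). The following is an added example, not part of the original message or of the drafts, showing one way to do both in Python. All function names are hypothetical, the sample tokens are constructed, and a 32-byte value length is assumed for the encoding check.

```python
import base64
import json


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # json calls this hook once per object, with (name, value) pairs in
    # document order, so nested objects are checked as well.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        obj[name] = value
    return obj


def b64url_decode(segment: str) -> bytes:
    # The "=" padding is stripped in JOSE encodings; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jws_header(compact: str) -> dict:
    """Decode the header segment of a compact JWS, rejecting duplicate names."""
    header_segment = compact.split(".", 1)[0]
    return json.loads(b64url_decode(header_segment),
                      object_pairs_hook=_reject_duplicates)


def encode_fixed_length(value: int, length: int) -> str:
    """base64url-encode an integer as exactly `length` bytes, zeros kept."""
    return b64url_encode(value.to_bytes(length, "big"))


# Constructed sample inputs (not taken from the drafts).
GOOD = b64url_encode(b'{"alg":"HS256","typ":"JWT"}') + ".e30.c2ln"
DUPLICATE = b64url_encode(b'{"alg":"HS256","alg":"RS256"}') + ".e30.c2ln"

if __name__ == "__main__":
    print(parse_jws_header(GOOD))
    print(encode_fixed_length(1, 32))  # assumed 32-byte fixed-length value
```

Without the hook, `json.loads` silently keeps the last value for a repeated name, so two parsers that resolve duplicates differently can disagree about which header the signature check was applied to.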