One document matched: draft-jones-jose-jws-json-serialization-04.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="4"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" ipr="trust200902" docName="draft-jones-jose-jws-json-serialization-04">
<front>
<title abbrev="JWS JSON Serialization (JWS-JS)">JSON Web Signature JSON Serialization (JWS-JS)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization>Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>http://self-issued.info/</uri>
</address>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization>independent</organization>
<address>
<email>ve7jtb@ve7jtb.com</email>
</address>
</author>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization>Nomura Research Institute</organization>
<address>
<email>n-sakimura@nri.co.jp</email>
</address>
</author>
<date day="27" month="December" year="2012" />
<area>Security</area>
<workgroup>JOSE Working Group</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>JavaScript Object Notation</keyword>
<keyword>JSON</keyword>
<keyword>JSON Web Token</keyword>
<keyword>JWT</keyword>
<keyword>JSON Web Signature</keyword>
<keyword>JWS</keyword>
<keyword>JSON Web Encryption</keyword>
<keyword>JWE</keyword>
<keyword>JSON Web Key</keyword>
<keyword>JWK</keyword>
<keyword>JSON Web Algorithms</keyword>
<keyword>JWA</keyword>
<abstract>
<t>
The JSON Web Signature JSON Serialization (JWS-JS) is a means of
representing content secured with digital signatures or
Message Authentication Codes (MACs)
using JavaScript Object Notation (JSON) data structures.
This specification describes a means of representing
secured content as a JSON data object
(as opposed to the JWS specification, which uses a
compact serialization with a URL-safe representation).
It enables multiple digital signatures and/or MACs to
be applied to the same content (unlike JWS).
Cryptographic algorithms and identifiers used with this
specification are described in the separate
JSON Web Algorithms (JWA) specification.
The JSON Serialization for
related encryption functionality is described in the separate
JSON Web Encryption JSON Serialization (JWE-JS) specification.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The JSON Web Signature JSON Serialization (JWS-JS) is a format for
representing content secured with digital signatures or
Message Authentication Codes (MACs) as a
JavaScript Object Notation (JSON) <xref target="RFC4627"/> object.
It enables multiple digital signatures and/or MACs to
be applied to the same content (unlike JWS <xref target="JWS" />).
The digital signature and MAC mechanisms used are independent of
the type of content being secured, allowing arbitrary content
to be secured.
Cryptographic algorithms and identifiers used with this
specification are described in the separate
JSON Web Algorithms (JWA) <xref target="JWA" /> specification.
The JSON Serialization for
related encryption functionality is described in the separate
JSON Web Encryption JSON Serialization (JWE-JS) <xref target="JWE-JS" />
specification.
</t>
<section title='Notational Conventions'>
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in
Key words for use in RFCs to Indicate Requirement Levels <xref target='RFC2119' />.
</t>
</section>
</section>
<section title="Terminology">
<t>
This specification uses the same terminology as the
JSON Web Signature (JWS) <xref target="JWS" />
specification.
</t>
</section>
<section title="JSON Serialization">
<t>
The JSON Serialization represents secured content as a JSON object with
a <spanx style="verb">recipients</spanx> member
containing an array of per-recipient information
and a <spanx style="verb">payload</spanx> member
containing a shared Encoded JWS Payload value.
Each member of the <spanx style="verb">recipients</spanx> array is a JSON object with
a <spanx style="verb">header</spanx> member
containing an Encoded JWS Header value
and a <spanx style="verb">signature</spanx> member
containing an Encoded JWS Signature value.
</t>
<t>
Unlike the compact serialization used by JWSs, content using
the JSON Serialization MAY be secured with more than one
digital signature and/or MAC value. Each is represented as
an Encoded JWS Signature value in the <spanx style="verb">signature</spanx> member
of an object in the <spanx style="verb">recipients</spanx> array.
For each, there is an Encoded JWS Encoded Header value in the
<spanx style="verb">header</spanx> member
of the same object in the <spanx style="verb">recipients</spanx> array.
This specifies the
digital signature or MAC applied to the Encoded JWS Header
value and the shared Encoded JWS Payload value to create the JWS
Signature value. Therefore, the syntax is:
</t>
<figure><artwork><![CDATA[
{"recipients":[
{"header":"<header 1 contents>",
"signature":"<signature 1 contents>"},
...
{"header":"<header N contents>",
"signature":"<signature N contents>"}],
"payload":"<payload contents>"
}
]]></artwork></figure>
<t>
The contents of the Encoded JWS Header, Encoded JWS Payload,
and Encoded JWS Signature values are exactly as specified in
JSON Web Signature (JWS) <xref target="JWS" />. They are
interpreted and validated in the same manner, with each
corresponding <spanx style="verb">header</spanx> and <spanx
style="verb">signature</spanx> value being created
and validated together.
</t>
<t>
Each JWS Signature value is computed on the JWS Secured
Input corresponding to the concatenation of the Encoded
JWS Header, a period ('.') character, and the Encoded JWS
Payload in the same manner described in the JWS specification.
This has the desirable result that each Encoded JWS signature
value in the <spanx style="verb">recipients</spanx> array is
identical to the value that would be used for the same
parameters in a JWS.
</t>
</section>
<section title="Example JWS-JS" anchor="JSONSerializationExample">
<t>
This section contains an example using the JWS JSON
Serialization. This example demonstrates the capability for
conveying multiple digital signatures and/or MACs for the
same payload.
</t>
<t>
The Encoded JWS Payload used in this example is the same as
used in the examples in Appendix A of JWS
(with line breaks for display purposes only):
</t>
<figure><artwork><![CDATA[
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
]]></artwork></figure>
<t>
Two digital signatures are used in this example: an RSA SHA-256
signature, for which the header and signature values are
the same as in Appendix A.2 of JWS, and an
ECDSA P-256 SHA-256 signature, for which the header and
signature values are the same as in Appendix A.3 of JWS.
The two Decoded JWS Header Segments used are:
</t>
<figure><artwork><![CDATA[
{"alg":"RS256"}
]]></artwork></figure>
<t>
and:
</t>
<figure><artwork><![CDATA[
{"alg":"ES256"}
]]></artwork></figure>
<t>
Since the computations of the JWS Header and JWS Signature
values are the same as in Appendix A.2 and Appendix A.3 of
JWS, they are not repeated here.
</t>
<t>
The complete JSON Web Signature JSON Serialization (JWS-JS)
for these values is as follows
(with line breaks for display purposes only):
</t>
<figure><artwork><![CDATA[
{"recipients":[
{"header":"eyJhbGciOiJSUzI1NiJ9",
"signature":
"cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZ
mh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjb
KBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHl
b1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZES
c6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AX
LIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"},
{"header":"eyJhbGciOiJFUzI1NiJ9",
"signature":
"DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS
lSApmWQxfKTUJqPP3-Kg6NU1Q"}],
"payload":
"eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGF
tcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
}
]]></artwork></figure>
</section>
<section title="IANA Considerations" anchor="IANA">
<t>
This specification makes no requests of IANA.
</t>
</section>
<section title="Security Considerations" anchor="Security">
<t>
The security considerations for this specification are the
same as those for the JSON Web Signature (JWS) <xref
target="JWS" /> specification.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml' ?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.4627.xml' ?>
<reference anchor="JWS">
<front>
<title>JSON Web Signature (JWS)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization>Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>http://self-issued.info/</uri>
</address>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization>independent</organization>
<address>
<email>ve7jtb@ve7jtb.com</email>
</address>
</author>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization>Nomura Research Institute</organization>
<address>
<email>n-sakimura@nri.co.jp</email>
</address>
</author>
<date day="27" month="December" year="2012" />
</front>
<seriesInfo value="draft-ietf-jose-json-web-signature" name="Internet-Draft"/>
<format target="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature" type="HTML" />
</reference>
<reference anchor="JWA">
<front>
<title>JSON Web Algorithms (JWA)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization>Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>http://self-issued.info/</uri>
</address>
</author>
<date day="27" month="December" year="2012" />
</front>
<seriesInfo value="draft-ietf-jose-json-web-algorithms" name="Internet-Draft"/>
<format target="http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms" type="HTML" />
</reference>
</references>
<references title="Informative References">
<reference anchor="JWE-JS">
<front>
<title abbrev="JWE JSON Serialization (JWE-JS)">JSON Web Encryption JSON Serialization (JWE-JS)</title>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization>Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>http://self-issued.info/</uri>
</address>
</author>
<date day="27" month="December" year="2012" />
</front>
<seriesInfo value="draft-jones-jose-jwe-json-serialization" name="Internet-Draft"/>
<format target="http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization" type="HTML" />
</reference>
<reference anchor="MagicSignatures">
<front>
<title>Magic Signatures</title>
<author fullname="John Panzer (editor)" initials="J." surname="Panzer (editor)"></author>
<author fullname="Ben Laurie" initials="B." surname="Laurie"></author>
<author fullname="Dirk Balfanz" initials="D." surname="Balfanz"></author>
<date day="7" month="January" year="2011" />
</front>
<format target="http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-01.html" type="HTML" />
</reference>
<reference anchor="JSS">
<front>
<title>JSON Simple Sign</title>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization>independent</organization>
</author>
<author fullname="Nat Sakimura (editor)" initials="N. " surname="Sakimura (editor)">
<organization>Nomura Research Institute</organization>
</author>
<date month="September" year="2010" />
</front>
<format target="http://jsonenc.info/jss/1.0/" type="HTML" />
</reference>
</references>
<section title="Acknowledgements" anchor="Acknowledgements">
<t>
JSON serializations for secured content were previously explored by
<xref target="MagicSignatures">Magic Signatures</xref> and <xref
target="JSS">JSON Simple Sign</xref>.
</t>
</section>
<section title="Open Issues" anchor="TBD">
<t>
[[ to be removed by the RFC editor before publication as an RFC ]]
</t>
<t>
The following items remain to be considered or done in this draft:
<list style="symbols">
<t>
Track changes that occur in the JWS spec.
</t>
</list>
</t>
</section>
<section title='Document History'>
<t>
[[ to be removed by the RFC editor before publication as an RFC ]]
</t>
<t>
-04
<list style='symbols'>
<t>
Added seriesInfo information to Internet Draft references.
</t>
</list>
</t>
<t>
-03
<list style='symbols'>
<t>
Updated references.
</t>
</list>
</t>
<t>
-02
<list style='symbols'>
<t>
Changed to use an array of structures for per-recipient values,
rather than a set of parallel arrays.
</t>
</list>
</t>
<t>
-01
<list style='symbols'>
<t>
Generalized language to refer to Message Authentication Codes (MACs)
rather than Hash-based Message Authentication Codes (HMACs).
</t>
</list>
</t>
<t>
-00
<list style='symbols'>
<t>
Renamed draft-jones-json-web-signature-json-serialization
to draft-jones-jose-jws-json-serialization to have "jose"
be in the document name so it can be included in the
Related Documents list at http://datatracker.ietf.org/wg/jose/.
No normative changes.
</t>
</list>
</t>
<t>
draft-jones-json-web-signature-json-serialization-02
<list style='symbols'>
<t>
Tracked editorial changes made to the JWS spec.
</t>
</list>
</t>
<t>
draft-jones-json-web-signature-json-serialization-01
<list style='symbols'>
<t>
Corrected the Magic Signatures reference.
</t>
</list>
</t>
<t>
draft-jones-json-web-signature-json-serialization-00
<list style='symbols'>
<t>
Created the initial version incorporating JOSE working
group input and drawing from the JSON Serialization
previously proposed in draft-jones-json-web-token-01.
</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-22 21:50:02 |