<?xmlversion="1.0" encoding="us-ascii"?> <?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt' ?>version='1.0' encoding='UTF-8'?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="4"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="9278" category="std" docName="draft-ietf-oauth-jwk-thumbprint-uri-03"ipr="trust200902">ipr="trust200902" obsoletes="" updates="" consensus="true" submissionType="IETF" xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.12.10 --> <front> <title abbrev="JWK Thumbprint URI">JWK Thumbprint URI</title> <seriesInfo name="RFC" value="9278" /> <author fullname="Michael B. Jones"initials="M.B."initials="M." surname="Jones"> <organization>Microsoft</organization> <address> <email>mbj@microsoft.com</email> <uri>https://self-issued.info/</uri> </address> </author> <author fullname="Kristina Yasuda" initials="K." surname="Yasuda"> <organization>Microsoft</organization> <address> <email>kryasuda@microsoft.com</email> <uri>https://twitter.com/kristinayasuda</uri> </address> </author> <dateday="1" month="Jun"month="August" year="2022"/> <area>Security</area><workgroup>OAuth Working Group</workgroup> <keyword>RFC</keyword> <keyword>Request for Comments</keyword> <keyword>I-D</keyword> <keyword>Internet-Draft</keyword><workgroup>OAuth</workgroup> <keyword>JSON Web Key</keyword> <keyword>JWK</keyword> <keyword>Thumbprint</keyword> <keyword>URI</keyword> <keyword>URN</keyword> <keyword>OAuth</keyword> <abstract> <t> This specification registers a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. This enables JWK Thumbprints to be used, for instance, as key identifiers in contexts requiring URIs. </t> </abstract> </front> <middle> <section anchor="Introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t> A JSON Web Key (JWK) Thumbprint <xreftarget="RFC7638"/>target="RFC7638" format="default"/> is a URL-safe representation of a hash value over aJSON Web Key (JWK)JWK <xreftarget="RFC7517"/>.target="RFC7517" format="default"/>. This specification defines a URI prefix indicating that the portion of the URI following the prefix is a JWK Thumbprint. This enables JWK Thumbprints to be communicated in contexts requiring URIs, including in specific JSON Web Token (JWT) <xreftarget="RFC7519"/>target="RFC7519" format="default"/> claims. </t> <t> JWKThumbprintsThumbprint URIs are being used in the <xreftarget="SIOPv2"/>target="SIOPv2" format="default"/> specification as one kind of subject identifier in a context requiring that the identifier be a URI. In this case, the subject identifier is derived from a public key represented as a JWK. Expressing the identifier as a JWK Thumbprint URI enables this kind of identifier to be differentiated from other kinds of identifiers that are also URIs, such as Decentralized Identifiers (DIDs) <xreftarget="DID-Core"/>.target="DID-Core" format="default"/>. </t> </section> <section anchor="RNC"title="Requirementsnumbered="true" toc="default"> <name>Requirements Notation andConventions">Conventions</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> <section anchor="JKTURI"title="JWKnumbered="true" toc="default"> <name>JWK ThumbprintURI">URI</name> <t> The following URI prefix is defined to indicate that the portion of the URI following the prefix is a JWK Thumbprint: </t><t> <list style="symbols"> <t><spanx style='verb'>urn:ietf:params:oauth:jwk-thumbprint</spanx></t> </list> </t><t indent="3"><tt>urn:ietf:params:oauth:jwk-thumbprint</tt></t> <t> To makeitthe hash algorithm being used explicit in aURI which hash algorithm is used,URI, the prefix is followed by a hash algorithm identifier and a JWK Thumbprint value, each separated by a colon character to form a URI representing a JWK Thumbprint. </t> </section> <section anchor="HashAlgorithms"title="Hashnumbered="true" toc="default"> <name>Hash AlgorithmsIdentifier">Identifier</name> <t> Hash algorithm identifiers used in JWK Thumbprint URIsMUST<bcp14>MUST</bcp14> be values from the "Hash Name String" column in the IANA "Named Information HashAlgorithm" registryAlgorithm Registry" <xreftarget="IANA.Hash.Algorithms"/>.target="IANA.Hash.Algorithms" format="default"/>. JWK Thumbprint URIs with hash algorithm identifiers not found in this registry are not considered valid and applications will need to detect and handle this error, should it occur. </t> </section> <section anchor="MTI"title="Mandatorynumbered="true" toc="default"> <name>Mandatory to Implement HashAlgorithm">Algorithm</name> <t> To promote interoperability among implementations, the SHA-256 hash algorithm is mandatory to implement. </t> </section> <section anchor="Example"title="Examplenumbered="true" toc="default"> <name>Example JWK ThumbprintURI">URI</name> <t>Section 3.1 of<xreftarget="RFC7638"/>target="RFC7638" sectionFormat="of" section="3.1"/> contains the following example JWK Thumbprint value: </t><figure><artwork><![CDATA[ NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs ]]></artwork></figure><t indent="3"><tt>NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs</tt></t> <t> A complete JWK Thumbprint URI using the above JWK Thumbprint and SHA-256 hash algorithmis:is as follows: </t><figure><artwork><![CDATA[ urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs ]]></artwork></figure><t indent="3"><tt>urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs</tt></t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t> The security considerations of <xreftarget="RFC7638"/>target="RFC7638" format="default"/> also apply when using this specification. </t> <section anchor="MultiplePublicKeysPerPrivateKey"title="Multiplenumbered="true" toc="default"> <name>Multiple Public Keys per PrivateKey">Key</name> <t> There are cryptographic algorithms for which multiple public keys correspond to the same private key. This is described in the security considerations of <xreftarget="RFC7748"/>target="RFC7748" format="default"/> as follows: </t><t> <list style="empty"> <t><blockquote> Designers using these curves should be aware that for each public key, there are several publicly computable public keys that are equivalent to it, i.e., they produce the same shared secrets. Thus using a public key as an identifier and knowledge of a shared secret as proof of ownership (without including the public keys in the key derivation) might lead to subtle vulnerabilities.</t> </list> </t></blockquote> <t> This consideration for public keys as identifiers equally applies to JWK Thumbprint URIs used as identifiers. A recommended way to ensure that the JWK Thumbprint URI corresponds to the actual public key used is to sign a message containing the correct public key with the private key. This signed message could also contain the JWK Thumbprint URI (although, by definition, it could also be computed directly from the public key). </t> </section> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <section anchor="URIReg"title="OAuthnumbered="true" toc="default"> <name>OAuth URIRegistration">Registration</name> <t> This specification registers the following value in the IANA "OAuth URI" registry <xreftarget="IANA.OAuth.Parameters"/>target="IANA.OAuth.Parameters" format="default"/> established by <xreftarget="RFC6755"/>.target="RFC6755" format="default"/>. </t> <sectiontitle="Registry Contents" anchor="URIContents"> <t> <?rfc subcompact="yes"?> <list style="symbols"> <t>URN: urn:ietf:params:oauth:jwk-thumbprint</t> <t>Common Name: JWKanchor="URIContents" numbered="true" toc="default"> <name>Registry Contents</name> <dl> <dt>URN:</dt><dd>urn:ietf:params:oauth:jwk-thumbprint</dd> <dt>Common Name:</dt><dd>JWK ThumbprintURI</t> <t>Change controller: IESG</t> <t>Specification Document: [[ this specification ]]</t> </list> </t> <?rfc subcompact="no"?>URI</dd> <dt>Change controller:</dt><dd>IESG</dd> <dt>Specification Document:</dt><dd>RFC 9278</dd> </dl> </section> </section> </section> </middle> <back><references title="Normative References"> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml' ?> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7638.xml' ?> <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"?><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7638.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <reference anchor="IANA.OAuth.Parameters" target="http://www.iana.org/assignments/oauth-parameters"> <front> <title>OAuth Parameters</title> <author> <organization>IANA</organization> </author><date/></front> </reference> </references><references title="Informative References"> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6755.xml' ?> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7517.xml' ?> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml' ?> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml' ?><references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6755.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7517.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"/> <reference anchor="IANA.Hash.Algorithms"target="https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg">target="https://www.iana.org/assignments/named-information"> <front> <title>Named Information Hash Algorithm Registry</title> <author> <organization>IANA</organization> </author><date/></front> </reference> <reference anchor="SIOPv2" target="https://openid.net/specs/openid-connect-self-issued-v2-1_0.html"> <front> <title>Self-Issued OpenID Provider v2</title> <author fullname="Kristina Yasuda"> <organization>Microsoft</organization> </author> <author fullname="MichaelB.Jones"> <organization>Microsoft</organization> </author> <author fullname="Torsten Lodderstedt"> <organization>yes.com</organization> </author> <dateday="18" month="December" year="2021"/>month="June" year="2022"/> </front> </reference> <reference anchor="DID-Core" target="https://www.w3.org/TR/2021/PR-did-core-20210803/"> <front> <title>Decentralized Identifiers (DIDs) v1.0</title> <author fullname="Manu Sporny"> <organization>Digital Bazaar</organization> </author> <author fullname="Amy Guy"> <organization>Digital Bazaar</organization> </author> <author fullname="Markus Sabadello"> <organization>Danube Tech</organization> </author> <author fullname="Drummond Reed"> <organization>Evernym</organization> </author> <dateday="3"month="Aug" year="2021"/> </front> </reference> </references> </references> <section anchor="Acknowledgements"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t> Use cases for this specification were developed in the OpenID Connect Working Group of the OpenID Foundation. Specifically, it is being used as a key identifier in the <xreftarget="SIOPv2"/>target="SIOPv2" format="default"/> specification. </t> <t> The following individuals also contributed to the creation of this specification:John Bradley, Scott Bradner, Brian Campbell, Roman Danyliw, Vladimir Dzhuvinov, Lars Eggert, Warren Kumari, Adam Lemmon, Neil Madden, James Manger, Francesca Palombini, Aaron Parecki, Gonzalo Salgueiro, Rifaat Shekh-Yusef, Robert Sparks, David Waite, Robert Wilton,<contact fullname="John Bradley"/>, <contact fullname="Scott Bradner"/>, <contact fullname="Brian Campbell"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Vladimir Dzhuvinov"/>, <contact fullname="Lars Eggert"/>, <contact fullname="Warren Kumari"/>, <contact fullname="Adam Lemmon"/>, <contact fullname="Neil Madden"/>, <contact fullname="James Manger"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Aaron Parecki"/>, <contact fullname="Gonzalo Salgueiro"/>, <contact fullname="Rifaat Shekh-Yusef"/>, <contact fullname="Robert Sparks"/>, <contact fullname="David Waite"/>, <contact fullname="Robert Wilton"/>, andPaul Wouters. </t> </section> <section anchor="History" title="Document History"> <?rfc subcompact="yes"?> <t> [[ to be removed by the RFC Editor before publication as an RFC ]] </t> <t> -03 <list style='symbols'> <t> Addressed IESG comment by Lars Eggert on the use of inclusive language. </t> </list> </t> <t> -02 <list style='symbols'> <t> Addressed IETF last call comments by clarifying the requirement to use registered hash algorithm identifiers. </t> </list> </t> <t> -01 <list style='symbols'> <t> Added security considerations about multiple public keys coresponding to the same private key. </t> <t> Added hash algorithm identifier after the JWK thumbprint URI prefix to make it explicit in a URI which hash algorithm is used. </t> <t> Added reference to a registry for hash algorithm identifiers. </t> <t> Added SHA-256 as a mandatory to implement hash algorithm to promote interoperability. </t> </list> </t> <t> -00 <list style='symbols'> <t> Created initial working group draft from draft-jones-oauth-jwk-thumbprint-uri-01. </t> </list><contact fullname="Paul Wouters"/>. </t><?rfc subcompact="no"?></section> </back> </rfc>