This repository has been archived by the owner on Feb 25, 2019. It is now read-only.

Certificating JWK public keys (JWC) #29

Open
christiansmith opened this issue Jul 3, 2017 · 1 comment

Comments

@christiansmith
Member

We've been experimenting with certificating JWK public key values. Like X.509 certificates, this key sharing scheme minimizes the need for fetching public keys used for encryption and signature verification. We're calling this JSON Web Certificates (JWC).

A JSON Web Certificate is created by adding descriptive properties to a JSON Web Key, representing the issuer (iss), subject (sub), and other key metadata, such as time of issue (iat), expiration (exp), and certificate identifier (jti). This JWK is then used as the payload of a JSON Web Token or JSON Web Document.

The following JWC is represented as a JSON Web Document signed with KS256.

{
  "payload": {
    "jti": "a49a290a8f185b3c30ab",
    "kid": "0f88678c349d41e4fd3e",
    "iss": "https://example.org",
    "sub": "me@anvil.io",
    "kty": "EC",
    "crv": "K-256",
    "x": "wAa1grkJ4BLUJdNgRUG4ovcz3zXK6BeA3sDP3VT66As",
    "y": "fbZJQJgvxcgLupPb7Qp_7gL43FfTUHwBGNHJoProq34",
    "key_ops": [ "verify" ],
    "ext": true,
    "iat": 1498398688,
    "exp": 1529934688
  },
  "signatures": [
    {
      "protected": {
        "alg": "KS256",
        "kid": "LGm6w06md1w",
        "jku": "https://example.org/jwks"
      },
      "signature": "MEYCIQDEwsaHMKPlH0teADyn5gs9CPY8c3O7z70N-xjwmM_JJwIhAPzzkSOuJ2..."
    }
  ]
}

A certificate can also be serialized as a compact JWT (line breaks for readability):

eyJhbGciOiJLUzI1NiIsImtpZCI6Ims1VHd4Y2UwYlJjIiwiamt1IjoiaHR0cDovL2xvY2FsaG9
zdDo1MTUwL2p3a3MifQ.eyJqdGkiOiJkMzkyNDE0NThjMjNiN2JmYjk1ZiIsImtpZCI6ImU
5N2M2MDZjMjliYWRjNWRhNDBkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MTUwIiwic
3ViIjoic21pdGhAYW52aWwuaW8iLCJrdHkiOiJFQyIsImNydiI6IkstMjU2IiwieCI6IndBYTF
ncmtKNEJMVUpkTmdSVUc0b3ZjejN6WEs2QmVBM3NEUDNWVDY2QXMiLCJ5IjoiZmJ
aSlFKZ3Z4Y2dMdXBQYjdRcF83Z0w0M0ZmVFVId0JHTkhKb1Byb3EzNCIsImtleV9vcH
MiOlsidmVyaWZ5Il0sImV4dCI6dHJ1ZSwiaWF0IjoxNDk4NDI0NTQ2LCJleHAiOjE1Mjk5
NjA1NDZ9.MEUCIQD2WRGkcZd-50q-jZtIl9tHqVmyOQ1zRLVTym2hAFyfLAIgVgZmI_5
7ouVwg5cZFHvPViIMo0u4kuDHY_YDGXGn6r0

A JWC can be included in a JOSE Protected Header object like so:

{
  "payload": {
    "hello": "world"
  },
  "signatures": [
    {
      "protected": {
        "alg": "KS256",
        "jwc": "eyJhbGciOiJLUzI1NiIsImtpZCI6Ims1VHd4Y2UwYlJjIiwiamt1IjoiaHR0cDovL2xvY2FsaG9zdDo1MTUwL2p3a3MifQ.eyJqdGkiOiJkMzkyNDE0NThjMjNiN2JmYjk1ZiIsImtpZCI6ImU5N2M2MDZjMjliYWRjNWRhNDBkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MTUwIiwic3ViIjoic21pdGhAYW52aWwuaW8iLCJrdHkiOiJFQyIsImNydiI6IkstMjU2IiwieCI6IndBYTFncmtKNEJMVUpkTmdSVUc0b3ZjejN6WEs2QmVBM3NEUDNWVDY2QXMiLCJ5IjoiZmJaSlFKZ3Z4Y2dMdXBQYjdRcF83Z0w0M0ZmVFVId0JHTkhKb1Byb3EzNCIsImtleV9vcHMiOlsidmVyaWZ5Il0sImV4dCI6dHJ1ZSwiaWF0IjoxNDk4NDI0NTQ2LCJleHAiOjE1Mjk5NjA1NDZ9.MEUCIQD2WRGkcZd-50q-jZtIl9tHqVmyOQ1zRLVTym2hAFyfLAIgVgZmI_57ouVwg5cZFHvPViIMo0u4kuDHY_YDGXGn6r0"
      },
      "signature": "MEUCIAThnzOzVUFzv7CyZnNOou9xjrkk_4CYfpwRUF0j4OWyAiEAyOZFETZojdRjvaB-sLjIX7xOPn8_1w6CMuDy8AU1Plk"
    }
  ]
}

We now need to consider drafting a specification targeting IETF and incorporating necessary functions into this package.
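As an added example (not code from this issue or the package), the relying-party side of the scheme described above in Python: `make_jwc` builds a compact JWC from a public JWK plus the iss/sub/jti/iat/exp metadata, and `validate_jwc` enforces the certificate semantics (trusted issuer, validity window, public-only key material, binding of the certified kid to the enclosing message's kid) around a caller-supplied signature check, since the actual KS256 (ECDSA over K-256) verification belongs to a JOSE library. The function names and the `sign`/`verify` callbacks are assumptions.

```python
import base64
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

CERT_CLAIMS = {"iss", "sub", "jti", "iat", "exp"}  # metadata the issue adds to the JWK
REQUIRED = CERT_CLAIMS | {"kid", "kty"}

def make_jwc(public_jwk, protected, sign, *, iss, sub, jti, iat, lifetime):
    """Compact-serialize a JWC: the public JWK plus issuer metadata becomes the JWS
    payload; sign(signing_input) -> bytes is the issuer's signer (caller-supplied)."""
    payload = dict(public_jwk, iss=iss, sub=sub, jti=jti, iat=iat, exp=iat + lifetime)
    h64 = b64url_encode(json.dumps(protected, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h64}.{p64}".encode("ascii")
    return f"{h64}.{p64}.{b64url_encode(sign(signing_input))}"

def validate_jwc(compact, trusted_issuers, verify, *, now=None, expected_kid=None, leeway=60):
    """Return the certified public JWK if the compact JWC is acceptable, else raise.
    verify(protected, signing_input, signature) -> bool is the caller's cryptographic
    check for the header's alg/kid (e.g. ECDSA over K-256 for "KS256")."""
    now = int(time.time()) if now is None else now
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("a JWC must be a three-part compact JWS")
    h64, p64, s64 = parts
    protected = json.loads(b64url_decode(h64))
    if not verify(protected, f"{h64}.{p64}".encode("ascii"), b64url_decode(s64)):
        raise ValueError("issuer signature over the JWC did not verify")
    jwk = json.loads(b64url_decode(p64))
    if not REQUIRED <= set(jwk):
        raise ValueError(f"JWC is missing claims: {sorted(REQUIRED - set(jwk))}")
    if jwk["iss"] not in trusted_issuers:
        raise ValueError(f"untrusted issuer {jwk['iss']!r}")
    # A certificate certifies public material only; never accept a private part.
    if "d" in jwk or "sign" in jwk.get("key_ops", []):
        raise ValueError("JWC carries private key material or private key_ops")
    if jwk["kty"] == "EC" and not {"crv", "x", "y"} <= set(jwk):
        raise ValueError("EC JWK must carry crv, x and y")
    if jwk["iat"] > now + leeway or now > jwk["exp"] + leeway:
        raise ValueError("JWC is not yet valid or has expired")
    # Bind the certificate to the kid the enclosing message claims to be signed with.
    if expected_kid is not None and jwk["kid"] != expected_kid:
        raise ValueError("JWC kid does not match the message's kid")
    return {k: v for k, v in jwk.items() if k not in CERT_CLAIMS}
```

When a JOSE header carries a `jwc` member, pass the header's own `kid` as `expected_kid` so a certificate for some other key cannot be swapped in.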

@EternalDeiwos EternalDeiwos changed the title Certificating JWK public keys Certificating JWK public keys (JWC) Jul 5, 2017
@EternalDeiwos
Member

We'll probably be doing a separate repo for this soon (tm). Leaving this issue open until we get around to it.
