Introduction to the JSON Spec Suite

Session Topic: JSON SPECS Suite & OpenID ABC (T1A)

Convener:Mike Jones

Notes-taker(s):Nat Sakimura

Tags for the session - technology discussed/ideas considered:

JSON, Signature, Encryption, Token, OpenID

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Topics Today

Token: JWT Signature: JWS Encryption: JWE / JSMS Key: JWK Simple Web Discovery (JWS) OAuth 2.0 spec OpenID AB/Connect

Some depends on others. e.g, OpenID ABC depends on all the above.

JWT

- Consolidated several spec proposals. - No canonicalization - Common sets of registry would be useful?

- Main Goal: JSON Representation for claims to support signature securely. - Schema? -- Binding specific.

JWS

- Algorithms: 3 HMACS, RSA, ECDSA. -- HS256 is mandatory.

JWE

- Again, several proposals, e.g., draft-rescorla-jsms. - Sitting down this week to come up with the JWS like spec.

JWK

- Not a replacement to X.509 but for the cases that requires just public key representation.

SWD

- Modular very simple disco spec. - OpenID ABC depends on it.

- No current draft to "push" content into discovery service.

OAuth

Currently, the followings are discussed in IETF.

- OAuth 2.0 Framework Spec.

- OAuth 2.0 Bearer Token Spec.

- SAML Grant OAuth 2 Profile

- JWT Grant OAuth 2 Profile (Private Draft)

- MAC Signature OAuth 2 Profile (Private Draft)

OpenID ABC

Spec are in three layers: Building Blocks, Protocol Bindings, Profiles.

- Goto OpenID blog. http://openid.net/2011/04/29/a-map-for-openid-abc/

- Open Spec Issues

-- Kinds of identifiers supported

-- Permissioning distributed attribute providers

-- Claims specification and integration

-- Trust metadata formtas and transport

-- OAuth 2 spec completion.

Q. Why so complex? A. Being modular does not mean complex. Being a single spec does not mean simple. Not everybody needs to reed crypto spec. Most should use libraries.