| Internet-Draft | JWS Signature Validation Token | March 2022 |
| Santesson & Housley | Expires 22 September 2022 | [Page] |
This document defines a JSON Web Signature (JWS) profile for the Signature Validation Token defined in [SVT].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 September 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The "Signature Validation Token" specification [SVT] defines the basic token to support signature validation in a way that can significantly extend the lifetime of a signature.¶
This specification defines a profile for implementing SVT with a JWS signed payload according to [RFC7515], and defines the following aspects of SVT usage:¶
A JWS may have one or more signatures depending on its serialization format, signing the same payload data. A JWS either contains the data to be signed (enveloping) or may sign any externally associated payload data (detached).¶
To provide a generic solution for JWS, an SVT is added to each present signature as a JWS Unprotected Header. If a JWS includes multiple signatures, then each signature includes its own SVT.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The definitions in [SVT] and [RFC7515] apply also to this document.¶
An SVT token MAY be added to any signature of a JWS to support validation of that signature. If more than one signature is present then each present SVT MUST provide information exclusively related to one associated signature and MUST NOT include information about any other signature in the JWS.¶
Each SVT is stored in its associated signature's "svt" header as defined in Section 3.1.¶
The "svt" (Signature Validation Token) Header Parameter is used to contain an array of SVT tokens to support validation of the associated signature. Each SVT token in the array has the format of a JWT as defined in [RFC7519] and is stored using its natural string representation without further wrapping or encoding.¶
The "svt" Header Parameter, when used, MUST be included as a JWS Unprotected Header.¶
Note: JWS Unprotected Header is not supported with JWS Compact Serialization. A consequence of adding an SVT token to a JWS is therefore that JWS JSON Serialization MUST be used, either in the form of general JWS JSON Serialization (for one or more signatures) or in the form of flattened JWS JSON Serialization (optionally used when only one signature is present in the JWS).¶
If a new SVT is stored in a signature which already contains a previously issued SVT, implementations can choose to either replace the existing SVT or to store the new SVT in addition to the existing SVT.¶
If a JWS signature already contains an array of SVTs and a new SVT is to be added, then the new SVT MUST be added to the array of SVT tokens in the existing "svt" Header Parameter.¶
When this profile is used the SigValidation object MUST contain a "profile" claim with the value "JWS".¶
The SVT Signature object MUST contain a "sig_ref" claim (SigReference object) with the following elements:¶
The SVT Signature object MUST contain one instance of the "sig_data" claim (SignedData object) with the following elements:¶
"ref" -- This parameter MUST hold one of the following thee possible values.¶
The SVT Signature object MUST contain a "signer_cert_ref" claim (CertReference object). The "type" parameter of the "signer_cert_ref" claim MUST be either "chain" or "chain_hash".¶
The SVT JOSE header must contain one of the following header parameters in accordance with [RFC7515], for storing a reference to the public key used to verify the signature on the SVT:¶
alg header parameter.¶
This section registers the "svt" Header Parameter in the IANA "JSON Web Signature and Encryption Header Parameters" registry established by [RFC7515].¶
NOTE to RFC editor: Please replace {this document} with its assigned RFC number.¶
The security considerations of [SVT] applies also to this document.¶