IETF Logo Mail Archive

Re: [jose] Last Call: <draft-ietf-jose-jwk-thumbprint-05.txt> (JSON Web Key (JWK) Thumbprint) to Proposed Standard

"Preibisch, Sascha H" <Sascha.Preibisch@ca.com> Mon, 01 June 2015 17:46 UTC

Return-Path: <Sascha.Preibisch@ca.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A3C1B2FD3; Mon, 1 Jun 2015 10:46:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_52=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aGW2L0_76Lx3; Mon, 1 Jun 2015 10:46:54 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0624.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:624]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA6581B2FEE; Mon, 1 Jun 2015 10:46:42 -0700 (PDT)
Received: from BY2PR01CA0010.prod.exchangelabs.com (25.163.25.20) by DM2PR0101MB1088.prod.exchangelabs.com (25.160.129.28) with Microsoft SMTP Server (TLS) id 15.1.172.22; Mon, 1 Jun 2015 17:46:24 +0000
Received: from BY2FFO11FD011.protection.gbl (2a01:111:f400:7c0c::118) by BY2PR01CA0010.outlook.office365.com (2a01:111:e400:5262::20) with Microsoft SMTP Server (TLS) id 15.1.172.22 via Frontend Transport; Mon, 1 Jun 2015 17:46:23 +0000
Authentication-Results: spf=pass (sender IP is 208.232.182.88) smtp.mailfrom=ca.com; ietf.org; dkim=none (message not signed) header.d=none;
Received-SPF: Pass (protection.outlook.com: domain of ca.com designates 208.232.182.88 as permitted sender) receiver=protection.outlook.com; client-ip=208.232.182.88; helo=uslims291.ca.com;
Received: from uslims291.ca.com (208.232.182.88) by BY2FFO11FD011.mail.protection.outlook.com (10.1.14.129) with Microsoft SMTP Server (TLS) id 15.1.184.11 via Frontend Transport; Mon, 1 Jun 2015 17:46:23 +0000
Received: from uslims212.ca.com (130.200.5.102) by uslims291.ca.com (208.232.182.88) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 1 Jun 2015 12:46:22 -0500
Received: from uslims210.ca.com (130.200.5.100) by uslims212.ca.com (130.200.5.102) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 1 Jun 2015 12:46:21 -0500
Received: from uslims210.ca.com ([fe80::c97f:3edd:e671:b4b4]) by uslims210.ca.com ([fe80::c97f:3edd:e671:b4b4%19]) with mapi id 15.00.1076.000; Mon, 1 Jun 2015 12:46:21 -0500
From: "Preibisch, Sascha H" <Sascha.Preibisch@ca.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [jose] Last Call: <draft-ietf-jose-jwk-thumbprint-05.txt> (JSON Web Key (JWK) Thumbprint) to Proposed Standard
Thread-Topic: [jose] Last Call: <draft-ietf-jose-jwk-thumbprint-05.txt> (JSON Web Key (JWK) Thumbprint) to Proposed Standard
Thread-Index: AQHQmWUw50IKK+E4vEGU1sx/vG4qhJ2R8cOAgAY9woD//6HngA==
Date: Mon, 01 Jun 2015 17:46:20 +0000
Message-ID: <D191E876.C861%sascha.preibisch@ca.com>
References: <20150528164042.7220.35163.idtracker@ietfa.amsl.com> <55674AA1.9040809@cs.tcd.ie> <F515B0C8-A2E0-454E-B0E1-0E984B9FA31B@ve7jtb.com>
In-Reply-To: <F515B0C8-A2E0-454E-B0E1-0E984B9FA31B@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.200.5.45]
x-wiganss: 01000000010010uslims212.ca.com ID0027<D191E876.C861%sascha.preibisch@ca.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <0391B709B790C8449EFE3EB3E4031A9C@ca.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1; BY2FFO11FD011; 1:2fyOtQa8knH74ntzh7aNLqqL/mxXvp072ahYUkwsKEmGu54wvfAujnoT0ARjLCKXiBbTOsNx03+qEcAENTD+nr/ndJK6G1gh0nChzD1BPbwExgefzmP5UZNCX1iaomVvtNtDt+fc/yTLWy+iAXOX50/R1emwN3iY5LbdUt9PECgw0VVsGAuAnY8jde7UM0wu9YlNV6AUOSLAa2X6euUwJ7OFFv5kAqbS9JKS1RXnzxuD13IvKzetIt/viWZggY1jq1smqUZKyJunPTNYfggBdCmk61eZXG0pAkdvmfcL4XwfAHNDRRs7jD7Vjv2qS+xVpodxatq2l6Pq9IcE2OhTsA==
X-Forefront-Antispam-Report: CIP:208.232.182.88; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(438002)(189002)(377454003)(51704005)(377424004)(199003)(24454002)(479174004)(50986999)(54356999)(76176999)(5001860100001)(5001830100001)(2950100001)(5001770100001)(97736004)(189998001)(92566002)(68736005)(102836002)(15975445007)(50466002)(36756003)(5250100002)(6806004)(106116001)(2656002)(87936001)(19580395003)(19580405001)(23756003)(86362001)(64706001)(66066001)(47776003)(2900100001)(4001540100001)(46102003)(106466001)(230783001)(53416004)(77156002)(62966003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR0101MB1088; H:uslims291.ca.com; FPR:; SPF:Pass; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(42142001); SRVR:DM2PR0101MB1088;
X-Microsoft-Antispam-PRVS: <DM2PR0101MB1088CAFFA9DA64118DB42D29EFB60@DM2PR0101MB1088.prod.exchangelabs.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(5005006)(520003)(3002001); SRVR:DM2PR0101MB1088; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0101MB1088;
X-Forefront-PRVS: 05947791E4
X-OriginatorOrg: ca.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jun 2015 17:46:23.7487 (UTC)
X-MS-Exchange-CrossTenant-Id: 1194df16-3ae0-49aa-b48b-5c4da6e13689
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=1194df16-3ae0-49aa-b48b-5c4da6e13689; Ip=[208.232.182.88]; Helo=[uslims291.ca.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0101MB1088
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/nixdlzJ36WkHmPGqUSazCI0nLFY>
X-Mailman-Approved-At: Tue, 02 Jun 2015 08:03:00 -0700
Cc: "ietf@ietf.org" <ietf@ietf.org>, "jose@ietf.org" <jose@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 20:20:15 -0000

For me that sounds reasonable. I think it can go forward as it is.


On 2015-06-01, 9:23 AM, "John Bradley" <ve7jtb@ve7jtb.com> wrote:

>I understand Stephen¹s issue.
>
>However this is intended to be a simple way to generate a keyid value
>based on a JWK.
>
>I think the document as is accomplishes that.
>
>If we want to generate a keyid based on the SubjectPublicKeyInfo format
>from x.509 people should be able to do that based on the existing specs.
>
>We did drop the jkt member from the spec a while ago based on feedback.
>
>Based on some of the discussion on creating a thumbprint from a SPKI
>there may be a need for better documenting
>how to do that.  A number of the proposals discussed for doing it without
>full processing only worked for some key-types.,
>however that should be a separate spec.
>
>I think this one is ready to go.
>
>Regards
>John B.
>
>
>
>
>> On May 28, 2015, at 2:04 PM, Stephen Farrell
>><stephen.farrell@cs.tcd.ie> wrote:
>> 
>> 
>> Hi,
>> 
>> I have one comment on this that I did raise with the WG (the
>> thread starts at [1] but the subject lines diverged so it's
>> not so easy to follow). At the end of that I think I was
>> correctly judged to be in the rough within the WG. I'm
>> raising it again now as a last-call comment (and wearing
>> no hat) as the issue is really about doing the same thing
>> in multiple protocols/WGs, so this could be a case where
>> IETF consensus maybe ought win over WG consensus, depending
>> on whether folks working on other protocols care or not.
>> (And I'm not sure if they do.)
>> 
>> Note that if the draft as-is turns into an RFC it will not
>> be the end of the world, so I'd only expect that a change
>> would be done if there're a load of people who agree that
>> changing is beneficial for some actual use-case they have
>> or may have in future. (In other words, I really don't
>> expect this change to happen and I do not want it to
>> happen on purely theoretical grounds, but I wanted to
>> check just in case;-)
>> 
>> So my issue is:...
>> 
>> We have a bunch of other protocols (DANE, CoAP and more)
>> in which we use a hash of a public key. In most of those with
>> which I'm familiar we use the SubjectPublicKeyInfo format
>> from x.509 as the input bytes to the hash function. Doing
>> so ensures that a hash generated in one protocol/application
>> could in principle be meaningful in others, even if that's
>> not a very common thing to want. Note that using that structure
>> does not imply anything about using x.509 or asn.1 really as
>> pretty much all crypto APIs (or maybe all) provide you with
>> a way to extract public keys in exactly that form regardless
>> of whether you care about x.509 or anything related to
>> that kind of PKI. (So please let's not have the "I hate
>> asn.1/x.509/whatever" argument again:-)
>> 
>> This draft defines it's own peculiar input bytes to the
>> hash function and even notes that there's no really good
>> reason for that difference:-) [2]
>> 
>> I think this would be better if it supported the use of
>> hash input bytes that are the same as are used elsewhere.
>> 
>> But, as I said before, the world won't end if this becomes
>> an RFC and we have to do another one later on with that
>> fairly trivial difference.
>> 
>> Cheers,
>> S.
>> 
>> [1] https://www.ietf.org/mail-archive/web/jose/current/msg04954.html
>> [2] 
>>https://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-05#section-5
>> 
>> 
>> On 28/05/15 17:40, The IESG wrote:
>>> 
>>> The IESG has received a request from the Javascript Object Signing and
>>> Encryption WG (jose) to consider the following document:
>>> - 'JSON Web Key (JWK) Thumbprint'
>>>  <draft-ietf-jose-jwk-thumbprint-05.txt> as Proposed Standard
>>> 
>>> The IESG plans to make a decision in the next few weeks, and solicits
>>> final comments on this action. Please send substantive comments to the
>>> ietf@ietf.org mailing lists by 2015-06-11. Exceptionally, comments may
>>>be
>>> sent to iesg@ietf.org instead. In either case, please retain the
>>> beginning of the Subject line to allow automated sorting.
>>> 
>>> Abstract
>>> 
>>> 
>>>   This specification defines a method for computing a hash value over a
>>>   JSON Web Key (JWK).  It defines which fields in a JWK are used in the
>>>   hash computation, the method of creating a canonical form for those
>>>   fields, and how to convert the resulting Unicode string into a byte
>>>   sequence to be hashed.  The resulting hash value can be used for
>>>   identifying or selecting the key represented by the JWK that is the
>>>   subject of the thumbprint.
>>> 
>>> 
>>> 
>>> 
>>> The file can be obtained via
>>> https://datatracker.ietf.org/doc/draft-ietf-jose-jwk-thumbprint/
>>> 
>>> IESG discussion can be tracked via
>>> https://datatracker.ietf.org/doc/draft-ietf-jose-jwk-thumbprint/ballot/
>>> 
>>> 
>>> No IPR declarations have been submitted directly on this I-D.
>>> 
>>> 
>>> 
>>> 
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email