[jose] Encrypted JWK in JWK set

Richard Barnes <rlb@ipv.sx> Fri, 11 October 2013 15:30 UTC

Date: Fri, 11 Oct 2013 11:30:02 -0400
From: Richard Barnes <rlb@ipv.sx>
To: "jose@ietf.org" <jose@ietf.org>
Subject: [jose] Encrypted JWK in JWK set

Hey all,

I was thinking today about how it would be nice to replace PKCS#12 with
something JWK-based.  For background, PKCS#12 is a format that can store a
certificate (unencrypted) alongside an encrypted private key.

It seems to me like the obvious thing would be to replace this with a JWK
Set containing two keys: (1) a public key with the certificate in the "x5t"
attribute, and (2) the corresponding private key as an Encrypted JWK.

However, it's not immediately clear to me that the JWK Set format in -17
allows this.  Proposed edit to clarify:

OLD: "The value of the "keys" member is an array of JWK values"
NEW: "The value of the "keys" member is an array of JWK and/or Encrypted
JWK values"
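As an added illustration of the layout proposed above (example code, not from this thread or the JOSE drafts): a stdlib-only Python check that walks a JWK Set, separates plain JWKs from compact-serialized Encrypted JWKs (recognised by the cty value "jwk+json" that RFC 7517 later specified for this purpose), and refuses a set that stores private key members in the clear, which is the property a PKCS#12 replacement depends on. All key values and the JWE body segments are constructed placeholders, not real key material or ciphertext.

```python
import base64
import json

# JWK members that carry private or symmetric key material (RFC 7518 names).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def classify_entry(entry):
    """Return ("jwk", obj) for a plain JWK or ("encrypted_jwk", header) for a
    compact JWE wrapping a JWK; raise ValueError for anything else, including a
    plain JWK that would leak private key material in the clear."""
    if isinstance(entry, dict) and "kty" in entry:
        leaked = PRIVATE_MEMBERS.intersection(entry)
        if leaked:
            raise ValueError("unencrypted private material: %s" % sorted(leaked))
        return ("jwk", entry)
    if isinstance(entry, str) and entry.count(".") == 4:
        # Compact JWE: protected header is the first base64url segment.
        header = json.loads(b64url_decode(entry.split(".")[0]))
        if "enc" not in header:
            raise ValueError("compact JWE without an 'enc' header")
        if header.get("cty") != "jwk+json":
            raise ValueError("encrypted entry is not labelled as a JWK")
        return ("encrypted_jwk", header)
    raise ValueError("entry is neither a JWK nor an Encrypted JWK")

def load_key_set(text):
    return [classify_entry(e) for e in json.loads(text)["keys"]]

def rejects(text):
    try:
        load_key_set(text)
    except ValueError:
        return True
    return False

# Constructed sample: public key with certificate reference + private key as a JWE.
_PROTECTED = b64url_encode(json.dumps(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "cty": "jwk+json"}).encode())
PUBLIC_JWK = {"kty": "RSA", "kid": "cert-1", "x5t": "THUMBPRINT_PLACEHOLDER",
              "n": "MODULUS_PLACEHOLDER", "e": "AQAB"}
SAMPLE_SET = json.dumps({"keys": [PUBLIC_JWK,
                                  _PROTECTED + ".ENCKEY.IV.CIPHERTEXT.TAG"]})
# Constructed negative case: the private exponent stored without encryption.
LEAKED_SET = json.dumps({"keys": [dict(PUBLIC_JWK, d="PRIVATE_EXP_PLACEHOLDER")]})
```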