Re: [jose] #16: URI identifying a specific key in a JWK set

Dick Hardt <dick.hardt@gmail.com> Sat, 30 March 2013 23:48 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150BE3C554@WSMSG3153V.srv.dir.telstra.com>
Date: Sat, 30 Mar 2013 16:48:54 -0700
Message-Id: <D3068533-A5DC-400B-A45C-39A47565CE87@gmail.com>
References: <058.7d398c285ac07c1a4b2f1bfd0d8b7312@trac.tools.ietf.org> <CA+k3eCRBXsBC6qwJ5_43aa1JaBU4dgKPNu67JrX5RNjeX0be9A@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150BE3C554@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #16: URI identifying a specific key in a JWK set

A related issue is that a 'kid' may not be enough to uniquely identify the key in symmetric systems.

If a recipient (A) accepts tokens from multiple parties (B and C), and 'kid' is managed at those parties (B and C), then there is no guarantee that the 'kid' value will be unique at A. Knowing the issuer is required unless you force B and C to use a URI-like mechanism for 'kid'.

On Mar 25, 2013, at 3:46 PM, "Manger, James H" <James.H.Manger@team.telstra.com> wrote:

> > I'd always just assumed that, short of some other means of figuring it out, a kid header would accompany a jku to identify the specific key in the set.
>  
> Indeed, “jku” needs to be accompanied by “kid” to work in general — but this is a crappy solution. 99% of the time that a “jku” is used you want to identify a single specific key so “jku” should be capable of doing that without requiring an extra field.
>  
> A JOSE header does have room for “kid” as well as “jku”. However, many contexts that use URIs as identifiers expect a URI to be THE identifier. Needing two fields to do one task is inevitably awkward.
>  
> Finally, identifying 1 item from a set is a perfect match for the whole purpose of URI fragments so merely by the principle of least astonishment JWK should specify how the fragment picks 1 key.
>  
> --
> James Manger
>  
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
> Sent: Monday, 25 March 2013 11:31 PM
> To: jose issue tracker
> Cc: draft-ietf-jose-json-web-key@tools.ietf.org; jose@ietf.org; james@manger.com.au
> Subject: Re: [jose] #16: URI identifying a specific key in a JWK set
>  
> I'd always just assumed that, short of some other means of figuring it out, a kid header would accompany a jku to identify the specific key in the set.
>  
> 
> On Sun, Mar 24, 2013 at 6:40 PM, jose issue tracker <trac+jose@trac.tools.ietf.org> wrote:
> #16: URI identifying a specific key in a JWK set
> 
>  When a public key is required to process a JOSE message, providing a URI
>  for the key is a useful alternative to providing the actual key or a
>  certificate. The URI needs to identify the specific individual public key
>  required for the specific JOSE message. A URI that merely identifies a set
>  of keys (one of which is the correct one) is not sufficient.
> 
>  Given that a "jku" field holds a URI pointing to a set of keys, we need to
>  define how to use the fragment part of those URIs to identify a specific
>  key in the set.
> 
>  Using the "kid" (key id) in the fragment would be a sensible choice.
> 
> --
> -------------------------+-------------------------------------------------
>  Reporter:               |      Owner:  draft-ietf-jose-json-web-
>   james@manger.com.au    |  key@tools.ietf.org
>      Type:  defect       |     Status:  new
>  Priority:  major        |  Milestone:
> Component:  json-web-    |    Version:
>   key                    |   Keywords:
>  Severity:  -            |
> -------------------------+-------------------------------------------------
> 
> Ticket URL: <https://tools.ietf.org/wg/jose/trac/ticket/16>
> jose <http://tools.ietf.org/jose/>
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>  
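The two points raised in this thread, a "jku" URI whose fragment selects one "kid" from the set (the ticket's proposal) and the cross-issuer 'kid' collision described at the top of this message, as an added Python example that is not part of the thread or of any JOSE implementation. The issuer URLs, JWK sets and key values are constructed; fetch_jwk_set stands in for an HTTPS fetch; and the fragment-as-kid rule is assumed from the ticket text, not from the JWK specification.

```python
"""Key lookup against JWK sets, illustrating two points from the jose thread.

1. A "jku" URI with a fragment can select a single key by "kid" (the rule in
   ticket #16; assumed here, not specified by JWK itself).
2. "kid" values are chosen by each issuer, so a recipient that accepts keys
   from several issuers must index by (issuer, kid), not by kid alone.
"""
import json
from urllib.parse import urldefrag

# Constructed sample JWK sets, one per issuer. Both issuers happen to use
# kid "1" for different keys, which is exactly the collision the recipient
# has to cope with. The "k" values are placeholders, not real base64url keys.
JWK_SETS = {
    "https://b.example/keys.json": json.dumps({"keys": [
        {"kty": "oct", "kid": "1", "k": "B-key-1"},
        {"kty": "oct", "kid": "2", "k": "B-key-2"},
    ]}),
    "https://c.example/keys.json": json.dumps({"keys": [
        {"kty": "oct", "kid": "1", "k": "C-key-1"},
    ]}),
}


def fetch_jwk_set(url):
    """Stand-in for an HTTPS fetch of a JWK set; returns the parsed document."""
    return json.loads(JWK_SETS[url])


def select_key(jwk_set, kid):
    """Return the one key in the set whose kid matches; refuse ambiguity."""
    matches = [k for k in jwk_set["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one key with kid={kid!r}, found {len(matches)}")
    return matches[0]


def resolve_jku(jku):
    """Resolve a jku URI; the fragment, if present, names the kid to select."""
    url, fragment = urldefrag(jku)
    jwk_set = fetch_jwk_set(url)
    if not fragment:
        # Without a fragment the URI only identifies a set, not a key.
        raise ValueError("jku identifies a key set, not a single key; a kid is required")
    return select_key(jwk_set, fragment)


class KeyStore:
    """Recipient-side cache of keys learned from several issuers."""

    def __init__(self):
        self.by_kid = {}           # naive index: kid only
        self.by_issuer_kid = {}    # safe index: (issuer, kid)

    def add(self, issuer, key):
        kid = key["kid"]
        self.by_kid[kid] = key                    # silently overwrites on collision
        self.by_issuer_kid[(issuer, kid)] = key   # issuer scoping keeps both

    def lookup_naive(self, kid):
        return self.by_kid[kid]["k"]

    def lookup(self, issuer, kid):
        return self.by_issuer_kid[(issuer, kid)]["k"]


def build_store():
    """Load every issuer's JWK set into one recipient-side store (issuer B, then C)."""
    store = KeyStore()
    for issuer, url in (("B", "https://b.example/keys.json"),
                        ("C", "https://c.example/keys.json")):
        for key in fetch_jwk_set(url)["keys"]:
            store.add(issuer, key)
    return store


if __name__ == "__main__":
    print(resolve_jku("https://b.example/keys.json#2")["k"])
    store = build_store()
    print("naive kid lookup:", store.lookup_naive("1"))   # B's key was overwritten
    print("issuer-scoped:", store.lookup("B", "1"), store.lookup("C", "1"))
```

The naive index shows the failure mode from the message: once C's set is loaded, a token from B carrying kid "1" would be verified against C's key (or, for symmetric keys, C could mint tokens that verify as B's). Scoping the lookup by the issuer the token claims to come from, or requiring issuers to use globally unique URI-like kids, removes the ambiguity.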