Re: [jose] The role of JWK
Sergey Beryozkin <sberyozkin@gmail.com> Thu, 14 August 2014 22:49 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6AEB1A8948 for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 15:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dbt1sAquyhfQ for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 15:49:36 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EC721A8947 for <jose@ietf.org>; Thu, 14 Aug 2014 15:49:36 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id n3so151658wiv.5 for <jose@ietf.org>; Thu, 14 Aug 2014 15:49:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=EVG+kkNyYS2LGH8mhJj16angx5GQBheHEx2BF5ID5o4=; b=ozAZJspPavUcsDN+BlfQ+zofWllRAIpCz15eYVlpYJ0XWopxyxJdrZKDFBR6x6NO6O HnqRcvxgZsvT8hPjPzLp8NOYQ1aVa92BLsXcO6nyJCN4HR4a2CVeaUQPHVUjTMmj9kxt 6e+lY0vFeiaC2EDP4+qZIbpEi0dhVaswfOMKY06GdCafYVtwMM+bE+1OYjms+1/1fnBb cYTng6yMoV33g0gdhyue/yeFdwLa6SZAWK3gSFjvB8wDGtu1Rqg/PMS5d2t/8ltzchtl tUTsHfnogjyE+UzkWpLa7fmCwOQq571ZsS2SMYeNouFZW9ARh/DAIPjsuYgcUBTMuI1n CWnA==
X-Received: by 10.194.104.72 with SMTP id gc8mr14037475wjb.105.1408056574827; Thu, 14 Aug 2014 15:49:34 -0700 (PDT)
Received: from [192.168.2.7] ([109.255.231.6]) by mx.google.com with ESMTPSA id ga2sm14261100wjb.44.2014.08.14.15.49.33 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Aug 2014 15:49:34 -0700 (PDT)
Message-ID: <53ED3CFA.7040108@gmail.com>
Date: Thu, 14 Aug 2014 23:49:30 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>, Richard Barnes <rlb@ipv.sx>
References: <4E1F6AAD24975D4BA5B16804296739439AE1989B@TK5EX14MBXC293.redmond.corp.microsoft.com> <53EC868E.4000000@gmail.com> <CAL02cgS7LxLBWNRdh5EOKwyuiBSsR0jsmMz49c9xztfZehZP_A@mail.gmail.com> <53ECCFF8.9090305@mitre.org> <53ECE6F6.8000400@gmail.com> <53ECEE85.4010505@mitre.org> <53ECF476.9020009@gmail.com> <53ECF765.4090004@mitre.org>
In-Reply-To: <53ECF765.4090004@mitre.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/5TH2zRxekoneu3W8GJDv6sqxSTA
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] The role of JWK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 22:49:38 -0000
Hi Justin, and all, thanks again, I've got plenty of information real fast, very nice, As far as I understand the regular browser would not support public JWKs natively (just) yet which is what I was curious about; but I got the points about JWK being the standard container of the public or public/private key properties providing for the ease of use & storage. Look forward to reviewing the all the additional material I've got the links too Cheers, Sergey On 14/08/14 18:52, Justin Richer wrote: > >> Can you please give me a favor and address a couple of questions I >> asked in the previous message too ? > > Sure, I missed those before. > >> >> Cheers, Sergey >>>> >>>>> Services are starting to publish their public keys as JWK instead of >>>>> X509, since a JWK doesn't require a trusted CA and can be much more >>>>> easily rotated at runtime. >>>> Sorry if it is off-topic, is JWK representing a public key (the public >>>> exponent) is effectively a self-signed public key/cert ? What provides >>>> the extra trust into such JWK ? I've heard here about JWK Thumbprints ? > > It's all based on how you get the JWK -- either from a trusted HTTPS > URI, or out of band in a configuration, or what have you. Don't think of > the JWK as a certificate, think of it as a keypair. It's not signed or > issued with a certification chain or anything that you'd expect from > X509. Instead, it's literally the raw keys. If you're fetching it from a > URL, it's going to be the public keys only. If you're using it for > configuring an app or building a local keypair store, it's going to have > both the public and private key parts. > >>>> >>>>> >>>>> Whenever we deploy a new copy of our server somewhere, we also pull >>>>> down >>>>> this program and run it to generate a new JWK key set (with public and >>>>> private keys) that we use to start up the server. The alternative, >>>>> which >>>>> we used to do, was to use OpenSSL to generate a self-signed X509 >>>>> certificate that we effectively threw away the trust chain for -- lots >>>>> of extra effort to create information that we didn't want and then >>>>> ignore it on the far end, all to get a simple keypair. It was >>>>> unnecessarily complex from all ends, and the switch to JWK has been >>>>> much >>>>> nicer to deal with. >>>>> >>>> Is the simplicity of making a demo application running fast a major >>>> factor of preferring JWK to self-signed X509 ? What about the >>>> synchronization between the existing X509-based key storage and the >>>> new JWK-aware storages ? >>>> > > It's not runtime execution that's driving things for us, it's ease of > development, lower code complexity, and deployment management. > > We haven't needed to synchronize the two kinds of storage mechanisms, > but you could always do what we used to do when we were using a Java > x509 keystore for our server: parse the certificates, dutifully ignore > all of the certificate chain validation (since they were self-signed > anyway), and extract the bare keys. These keys can be easily represented > in JWK for JWK-aware apps, while X509 apps can use the existing certs > directly. Alternatively you could programmatically generate self-signed > X509 certs based on the raw keys from a JWK. We looked into doing that > at one point, but the APIs for handling this (in Java, at least) were > absolutely awful. > > So now we just use JWKs in our OAuth infrastructure, both clients and > servers. The keystore is a JSON text file that we can squirrel away on a > safe part of the server, remote keys are fetched over HTTPS and easily > parsed, and everything works quite swimmingly. > > -- Justin > > -- Justin
- [jose] JWK Elliptic Curve key representations and… Mike Jones
- Re: [jose] JWK Elliptic Curve key representations… Daniel Holth
- Re: [jose] JWK Elliptic Curve key representations… Mike Scott
- [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Stephen Farrell
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Mike Jones
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Brian Campbell
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Kathleen Moriarty
- Re: [jose] JWK Elliptic Curve key representations… Mike Jones
- Re: [jose] JWK Elliptic Curve key representations… Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Brian Campbell
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Anders Rundgren
- Re: [jose] The role of JWK Sergey Beryozkin
- [jose] Does A128GCMKW qualify as key wrap or encr… Sergey Beryozkin
- Re: [jose] Does A128GCMKW qualify as key wrap or … Mike Jones