Re: [jose] x5c, x5u, x5t don't apply to all key types

Mike Jones <Michael.Jones@microsoft.com> Tue, 30 July 2013 11:06 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Date: Tue, 30 Jul 2013 11:05:53 +0000
Subject: Re: [jose] x5c, x5u, x5t don't apply to all key types

You're right - 5.3.3 should be 5.4.  This is now fixed in my editor's draft.  Thanks again for your diligence.

                                                            -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Tuesday, July 30, 2013 3:16 AM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] x5c, x5u, x5t don't apply to all key types



On Tue, Jul 30, 2013 at 11:08 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Draft -14 now says "members that are common to multiple key types".

WFM. Thanks.

> And the incorrectly numbered sections are actually gone.

Actually, 3.3.3 still looks problematic, "JWK Parameters for Symmetric Keys" lines up as though it's part of RSA.

   5.  Cryptographic Algorithms for JWK . . . . . . . . . . . . . . . 33
     5.1.  "kty" (Key Type) Parameter Values for JWK  . . . . . . . . 33
     5.2.  JWK Parameters for Elliptic Curve Keys . . . . . . . . . . 33
       5.2.1.  JWK Parameters for Elliptic Curve Public Keys  . . . . 33
        [...]
       5.2.2.  JWK Parameters for Elliptic Curve Private Keys . . . . 34
         5.2.2.1.  "d" (ECC Private Key) Parameter  . . . . . . . . . 34
     5.3.  JWK Parameters for RSA Keys  . . . . . . . . . . . . . . . 35
       5.3.1.  JWK Parameters for RSA Public Keys . . . . . . . . . . 35
        [...]
       5.3.2.  JWK Parameters for RSA Private Keys  . . . . . . . . . 35
        [...]
       5.3.3.  JWK Parameters for Symmetric Keys  . . . . . . . . . . 37
         5.3.3.1.  "k" (Key Value) Parameter  . . . . . . . . . . . . 37

(TOC of draft-ietf-jose-json-web-algorithms-14, section 5: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-5)



From: Mike Jones
Sent: Wednesday, July 17, 2013 1:55 PM
To: 'Brian Campbell'; jose@ietf.org
Subject: RE: [jose] x5c, x5u, x5t don't apply to all key types

Thanks for noticing this.  How about "members that are common to all public key types"?

You're right about the section numbering.  I'll fix that.

                                                            Thanks again,
                                                            -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Wednesday, July 17, 2013 12:34 PM
To: jose@ietf.org
Subject: [jose] x5c, x5u, x5t don't apply to all key types

Section 3 of JWK [1] defines "members that are common to all key types" and includes among those members x5c, x5u and x5t. However, the x5X parameters are relevant only for half the key types defined in JWA - they don't really make sense for "oct" [2] or "PBKDF2" [3].
Not sure the best way to address this but it seems kind of awkward as it is. Maybe move them into the EC and RSA type definitions (or something common to both) or somehow add some qualifying text saying that they can only be used with key types utilizing public keys?
As I was looking up the URLs below I noticed that the section alignment in section 5 of JWA is a little off. I think 5.3.3 and 5.3.4 should probably be 5.4 and 5.5 respectively. Right now they line up as though they were part of the RSA key type.

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-13#section-3
[2] http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-13#section-5.3.3
[3] http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-13#section-5.3.4
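
An added example (editor's code, not from the thread or from the JWK/JWA drafts) of the rule Brian proposes above: a small JWK validator that admits x5c, x5u and x5t only on key types that carry a public key (RSA, EC), rejects them on "oct", and, where a certificate chain is present, checks that x5t is the base64url SHA-1 thumbprint of the DER in x5c[0] (and x5t#S256 the SHA-256 thumbprint, a member that only appears in the final RFC 7517) and that x5u uses https, since the fetch must be integrity-protected. The certificate bytes, key values and URLs in sample_jwks() are constructed placeholders, not real certificates or keys. Confirming that the certificate's public key actually equals the JWK's n/e or x/y needs an ASN.1 parser and is deliberately left out; a production validator must do that too.

```python
"""Validate the X.509 binding members of a JWK against its key type.

Added example for the [jose] thread on x5c/x5u/x5t; not code from the
JWK or JWA drafts.  Assumes Python 3.9+ and only the standard library.
"""
import base64
import hashlib
from urllib.parse import urlparse

# Key types that carry a public key and can therefore be bound to a certificate.
PUBLIC_KEY_TYPES = {"RSA", "EC"}
# Members that bind a JWK to an X.509 certificate (JWK section 3; RFC 7517 section 4).
X509_MEMBERS = ("x5c", "x5u", "x5t", "x5t#S256")
# Parameters each key type must carry (JWA section 5; RFC 7518 section 6).
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "oct": ("k",)}

# Constructed placeholder standing in for a DER-encoded certificate. It is NOT
# a real certificate; it only lets the thumbprint arithmetic be exercised.
FAKE_LEAF_DER = b"\x30\x82\x01\x00 constructed placeholder, not a real certificate"
FAKE_LEAF_B64 = base64.b64encode(FAKE_LEAF_DER).decode("ascii")  # x5c uses plain base64


def b64url_nopad(raw: bytes) -> str:
    """base64url without padding, the encoding JWK uses for thumbprints."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_jwk(jwk: dict) -> list:
    """Return a list of problems; an empty list means the JWK passes."""
    problems = []
    kty = jwk.get("kty")
    if not isinstance(kty, str):
        return ['missing or non-string "kty"']
    for name in REQUIRED.get(kty, ()):
        if name not in jwk:
            problems.append(f'kty={kty} requires "{name}"')

    present = [m for m in X509_MEMBERS if m in jwk]
    if present and kty not in PUBLIC_KEY_TYPES:
        # The point of the thread: a symmetric (or PBKDF2) key has nothing a
        # certificate could certify, so these members are meaningless here.
        problems.append(f"{present} not allowed on kty={kty}: no public key to certify")
        return problems

    if "x5u" in jwk and urlparse(jwk["x5u"]).scheme != "https":
        problems.append('"x5u" must be fetched with integrity protection (https)')

    chain = jwk.get("x5c")
    if chain is not None:
        if not isinstance(chain, list) or not chain:
            problems.append('"x5c" must be a non-empty list of base64 DER certificates')
        else:
            try:
                leaf_der = base64.b64decode(chain[0], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append('"x5c"[0] is not valid base64')
            else:
                # x5t / x5t#S256 are thumbprints of the leaf certificate's DER.
                if "x5t" in jwk and jwk["x5t"] != b64url_nopad(hashlib.sha1(leaf_der).digest()):
                    problems.append('"x5t" does not match SHA-1 of x5c[0]')
                if "x5t#S256" in jwk and jwk["x5t#S256"] != b64url_nopad(hashlib.sha256(leaf_der).digest()):
                    problems.append('"x5t#S256" does not match SHA-256 of x5c[0]')
    # Not checked here: that the leaf certificate's public key equals n/e or
    # x/y in the JWK.  That needs an ASN.1/X.509 parser and is mandatory in
    # a real validator.
    return problems


def sample_jwks() -> dict:
    """Constructed sample JWKs (placeholder key values and URLs)."""
    good_thumb = b64url_nopad(hashlib.sha1(FAKE_LEAF_DER).digest())
    rsa = {"kty": "RSA", "n": "placeholder-n", "e": "AQAB"}
    ec = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    return {
        "rsa_with_cert": {**rsa, "x5c": [FAKE_LEAF_B64], "x5t": good_thumb,
                          "x5u": "https://example.com/cert.pem"},
        "rsa_bad_thumb": {**rsa, "x5c": [FAKE_LEAF_B64], "x5t": "AAAA"},
        "ec_http_x5u": {**ec, "x5u": "http://example.com/cert.pem"},
        "oct_plain": {"kty": "oct", "k": "placeholder-k"},
        "oct_with_cert": {"kty": "oct", "k": "placeholder-k", "x5c": [FAKE_LEAF_B64]},
    }


if __name__ == "__main__":
    for name, jwk in sample_jwks().items():
        print(f"{name}: {validate_jwk(jwk) or 'ok'}")
```

Running the block prints one line per sample; only rsa_with_cert and oct_plain come out "ok". The "oct_with_cert" case is the one the thread is about: the JWK is otherwise well-formed, so a validator that treats x5c as a member "common to all key types" would accept it without noticing that there is no public key for the certificate to vouch for.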