Re: [jose] JWK Parameter Registry Considerations
Richard Barnes <rlb@ipv.sx> Tue, 19 March 2013 17:30 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D7C521F8DE1 for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 10:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.108
X-Spam-Level:
X-Spam-Status: No, score=-1.108 tagged_above=-999 required=5 tests=[AWL=-0.683, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oosCzYr2ixuF for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 10:30:26 -0700 (PDT)
Received: from mail-ob0-x232.google.com (mail-ob0-x232.google.com [IPv6:2607:f8b0:4003:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 9A85221F8DAE for <jose@ietf.org>; Tue, 19 Mar 2013 10:30:26 -0700 (PDT)
Received: by mail-ob0-f178.google.com with SMTP id wd20so710790obb.9 for <jose@ietf.org>; Tue, 19 Mar 2013 10:30:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=hfQOdmia1WRfmozGhRZfVfKBIXvYMT1eO+nAolWU1vs=; b=MFWg/zFgF/zUJyFhBlmzIJiYzrPy9O9JQoFf8WwpViaevuT3o555GQcZ3hedb4oXmN Iu9+louaIu/RCu8mkLdkclC2YF15m7i+kVFk7oWyfyil2ndeb8XxR4BFKJJx5sw2+aYI C9sLWJ0tsZEKilD8FI3vRODTrHrgiemPd2TwE7fI+dx0AYJs01M/+YorkOj5fhwZRCxS IYxj/d9eRUVzUJtrqAUbJJsgPBDSF+j0xEw3p7pP1ZmnfxfBHfSj2cGfsT1nYoyb94zS 51xuGhUXUdjD9n4T9W5msjqqLLMlDeTVzJjMTzPVDU/wBPtCwz7yhuHnixFY0VeEqdq9 SO0w==
MIME-Version: 1.0
X-Received: by 10.60.14.71 with SMTP id n7mr1820488oec.135.1363714226079; Tue, 19 Mar 2013 10:30:26 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Tue, 19 Mar 2013 10:30:25 -0700 (PDT)
X-Originating-IP: [192.1.255.184]
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED9411517BB87@xmb-aln-x11.cisco.com>
References: <BF7E36B9C495A6468E8EC573603ED9411517BB87@xmb-aln-x11.cisco.com>
Date: Tue, 19 Mar 2013 13:30:25 -0400
Message-ID: <CAL02cgQcFCabXj00jHYg6wynhY6JChvGnJHVuaxF1pc0rX4rTg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Content-Type: multipart/alternative; boundary="e89a8f2353bf055eaa04d84a76f2"
X-Gm-Message-State: ALoCoQkrKMKb/32VY4zSxu5SLyOfpdeDk0Wb2xzoawBBlat0TNMUEyVjeDgc//44opgzwRgJnypD
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWK Parameter Registry Considerations
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 17:30:28 -0000
> 1) Should JWK parameter names be absolutely unique, or are they
> potentially tied to a specific JWK type? In looking at the specs to date,
> I think there's only one case where a parameter name is re-used ("d" for
> both private RSA and ECC keys); currently syntactically and semantically
> identical, but I'm not sure that's adequate.
>
I think it makes sense for parameter names to be potentially contingent on
key type. Emphasis on "potentially" -- there could be attributes that are
the same for all key types. I would also propose that we make "kty" a
mandatory attribute.
> 2) Should JWK parameters be marked as private (confidential, secret,
> privileged, etc etc)? The current documentation set loosely defines this
> only because they are current split between multiple documents. However, I
> wonder if there is value in being much more explicit about it, including in
> a parameter's registration.
>
If we fold JPSK in to JWA (which we should do), then ISTM that we should
also note which parameters are private, in the sense of "have a column in
the registry that marks this as a "private" parameter". Note that
designation as private would not necessarily imply that you MUST do any
particular thing. One can envision, for example, cases where it might be
safe to pass private keys in plaintext (e.g., over TLS).
One other question:
3) Should we remove "policy" attributes from JWK? The current JWK spec
includes a variety of attributes that are not directly specifying parts of
the key, namely "use" and "alg". These are application-related fields, and
run the risk of conflicting with existing applications' attributes. For
example, the WebCrypto API has a notion of key usages and algorithm
restriction, but the values they use do not map to the "use" and "alg"
values. Should we align with WebCrypto (and risk conflicting with other
apps), or remove the policy bits altogether (and require apps to align
themselves)? FWIW, I am fine with "kid" staying there, because (1) it's
opaque, and (2) it's actually used in JOSE processing.
- [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)
- Re: [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)
- Re: [jose] JWK Parameter Registry Considerations Richard Barnes
- Re: [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)
- Re: [jose] JWK Parameter Registry Considerations Brian Campbell
- Re: [jose] JWK Parameter Registry Considerations Richard Barnes
- Re: [jose] JWK Parameter Registry Considerations Manger, James H
- Re: [jose] JWK Parameter Registry Considerations Richard Barnes
- Re: [jose] JWK Parameter Registry Considerations Daniel Holth
- Re: [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)