Re: [jose] jwk

<Axel.Nennker@telekom.de> Thu, 01 November 2012 12:41 UTC

From: Axel.Nennker@telekom.de
To: Michael.Jones@microsoft.com, ignisvulpis@gmail.com, jose@ietf.org
Date: Thu, 01 Nov 2012 13:41:20 +0100

I think that the example public keys that I used in my email (Oct 24) are exactly that: Base64-encoded SubjectPublicKeyInfo.

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, November 01, 2012 12:38 PM
To: Axel Nennker; jose@ietf.org
Subject: Re: [jose] jwk

Sitting next to Eric Rescorla and Richard Barnes at the WebCrypto F2F, they just provided additional useful information on your question, Axel.  Specifically, they pointed out that a standard ASN.1 representation of bare keys is the DER encoding of the RFC 5280 SubjectPublicKeyInfo element (which contains an algorithm and a key representation) - often referred to as SPKI.  Just to be clear, this is not a certificate (containing no signature, subject, etc.).

So a fair question is whether JOSE also wants to support SPKI public keys, rather than just X.509 certificates and JWK keys.  I hear you saying "yes", Axel, and I think Nat was saying "yes" as well.  Discussions last week at the F2F OpenID Connect working meeting also make me think that some others would also answer this "yes".

If we want to do this, would people suggest that we do this with a new header parameter containing a SPKI key value?  Also, would we always pass SPKI keys by value, or do people believe that it's also important to pass them by reference (just like we have both x5c and x5u parameters)?

                                                            -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Axel Nennker
Sent: Monday, October 29, 2012 4:56 PM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] jwk

Encoding public keys as self-signed certs: That is a hack. Not that I am opposed to hacks but this is too much.
2012/10/29 Mike Jones <Michael.Jones@microsoft.com>
"x5c" helps because you can represent a bare key as a self-signed cert in PEM format in the "x5c" parameter.  The JOSE specs already support PEM-encoded keys.

                                                            -- Mike

From: Axel Nennker [mailto:ignisvulpis@gmail.com]
Sent: Wednesday, October 24, 2012 2:14 PM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: jwk

In the case where I generate the keypair on the fly I do not have a URL to put in x5u. And a cert is not a public key. I want bare keys.
I don't know how x5u and x5c help here.

I have the problem that I don't know how to convert (exp,mod) into a pubkey on one platform (Firefox). I think that PEM is easier.
I think the same might be true on other platforms too.

Another reason I think that PEM is better is that there are command line tools to produce PEM-encoded keys while I don't know any tool to produce (exp, mod).

--Axel
2012/10/24 Mike Jones <Michael.Jones@microsoft.com>

To be clear, JWS and JWE already support the use of PEM encoded keys through the "x5c" and "x5u" parameters.  Therefore, I don't see any need to also add X.509-based key formats to JWK itself.

                                                            -- Mike

From: Axel Nennker [mailto:ignisvulpis@gmail.com]
Sent: Wednesday, October 24, 2012 12:55 PM
To: jose@ietf.org
Cc: Mike Jones
Subject: jwk

I think that having more choices other than (exp, mod) is useful.
I believe that it is easier for me to implement keys in Firefox if I have PEM encoded keys.

So the format could be:

user_jwk : {"pub": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQI yP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYc n+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrk KX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3 gwIDAQAB" }
// PEM encoded public key without linebreaks

A more general format would be:

jwk: { "-----BEGIN PUBLIC KEY-----": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQI yP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYc n+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrk KX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3 gwIDAQAB"
}

This general format could be used for private keys too.

What do you think?

Axel

ps: Don't know whether I can post from this email address... Mike, would you please post it if it does appear in your inbox but not on the list. Thanks.
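What Mike calls SPKI and what Axel's "-----BEGIN PUBLIC KEY-----" base64 carries are the same bytes, and the JWK (exp, mod) pair is just the two INTEGERs nested inside that structure. The following is an added example, not code from this thread or from any JOSE library: a dependency-free Python converter between an RSA JWK and DER SubjectPublicKeyInfo, plus the PEM wrapper, so the "(exp, mod) to pubkey" step Axel asks about is visible byte by byte. It relies only on the rsaEncryption OID from RFC 3279 and the DER encoding rules; any key values fed to it here are constructed integers, not real keys.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption (RFC 3279)
def int_to_b64url(value):  # JWK "n"/"e": unpadded base64url of the big-endian magnitude
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_to_int(text):
    return int.from_bytes(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)), "big")

def der_tlv(tag, body):  # tag + minimal definite-form length + body
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(value):  # DER INTEGER is signed: prepend 0x00 when the top bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def der_read(buf, pos=0):  # -> (tag, body, position just after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def jwk_to_spki(jwk):  # RSA JWK {"n","e"} -> DER SubjectPublicKeyInfo (RFC 5280) over RSAPublicKey
    rsa_public_key = der_tlv(0x30, der_int(b64url_to_int(jwk["n"])) + der_int(b64url_to_int(jwk["e"])))
    algorithm = der_tlv(0x30, RSA_OID + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits

def spki_to_jwk(der):  # DER SubjectPublicKeyInfo -> RSA JWK; refuses anything but rsaEncryption
    tag, spki, _ = der_read(der)
    alg_tag, algorithm, pos = der_read(spki)
    if tag != 0x30 or alg_tag != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bits_tag, bit_string, _ = der_read(spki, pos)
    if bits_tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = der_read(bit_string, 1)  # skip the unused-bits byte
    _, n_raw, pos = der_read(rsa_public_key)
    _, e_raw, _ = der_read(rsa_public_key, pos)
    return {"kty": "RSA", "n": int_to_b64url(int.from_bytes(n_raw, "big")), "e": int_to_b64url(int.from_bytes(e_raw, "big"))}

def spki_to_pem(der):  # PEM "PUBLIC KEY"; the base64 body, joined, is what Axel's "pub" value holds
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"
```

For any 2048-bit modulus with e = 65537 the PEM body begins with "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA", the same prefix seen in Axel's example, because that is the fixed SEQUENCE/OID/BIT STRING framing before the first modulus byte.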