Re: [jose] Encrypted JWK in JWK set

"Manger, James H" <> Mon, 14 October 2013 07:09 UTC

From: "Manger, James H" <>
To: Richard Barnes <>, "" <>
Date: Mon, 14 Oct 2013 18:09:40 +1100

> I was thinking today about how it would be nice to replace PKCS#12 with
> something JWK-based.  For background, PKCS#12 is a format that can
> store a certificate (unencrypted) alongside an encrypted private key.

I agree. A JWK-based alternative for PKCS#12 for Java keystores should be possible.

> It seems to me like the obvious thing would be to replace this with a
> JWK Set containing two keys: (1) a public key with the certificate in
> the "x5t" attribute, and (2) the corresponding private key as an
> Encrypted JWK.

I'm not so sure about that design.
It means a public/private key pair are 2 key entries, whereas currently they are 1.

It means an Encrypted JWK and a plain key entry can both appear in the same slot (entries in the "keys" array) so they need to be distinguished. I guess by "Encrypted JWK" you mean the JOSE serialization of a JWE whose content is a JWK. Will you look for a "kty" field? Looking at an "alg" field is unlikely to work.

PKCS#12 (and Java keystores) can store a certificate in the clear, but it is still integrity-protected by a MAC keyed with a password. Mixing plain JWKs and Encrypted JWKs does not give the same security properties.

Another option could be to put a JWE as a field in a JWK. Or to expect people to protect all the private keys and associated public keys together in a single JWE (Encrypted JWK) when any part needs protection. It means you cannot get the public key without the password. Does that kill the required functionality, or is that ok in 99% of cases?

> However, it's not immediately clear to me that the JWK Set format in
> -17 allows this.  Proposed edit to clarify:
> OLD: "The value of the "keys" member is an array of JWK values"
> NEW: "The value of the "keys" member is an array of JWK and/or
> Encrypted JWK values"
> Thoughts?

James Manger
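
The question raised in this message, how a reader of a mixed "keys" array would tell a plain JWK from an Encrypted JWK, can be sketched as follows. This is an added example, not part of the original e-mail or of any JOSE draft; it assumes the member names of the published JWK and JWE specifications (RFC 7517, RFC 7516), and `classify_entry`, `audit_set` and the sample set are hypothetical.

```python
import base64
import json

def _b64url_json(segment):
    """Decode an unpadded base64url segment into a JSON object, or None."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify_entry(entry):
    """Return 'jwk', 'jwe-json', 'jwe-compact' or 'reject' for one "keys" entry."""
    if isinstance(entry, str):
        parts = entry.split(".")
        header = _b64url_json(parts[0]) if len(parts) == 5 else None
        # A JWE protected header has to name both "alg" and "enc".
        if header and "alg" in header and "enc" in header:
            return "jwe-compact"
        return "reject"
    if not isinstance(entry, dict):
        return "reject"
    has_kty, has_ct = "kty" in entry, "ciphertext" in entry
    if has_kty and has_ct:
        return "reject"  # ambiguous entry: refuse rather than guess
    if has_kty:
        return "jwk"     # "alg" is not consulted: a JWK may carry it too
    return "jwe-json" if has_ct else "reject"

def audit_set(jwk_set):
    """Classify every entry and flag sets mixing clear and encrypted entries."""
    kinds = [classify_entry(e) for e in jwk_set.get("keys", [])]
    mixed = "jwk" in kinds and any(k.startswith("jwe") for k in kinds)
    return kinds, mixed

# Constructed sample set: placeholder values, no real key material.
_HDR = base64.urlsafe_b64encode(json.dumps(
    {"alg": "A128KW", "enc": "A128GCM", "cty": "jwk+json"}).encode()).rstrip(b"=").decode()
SAMPLE = {"keys": [
    {"kty": "RSA", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"protected": _HDR, "encrypted_key": "x", "iv": "x", "ciphertext": "x", "tag": "x"},
    _HDR + ".x.x.x.x",
    {"alg": "RS256"},  # neither "kty" nor "ciphertext": cannot be classified
]}
```

A set reported as mixed is the case the message warns about: the clear entries carry no integrity protection of their own, unlike a certificate stored in a PKCS#12 file.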