[jose] x5c, x5u, x5t don't apply to all key types

Brian Campbell <bcampbell@pingidentity.com> Wed, 17 July 2013 19:34 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C4C9511E80F0 for <jose@ietfa.amsl.com>; Wed, 17 Jul 2013 12:34:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id DGGQFEsuCEgP for <jose@ietfa.amsl.com>; Wed, 17 Jul 2013 12:34:48 -0700 (PDT)
Received: from na3sys009aog129.obsmtp.com (na3sys009aog129.obsmtp.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0255811E80E2 for <jose@ietf.org>; Wed, 17 Jul 2013 12:34:47 -0700 (PDT)
Received: from mail-ie0-f176.google.com ([]) (using TLSv1) by na3sys009aob129.postini.com ([]) with SMTP ID DSNKUebx15IyP22DQEP8nmmaB3IVuf3IvkEK@postini.com; Wed, 17 Jul 2013 12:34:48 PDT
Received: by mail-ie0-f176.google.com with SMTP id ar20so4985646iec.21 for <jose@ietf.org>; Wed, 17 Jul 2013 12:34:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type :x-gm-message-state; bh=7bFFQ+rifpJuuhEVez8qimnoA3M8rr+XdFarbvQ02js=; b=If/nALkKX9WcEUy04VRO+LABtSi1YIqDj/kt0DJRR6cWl9jkZOqPZ/yjdO/gatP1Oj sR0NP4nEYnXv7O7eFVDX1cnM/ALlV5SyfhbNk93wwvn6Z9JlnsotJrWuAis+n6kgQGaB +IvFPnndhvBPkFH8iw2PlIbF2uImL+Lt4WcYkUKt4s6ZmlTRqv0eJIBub/0JQzYBFJ2q M82EMIoYoM5Pxz4uHHERvjU3cV88RW6y5DuDFDrT/4x43Q2sItvFFYFnIRiOX5whyWDp zG6fN11sHDRnmJ+58JMeAVciTaQKkfjdeT6SJIFSHhuZ0cm3I7HRSeG1TX1AaZRLOXTb hZ4Q==
X-Received: by with SMTP id s11mr5356189icr.82.1374089680608; Wed, 17 Jul 2013 12:34:40 -0700 (PDT)
X-Received: by with SMTP id s11mr5356185icr.82.1374089680437; Wed, 17 Jul 2013 12:34:40 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 17 Jul 2013 12:34:10 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 17 Jul 2013 13:34:10 -0600
Message-ID: <CA+k3eCSDiV3mYxZsieR1o5ryTBWM=JnwBDRgbkifLbKs3tm11g@mail.gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Content-Type: multipart/alternative; boundary=20cf3010e7194ad77904e1ba2f12
X-Gm-Message-State: ALoCoQnv5Tms9x6Sx5zrWBPn96jw8IpoTBGcfvc/N/osWULgmEMm/i5M+lbtDHzthJ5N8JWWvZ7XPe13UkjKVc0hz5yhQ8QTUpumiSWDArRg7X4VjcxwHqCoJkb+OY9WN9Fj4wUoHUaO
Subject: [jose] x5c, x5u, x5t don't apply to all key types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 19:34:52 -0000

Section 3 of JWK [1] defines "members that are common to all key types" and
includes among those members x5c, x5u and x5t. However, the x5X parameters
are relevant only for half the key types defined in JWA - they don't really
make sense for "oct" [2] or "PBKDF2" [3].

Not sure the best way to address this but it seems kind of awkward as it
is. Maybe move them into the EC and RSA type definitions (or something
common to both) or somehow add some qualifying text saying that they can
only be used with key types utilizing public keys?

As I was looking up the URLs below I noticed that the section alignment in
section 5 of JWA is a little off. I think 5.3.3 and 5.3.4 should probably
be 5.4 and 5.5 respectively. Right now they line up as though they were
part of the RSA key type.

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-key-13#section-3