Re: [jose] DISCUSS: Is KID sufficiently defined

Sean Turner <turners@ieca.com> Mon, 03 September 2012 22:02 UTC

Message-ID: <504528F9.9010209@ieca.com>
Date: Mon, 03 Sep 2012 18:02:33 -0400
From: Sean Turner <turners@ieca.com>
To: jose@ietf.org
References: <000001cd7c46$c2ecb4a0$48c61de0$@augustcellars.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00B82A@HE111541.emea1.cds.t-internal.com> <CAGipQFkL6X3EebtV6bgVQ1GdteZBZ6GRoYm==rXnK9z5QiON6g@mail.gmail.com> <3F05CE94720C45679B743583BBE2EBD3@bbn.com> <503D0738.3050207@gmx.net>
In-Reply-To: <503D0738.3050207@gmx.net>
Subject: Re: [jose] DISCUSS: Is KID sufficiently defined

I've also got a question about the following:

  When used with a JWK, the "kid" value MAY be used to match a JWK
  "kid" parameter value.

Would you ever include a JWK and not use the kid value to do the match?
I was thinking maybe just r/MAY/is.

spt

On 8/28/12 2:00 PM, Hannes Tschofenig wrote:
> Richard has a point here. Here is the description from:
> http://tools.ietf.org/html/draft-ietf-jose-json-web-key-05#section-4.3
>
> The semantic of the kid is not defined.
>
> So the question is not so much whether it is sufficiently defined but
> more "does it matter that it is not defined?"
>
> The answer depends on what you want to use the key id for. If you ever
> have to assume a structure of the kid then you will have a problem. This
> could, for example, happen when you use it to make some authorization
> decisions and when you compare it against some existing other identities.
>
> I am not even sure what the kid references. Does it always reference a
> key that is included in the payload itself or does it reference a key
> that is external to the payload? Will you ever have the case that you
> need to use part of the identifier structure to find the key? (e.g., to
> discover the right server where the key is stored?)
>
> On 08/28/2012 11:02 AM, Richard Barnes wrote:
>> I voted "NO" on this in the room, because I don't understand it.
>> Could one of you "YES" voters explain it?
>>
>> What does "kid" mean in the context of a public-key wrapped key?  Is
>> it a public key?  If so, in what format?  How about in the context of
>> key agreement?
>>
>> Thanks,
>> --Richard
>>
>>
>
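As an added example (not code from this thread or from any JOSE draft), the following Python shows a verifier-side key lookup that treats "kid" the way the quoted draft text and Hannes' concern suggest it should be treated: as an opaque hint matched exactly against a JWK set's "kid" values, never parsed or resolved, and rejected when it is missing, unknown or ambiguous. The JWK set, key values and compact JWS are constructed placeholders.

```python
import base64
import json

# Constructed sample JWK set; "k"/"n" values are placeholders, not real key material.
JWK_SET = {
    "keys": [
        {"kty": "oct", "kid": "2012-09-signing", "k": "cGxhY2Vob2xkZXI"},
        {"kty": "RSA", "kid": "https://example.com/keys/1", "n": "cGxhY2Vob2xkZXI", "e": "AQAB"},
    ]
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protected_header(jws_compact: str) -> dict:
    """Decode the protected header of a compact JWS (the signature is not checked here)."""
    return json.loads(b64url_decode(jws_compact.split(".")[0]))


def select_key(header: dict, jwk_set: dict) -> dict:
    """Select the single JWK whose "kid" is exactly equal to the header "kid".

    The kid is opaque: compared as a whole string, case-sensitively, and never
    parsed, resolved or fetched, even when it happens to look like a URL.
    """
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("protected header carries no usable kid")
    matches = [k for k in jwk_set.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"kid {kid!r} matched {len(matches)} keys; exactly one required")
    return matches[0]


# Constructed compact JWS whose protected header names the symmetric key above.
SAMPLE_JWS = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "kid": "2012-09-signing"}).encode()),
    b64url_encode(b'{"msg":"hello"}'),
    b64url_encode(b"\x00" * 32),  # placeholder signature bytes, not a valid MAC
])
```

A duplicate "kid" in the set is treated as an error rather than silently picking the first key, since the draft text gives the receiver no rule for breaking such ties.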