[jose] How would x5u really be used with JWE?

Brian Campbell <bcampbell@pingidentity.com> Tue, 22 January 2013 18:10 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 22 Jan 2013 11:10:28 -0700
Message-ID: <CA+k3eCRyew6xdKGQVOf27MK9AqOJ1A2jmhVYF+u=3Q3TMBtEng@mail.gmail.com>
To: "jose@ietf.org" <jose@ietf.org>
Subject: [jose] How would x5u really be used with JWE?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

Is there a concrete use case for this that someone could explain to me?

How does an encrypting party know what URL to use to get the key to
encrypt? I assume some out-of-band exchange. How would key rolling work
then? An an encrypting party would need to a priori know all potential
x5u's of the decrypting party? Which seems dubious. And how would the
decrypting party signal a desired change of keys?

Am I missing something obvious here?
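One way to model the flow the question is asking about, as an added example that is not part of the original post, the JOSE drafts, or any Ping Identity code. It assumes the x5u semantics the JWE specification later settled on (RFC 7516 section 4.1.5: x5u is the URL of the certificate corresponding to the key used to encrypt), and that the "out-of-band exchange" is a discovery step the decrypting party controls. The URLs, certificate bytes and private-key handles are constructed placeholders; `fetch` stands in for an HTTPS GET. The security point a practitioner should take from it: the encrypting party dereferences x5u (over TLS only) to obtain the key, while the decrypting party never dereferences an x5u it receives and uses it purely to select one of its own keys, which is what makes key rolling safe.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    # JOSE base64url: URL-safe alphabet, padding stripped (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def cert_thumbprint(cert_der: bytes) -> str:
    # SHA-256 over the DER certificate, the value an x5t#S256 header carries.
    return b64url_encode(hashlib.sha256(cert_der).digest())


class DecryptingParty:
    """Holds private keys plus the HTTPS URLs at which the matching certs are published."""

    def __init__(self) -> None:
        # x5u URL -> (DER cert served at that URL, private-key handle); all constructed here.
        self._keys: Dict[str, Tuple[bytes, str]] = {}
        self._current: Optional[str] = None

    def publish(self, x5u: str, cert_der: bytes, private_key: str) -> None:
        if not x5u.startswith("https://"):
            raise ValueError("x5u must be served over TLS")
        self._keys[x5u] = (cert_der, private_key)
        self._current = x5u  # newest published key becomes the advertised one

    def retire(self, x5u: str) -> None:
        # Drop a key once its grace period ends; the current key is never retired directly.
        if x5u == self._current:
            raise ValueError("publish a successor before retiring the current key")
        self._keys.pop(x5u, None)

    def current_x5u(self) -> str:
        # Stands in for the out-of-band discovery step (metadata document, configuration).
        if self._current is None:
            raise RuntimeError("no key published yet")
        return self._current

    def serve(self, x5u: str) -> bytes:
        # Stands in for the HTTPS server behind the x5u URL (hypothetical, constructed).
        return self._keys[x5u][0]

    def select_private_key(self, protected_b64: str) -> str:
        header = json.loads(b64url_decode(protected_b64))
        x5u = header.get("x5u")
        # Never dereference an inbound x5u: it is only a hint to pick one of OUR keys.
        if x5u not in self._keys:
            raise KeyError(f"unknown x5u {x5u!r}; JWE was not encrypted to a key we hold")
        cert_der, private_key = self._keys[x5u]
        # If the sender also included x5t#S256, make sure it matches the cert at that URL.
        expected = header.get("x5t#S256")
        if expected is not None and expected != cert_thumbprint(cert_der):
            raise ValueError("x5t#S256 does not match the certificate published at x5u")
        return private_key


def build_protected_header(x5u: str, fetch: Callable[[str], bytes]) -> Tuple[str, bytes]:
    """Encrypting side: fetch the recipient cert from x5u and record which key was used."""
    if not x5u.startswith("https://"):
        raise ValueError("refusing to fetch key material over a non-TLS URL")
    cert_der = fetch(x5u)
    header = {"alg": "RSA-OAEP", "enc": "A256GCM", "x5u": x5u,
              "x5t#S256": cert_thumbprint(cert_der)}
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode()), cert_der


def demo_key_rolling() -> Dict[str, str]:
    rp = DecryptingParty()
    rp.publish("https://rp.example/keys/2013-01.der", b"constructed-cert-jan", "priv-jan")
    hdr_old, _ = build_protected_header(rp.current_x5u(), rp.serve)

    # Rollover: a new cert goes live; senders that re-run discovery get the new URL,
    # while JWEs built against the old URL still decrypt during the grace period.
    rp.publish("https://rp.example/keys/2013-02.der", b"constructed-cert-feb", "priv-feb")
    hdr_new, _ = build_protected_header(rp.current_x5u(), rp.serve)

    result = {"old": rp.select_private_key(hdr_old), "new": rp.select_private_key(hdr_new)}
    rp.retire("https://rp.example/keys/2013-01.der")
    try:
        rp.select_private_key(hdr_old)
        result["after_retire"] = "accepted"
    except KeyError:
        result["after_retire"] = "rejected"
    return result
```

Running `demo_key_rolling()` shows the two answers the question is circling: the encrypting party does not need to know every future x5u in advance, only where to re-discover the current one, and the decrypting party signals a key change simply by publishing a new URL and keeping the old key alive for a grace period. The allowlist check in `select_private_key` is what prevents an inbound x5u from steering the recipient to foreign key material.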