Re: [jose] How would x5u really be used with JWE?

"Matt Miller (mamille2)" <mamille2@cisco.com> Fri, 25 January 2013 23:22 UTC

To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Richard Barnes <rbarnes@bbn.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>

I personally am struggling to find a JWE use-case where x5u is useful.

As far as the XMPP-e2e proposal goes, it basically provides a key exchange protocol, where the recipients provide the sender with their public key information in order to receive the session CMK.  While it's oriented toward "user to user", there might be things to borrow from there.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

On Jan 25, 2013, at 1:37 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> Yes of course signaling to the recipient which private key to use for
> decryption is useful. Though it is unclear to me why one would use x5u or
> x5c in the context of encryption rather than x5t or jku and/or kid. It
> seems the latter ones provide the same functionality in simpler and/or more
> concise ways.
> 
> The intent of my original post to the list wasn't to question the inclusion
> of x5u or x5c in JWE (although I do think it's a fair question) but rather
> to try and better understand what folks had envisioned doing with x5u and
> encryption.  As Richard said, the key identification and roll-over are
> typically application-layer questions. And I'm trying to work through those
> very questions for OpenID Connect[1] right now. JWE does provide some lower
> level constructs to facilitate it at the app layer though (like jku, jwk,
> x5u, x5t, x5c and kid) and, frankly, I didn't fully understand how some of
> them were intended to be used so wanted to ask this group where they had
> originated.
> 
> I haven't yet but will take a look at xmpp-e2e and see if there are any
> concepts that can be borrowed.
> 
> Thanks,
> Brian
> 
> [1] Two issues submitted against Connect on the general topic and the WG
> home page
> http://hg.openid.net/connect/issue/703/key-publication-needs-to-be-reworked
> http://hg.openid.net/connect/issue/704/provide-key-rollover-guidance
> http://openid.net/wg/connect/
> 
> 
> 
> 
> On Fri, Jan 25, 2013 at 11:02 AM, Richard Barnes <rbarnes@bbn.com> wrote:
> 
>> Ok, that sort of makes sense.
>> 
>> Note that in that case, there's no point to sending a cert chain ('x5c'),
>> since it's the recipient's cert you're talking about.  Even 'x5u' is kind
>> of overkill; all you really need is 'x5t'.
>> 
>> 
>> 
>> 
>> On Jan 25, 2013, at 12:43 PM, Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>> 
>>> They're there exactly to let the recipient know which private key to
>>> use for decryption.  Hardly useless...
>>> 
>>>                              -- Mike
>>> 
>>> -----Original Message-----
>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>>> Sent: Friday, January 25, 2013 8:36 AM
>>> To: Brian Campbell
>>> Cc: jose@ietf.org
>>> Subject: Re: [jose] How would x5u really be used with JWE?
>>> 
>>> AFAICT, the X.509 fields in JWE are pretty useless.
>>> 
>>> If you're using key transport (i.e., wrapping the symmetric key in a
>>> public key), then you would use the "jwk" or "jku" fields to reference the
>>> key pair you used to do the wrapping.  The only function of the public key
>>> crypto fields in a JWE is to let the recipient know which private key to
>>> use for decryption.  The recipient already needs to have the private key,
>>> since it obviously won't be in the message.
>>> 
>>> The question of how the encrypting party figures out which public key to
>>> use for a given recipient (and in particular, roll-over), is an
>>> application-layer question, not something that JWE would address.  See the
>>> XMPP end-to-end security doc for an example; they use a separate exchange
>>> to associate a JWK with an XMPP ID.
>>> <http://tools.ietf.org/html/draft-miller-xmpp-e2e>
>>> 
>>> --Richard
>>> 
>>> 
>>> 
>>> 
>>> On Jan 22, 2013, at 1:10 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>> 
>>>> Is there a concrete use case for this that someone could explain to me?
>>>> 
>>>> How does an encrypting party know what URL to use to get the key to
>>>> encrypt? I assume some out-of-band exchange. How would key rolling work
>>>> then? And an encrypting party would need to a priori know all potential
>>>> x5u's of the decrypting party? Which seems dubious. And how would the
>>>> decrypting party signal a desired change of keys?
>>>> 
>>>> Am I missing something obvious here?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
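
The recipient-side lookup discussed in this thread (header fields only tell the recipient which private key it already holds, and `x5t` or `kid` is enough for that), sketched as an added example that is not code from the thread or from any JOSE implementation. It assumes the five-segment JWE compact serialization and `x5t` as the base64url SHA-1 thumbprint of the DER certificate; the keystore, key handles and function names are constructed for illustration.

```python
import base64
import hashlib
import json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def x5t(cert_der: bytes) -> str:
    # x5t is the base64url-encoded SHA-1 digest of the DER certificate.
    return b64u(hashlib.sha1(cert_der).digest())

# Constructed keystore: cert_der values are stand-in bytes, not real
# certificates; "private" is a handle to a key the recipient already holds.
KEYSTORE = [
    {"kid": "enc-2012", "cert_der": b"constructed-old-cert", "private": "handle-old"},
    {"kid": "enc-2013", "cert_der": b"constructed-new-cert", "private": "handle-new"},
]

def sample_jwe(header: dict) -> str:
    # Constructed message: only the header segment is meaningful here.
    return b64u(json.dumps(header).encode()) + ".ek.iv.ct.tag"

def select_private_key(jwe_compact: str, keystore=KEYSTORE) -> str:
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("expected five dot-separated segments")
    header = json.loads(b64u_decode(parts[0]))
    hints = {name: header[name] for name in ("x5t", "kid") if name in header}
    if not hints:
        # x5u/x5c alone are not dereferenced: the key must already be local.
        raise LookupError("header carries no x5t or kid")
    for entry in keystore:
        local = {"x5t": x5t(entry["cert_der"]), "kid": entry["kid"]}
        # Every hint present must agree with the same local entry.
        if all(local[name] == value for name, value in hints.items()):
            return entry["private"]
    raise LookupError("no local key matches the header hints")

if __name__ == "__main__":
    new_cert = KEYSTORE[1]["cert_der"]
    print(select_private_key(sample_jwe({"alg": "RSA-OAEP", "x5t": x5t(new_cert)})))
```

Because both hints must resolve to the same entry, a header whose `kid` and `x5t` point at different keys is rejected rather than silently resolved, which is the case that matters during roll-over.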