Re: [jose] JWK Parameter Registry Considerations
"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 19 March 2013 17:59 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50F9D21F8B64 for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 10:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.47
X-Spam-Level:
X-Spam-Status: No, score=-10.47 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqXYSXNa4Ufp for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 10:59:50 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1CA3221F8B4C for <jose@ietf.org>; Tue, 19 Mar 2013 10:59:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6465; q=dns/txt; s=iport; t=1363715990; x=1364925590; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=9h1rBHTiAF8ucIW9gd67CAOHlOoCP9N8zdMGhgqNdTk=; b=Qi3UeHw9sqGdlm9ctVem1RYnbmtnaOf3Z+mpb7SMdFjXE6WfbO3e0OBp NrBkWoEFO/ey2dhckrNM72oNmXSbL6HwmndBRdkx0kZa95aENy/Au+lUj ubxDtDUhOMt54TdsyiDL+lNcLHQUOhUdQsXNXd7jDJnkcQKompHJH55f6 s=;
X-Files: smime.p7s : 2283
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFADKnSFGtJV2a/2dsb2JhbABDxRuBWhZ0giQBAQEDAXkFCwIBCA4UJAIwJQIEDgUIBogABrIHkBaOXTEHgl9hA488gSiWfYMKgig
X-IronPort-AV: E=Sophos; i="4.84,873,1355097600"; d="p7s'?scan'208"; a="189181862"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-6.cisco.com with ESMTP; 19 Mar 2013 17:59:49 +0000
Received: from xhc-aln-x05.cisco.com (xhc-aln-x05.cisco.com [173.36.12.79]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r2JHxnx1027567 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 19 Mar 2013 17:59:49 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.203]) by xhc-aln-x05.cisco.com ([173.36.12.79]) with mapi id 14.02.0318.004; Tue, 19 Mar 2013 12:59:49 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [jose] JWK Parameter Registry Considerations
Thread-Index: AQHOJKx8FqJE351Np0SzIVUR6z+Zd5itmVqAgAAINQA=
Date: Tue, 19 Mar 2013 17:59:48 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED9411517C9D7@xmb-aln-x11.cisco.com>
References: <BF7E36B9C495A6468E8EC573603ED9411517BB87@xmb-aln-x11.cisco.com> <CAL02cgQcFCabXj00jHYg6wynhY6JChvGnJHVuaxF1pc0rX4rTg@mail.gmail.com>
In-Reply-To: <CAL02cgQcFCabXj00jHYg6wynhY6JChvGnJHVuaxF1pc0rX4rTg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.129.24.68]
Content-Type: multipart/signed; boundary="Apple-Mail=_42EBDC70-D431-4076-BA18-D2D5ADE2D50C"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWK Parameter Registry Considerations
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 17:59:51 -0000
On Mar 19, 2013, at 11:30 AM, Richard Barnes <rlb@ipv.sx> wrote: >> 1) Should JWK parameter names be absolutely unique, or are they >> potentially tied to a specific JWK type? In looking at the specs to date, >> I think there's only one case where a parameter name is re-used ("d" for >> both private RSA and ECC keys); currently syntactically and semantically >> identical, but I'm not sure that's adequate. >> > > I think it makes sense for parameter names to be potentially contingent on > key type. Emphasis on "potentially" -- there could be attributes that are > the same for all key types. I would also propose that we make "kty" a > mandatory attribute. > I do think there are attributes that have identical semantics regardless of key type ("kid", "x5c"? (-: ). Requiring "kty" is probably necessary, but I don't have a firm opinion yet. > > >> 2) Should JWK parameters be marked as private (confidential, secret, >> privileged, etc etc)? The current documentation set loosely defines this >> only because they are current split between multiple documents. However, I >> wonder if there is value in being much more explicit about it, including in >> a parameter's registration. >> > > If we fold JPSK in to JWA (which we should do), then ISTM that we should > also note which parameters are private, in the sense of "have a column in > the registry that marks this as a "private" parameter". Note that > designation as private would not necessarily imply that you MUST do any > particular thing. One can envision, for example, cases where it might be > safe to pass private keys in plaintext (e.g., over TLS). > Completely agree; it's an indicator to applications and implementations that this parameter might warrant additional considerations when present. > One other question: > > 3) Should we remove "policy" attributes from JWK? The current JWK spec > includes a variety of attributes that are not directly specifying parts of > the key, namely "use" and "alg". These are application-related fields, and > run the risk of conflicting with existing applications' attributes. For > example, the WebCrypto API has a notion of key usages and algorithm > restriction, but the values they use do not map to the "use" and "alg" > values. Should we align with WebCrypto (and risk conflicting with other > apps), or remove the policy bits altogether (and require apps to align > themselves)? FWIW, I am fine with "kid" staying there, because (1) it's > opaque, and (2) it's actually used in JOSE processing. I wouldn't consider "kid" a policy attribute anyway; it's pretty clear to me this is critical in properly referencing. Otherwise, I don't have an opinion on the others. - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc.
- [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)
- Re: [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)
- Re: [jose] JWK Parameter Registry Considerations Richard Barnes
- Re: [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)
- Re: [jose] JWK Parameter Registry Considerations Brian Campbell
- Re: [jose] JWK Parameter Registry Considerations Richard Barnes
- Re: [jose] JWK Parameter Registry Considerations Manger, James H
- Re: [jose] JWK Parameter Registry Considerations Richard Barnes
- Re: [jose] JWK Parameter Registry Considerations Daniel Holth
- Re: [jose] JWK Parameter Registry Considerations Matt Miller (mamille2)