Re: [jose] Discuss on

Justin Richer <> Mon, 10 November 2014 21:32 UTC

Date: Mon, 10 Nov 2014 11:31:45 -1000
From: Justin Richer <>
To: Jim Schaad <>, 'Richard Barnes' <>
Cc:,, 'Stephen Farrell' <>
Subject: Re: [jose] Discuss on

It's implemented in some libraries, such as the NimbusDS JOSE-JWT library on Java. However, I don't know of any uses in applications.

-- Justin

/ Sent from my phone /

-------- Original message --------
From: Jim Schaad <> 
Date: 11/10/2014 11:03 AM (GMT-10:00)
To: 'Richard Barnes' <> 
Cc:,, 'Stephen Farrell' <> 
Subject: Re: [jose] Discuss on 

Oh – you're right.  My head is not processing fast enough.
In that case I don’t know of any implementation at the moment for the “oth” parameter.
I am not sure if Stephen is going to force a removal based on that or not.

From: jose [] On Behalf Of Richard Barnes
Sent: Monday, November 10, 2014 10:39 AM
To: Jim Schaad
Cc:; Stephen Farrell
Subject: Re: [jose] Discuss on

What?  I can't speak for Chrome, but Firefox completely ignores the "oth" parameter.

I think you're thinking of the extended, technically not-required RSA private parameters "p", "q", "dp", "dq", "qi".  Firefox and Chrome DO both require those, because the underlying library requires them and we didn't want to implement factoring above the library layer (at least for Firefox).

I'm not sure it makes sense for those parameters to be required at the JWK layer.

On Mon, Nov 10, 2014 at 10:14 AM, Jim Schaad <> wrote:

Based on email that has been sent to the list.  It appears that both Chrome and Firefox have fully implemented the “oth” parameter of RSA private keys.  They actually appear to require that it be present rather than be optional as the document specifies.  However this would mean to me that this parameter is used and you can clear your discuss on that basis.

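Added example, not part of the thread and not code from Firefox, Chrome or any library named in it: the step Richard Barnes calls "factoring above the library layer", written out in Python. Given only "n", "e" and "d", it recovers the primes and fills in "p", "q", "dp", "dq" and "qi". The function names and the sample key are constructed for illustration, and a two-prime modulus (no "oth" member) is assumed.

```python
import base64
import math
import random

def b64u(i: int) -> str:
    """Unpadded base64url of the big-endian integer, as JWK members are encoded."""
    raw = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def recover_primes(n: int, e: int, d: int) -> tuple[int, int]:
    """Factor a two-prime modulus n from a matching (e, d); returns (p, q), p > q."""
    r, t = e * d - 1, 0          # e*d - 1 is a multiple of the group exponent
    while r % 2 == 0:
        r, t = r // 2, t + 1     # e*d - 1 = 2**t * r with r odd
    rng = random.Random(0)       # fixed seed: reproducible, no secrecy needed here
    for _ in range(128):
        y = pow(rng.randrange(2, n - 1), r, n)
        if y in (1, n - 1):
            continue             # this base reveals nothing, try another
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:           # y is a square root of 1 other than +1 or -1
                p = math.gcd(y - 1, n)
                return max(p, n // p), min(p, n // p)
            if x == n - 1:
                break
            y = x
    raise ValueError("no factor found: d does not match (n, e)")

def complete_jwk(n: int, e: int, d: int) -> dict:
    """Build an RSA private JWK carrying the CRT members derived from n, e, d."""
    p, q = recover_primes(n, e, d)
    crt = {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1), "qi": pow(q, -1, p)}
    jwk = {"kty": "RSA", "n": b64u(n), "e": b64u(e), "d": b64u(d)}
    jwk.update({name: b64u(value) for name, value in crt.items()})
    return jwk

# Constructed sample key built from two Mersenne primes; far too small for real use.
SAMPLE_P, SAMPLE_Q, SAMPLE_E = 2**89 - 1, 2**61 - 1, 65537
SAMPLE_N = SAMPLE_P * SAMPLE_Q
SAMPLE_D = pow(SAMPLE_E, -1, (SAMPLE_P - 1) * (SAMPLE_Q - 1))

if __name__ == "__main__":
    for name, value in complete_jwk(SAMPLE_N, SAMPLE_E, SAMPLE_D).items():
        print(f"{name}: {value}")
```

A consumer that accepts keys without the CRT members would need a step like this before handing the key to a library that insists on them.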