[jose] Text for Issue #77

"Jim Schaad" <ietf@augustcellars.com> Thu, 26 September 2013 17:47 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Date: Thu, 26 Sep 2013 10:45:49 -0700
Cc: jose@ietf.org
Subject: [jose] Text for Issue #77
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>

Mike,

I am not happy with the following sentence in section 3.7 of web-key because
I don't believe that it correctly covers the set of issues that need to be
dealt with.  I suggest the following change:

Delete the sentence "The key in the first certificate MUST match the bare
public key represented by other members of the JWK." from the current
paragraph.  This sentence could be replaced with the sentence "The first
certificate MUST be the end user certificate." if you want to keep that
information.  You don't really have that at present, but you do say that it
must be the one that contains the key value.  It is not clear to me that
there would be a problem by simply deleting the sentence.

Add the following as a new paragraph

While there is no requirement that the other fields in a JWK be populated
when an "x5c" member is present, doing so will improve interoperability for
those applications which do not deal with PKIX certificates.  If the fields
are populated, then the contents of the fields MUST be consistent with the
same field in the certificate.  Thus the public keys are required to match;
if the "use" member is present, then it needs to allow for only a subset of
the usages that are permitted by the certificate.  If the fields are
populated, the fields MUST be populated with data from the end user
certificate.

Jim
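The consistency rule proposed in the message above (x5c[0] is the end-entity certificate; bare-key members and "use", when populated, must agree with it) is the kind of check a JWK consumer should actually run, because a JWK whose "x5c" chain and bare key disagree lets a verifier that trusts the certificate and a verifier that uses the bare key reach different conclusions about the same key. The following is an added example written for this page, not code from Jim Schaad, the JOSE working group or the web-key draft. It uses only the Go standard library, handles EC keys only, and maps "use" onto X.509 KeyUsage bits by an assumption of its own (sig requires digitalSignature; enc requires one of keyEncipherment, keyAgreement or dataEncipherment); the draft text does not define that mapping. The sample JWK is constructed at run time from a fresh self-signed certificate, so no real key material is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// JWK carries only the members this check looks at.
type JWK struct {
	Kty string   `json:"kty"`
	Use string   `json:"use,omitempty"`
	Crv string   `json:"crv,omitempty"`
	X   string   `json:"x,omitempty"`
	Y   string   `json:"y,omitempty"`
	X5c []string `json:"x5c,omitempty"`
}

func b64u(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// CheckX5cConsistency applies the proposed rule: x5c[0] is the end-entity
// certificate, and bare-key members or "use", when populated, must agree with
// it. Only EC keys are handled (an assumption made to keep the example short).
func CheckX5cConsistency(jwkJSON []byte) error {
	var k JWK
	if err := json.Unmarshal(jwkJSON, &k); err != nil {
		return err
	}
	if len(k.X5c) == 0 {
		return errors.New("no x5c member")
	}
	der, err := base64.StdEncoding.DecodeString(k.X5c[0]) // x5c is plain base64, not base64url
	if err != nil {
		return fmt.Errorf("x5c[0]: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("x5c[0]: %w", err)
	}
	// Rule 1: populated bare-key members must equal the certificate's key.
	if k.Crv != "" || k.X != "" || k.Y != "" {
		pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
		if !ok || k.Kty != "EC" {
			return errors.New("kty does not match the certificate key type")
		}
		n := (pub.Curve.Params().BitSize + 7) / 8
		if k.Crv != pub.Curve.Params().Name ||
			k.X != b64u(pub.X.FillBytes(make([]byte, n))) ||
			k.Y != b64u(pub.Y.FillBytes(make([]byte, n))) {
			return errors.New("bare key members do not match x5c[0]")
		}
	}
	// Rule 2: a populated "use" must be a subset of the certificate's KeyUsage.
	// The use->KeyUsage mapping below is this example's assumption, not the draft's.
	encBits := x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageDataEncipherment
	switch {
	case k.Use == "" || cert.KeyUsage == 0: // nothing to compare
	case k.Use == "sig" && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0:
		return errors.New(`use "sig" but certificate lacks digitalSignature`)
	case k.Use == "enc" && cert.KeyUsage&encBits == 0:
		return errors.New(`use "enc" but certificate permits no encryption usage`)
	case k.Use != "sig" && k.Use != "enc":
		return fmt.Errorf("unrecognised use %q", k.Use)
	}
	return nil
}

// MakeSampleJWK builds constructed test input: a fresh self-signed P-256
// end-entity certificate limited to digitalSignature, wrapped in a JWK that
// also populates crv/x/y and use. With tamperX set, "x" is corrupted so the
// bare key no longer matches the certificate.
func MakeSampleJWK(use string, tamperX bool) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	x := priv.PublicKey.X.FillBytes(make([]byte, 32))
	y := priv.PublicKey.Y.FillBytes(make([]byte, 32))
	if tamperX {
		x[0] ^= 0xff
	}
	return json.Marshal(&JWK{Kty: "EC", Use: use, Crv: "P-256", X: b64u(x), Y: b64u(y),
		X5c: []string{base64.StdEncoding.EncodeToString(der)}})
}
```

Three inputs exercise the rule: MakeSampleJWK("sig", false) is consistent and passes; MakeSampleJWK("sig", true) carries an "x" that no longer matches x5c[0] and is rejected; MakeSampleJWK("enc", false) asks for a usage broader than the signature-only certificate allows and is also rejected. Note that the check deliberately compares against x5c[0] only, which is the point of the proposed "first certificate MUST be the end user certificate" wording: comparing against any certificate in the chain would let a CA certificate's key satisfy the check.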