[jose] Text for Issue #77
"Jim Schaad" <ietf@augustcellars.com> Thu, 26 September 2013 17:47 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F06021E80AD for <jose@ietfa.amsl.com>; Thu, 26 Sep 2013 10:47:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.748
X-Spam-Level:
X-Spam-Status: No, score=-2.748 tagged_above=-999 required=5 tests=[AWL=0.850, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ccN4lAZ-R3i5 for <jose@ietfa.amsl.com>; Thu, 26 Sep 2013 10:47:07 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 0EE7721E80A8 for <jose@ietf.org>; Thu, 26 Sep 2013 10:47:06 -0700 (PDT)
Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 4ECE82CA2E; Thu, 26 Sep 2013 10:47:02 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Date: Thu, 26 Sep 2013 10:45:49 -0700
Message-ID: <010001cebae0$3d6edf40$b84c9dc0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0101_01CEBAA5.91118DE0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac66Xo4aDyP/8HDXTqmPAaeUbN4oDw==
Content-Language: en-us
Cc: jose@ietf.org
Subject: [jose] Text for Issue #77
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2013 17:47:13 -0000
Mike, I am not happy with the following sentence in section 3.7 of web-key because I don't believe that it correct covers the set of issues that need to be deal with. I suggest the following change: Delete the sentence "The key in the first certificate MUST match the bare public key represented by other members of the JWK." From the current paragraph. This sentence could be replaced with the sentence "The first certificate MUST be the end user certificate." If you want to keep that information. You don't really have that at present, but you do say that it must be the one that contains the key value. It is not clear to me that there would be problem by simply deleting the sentence. Add the following as a new paragraph While there is no requirement that the other fields in a JWK be populated when an "x5c" member is present, doing so will improve interoperability for those applications which do not deal with PKIX certificates. If the fields are populated, then the contents of the fields MUST be consistent with the same field in the certificate. Thus the public keys are required to match, if the use member is present then it needs to allow for only a subset of the usages that are permitted by the certificate. If the fields are populated, the fields MUST be populated with data from the end user certificate. Jim
- [jose] Text for Issue #77 Jim Schaad
- Re: [jose] Text for Issue #77 Jim Schaad