Re: [jose] I-D Action: draft-miller-jose-pkix-key-00.txt

John Bradley <ve7jtb@ve7jtb.com> Wed, 13 February 2013 02:27 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCTxdR2MSASDXR-_khhAysj5BOeEosq1fOA4Sx0JUaQSPg@mail.gmail.com>
Date: Tue, 12 Feb 2013 23:27:21 -0300
Message-Id: <625723FA-C5F9-419D-9A3C-4474B08EE347@ve7jtb.com>
References: <20130212183947.3748.46497.idtracker@ietfa.amsl.com> <BF7E36B9C495A6468E8EC573603ED94115134D2C@xmb-aln-x11.cisco.com> <5cc6c8726d01457187a6206e4aa5c6fd@BY2PR03MB041.namprd03.prod.outlook.com> <CA+k3eCTxdR2MSASDXR-_khhAysj5BOeEosq1fOA4Sx0JUaQSPg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Anthony Nadalin <tonynad@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, "Matt Miller (mamille2)" <mamille2@cisco.com>
Subject: Re: [jose] I-D Action: draft-miller-jose-pkix-key-00.txt

Whether it is abuse depends on your perspective I suppose.

If only we could kill x509 and move on:)

Unfortunately that isn't going to happen any time soon.  There are a lot of tools out there for dealing with PEM encoded certificates.

One thing developers told us in Connect was that even if they are dealing with raw keys it is easier for them to import self signed certs.

The problem we have is we have no way to provide a single key identifier for both x509 and JWK.

In SAML meta-data, and even that other ancient WS metadata format someone named Tony may be responsible for, there is a way to include a PEM encoded cert alongside a raw key representation.

Having a single document that can contain the raw key info along with the meta data and also reference an x509 format that some people may prefer for import has some attraction.

If you wanted to limit it to a single self signed PEM encoded cert I could probably live with that, but others may want to validate the cert chain etc.

What we have now for treating JWK and x509 separately is a mess for developers to figure out.

In Connect I would like to have the server point to a single file that contains info about key identifiers, key use, perhaps expires, and the import information in raw and PEM.

Now I have to admit that Tony has a very small point in that we need to be clear on how conflicting info from the cert and JSON are treated.  However I don't think that is insurmountable.
I do think it is better than what we have now where we have no way to roll over x509 keys and you have to publish each key in two completely separate ways.

So while it may be a bag, it is, I think, a useful one.

John B.
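The consistency question John raises (what a verifier does when the certificate and the JSON members disagree), as an added example that is not part of this thread or of the draft: a Go program that publishes one JWK carrying raw RSA parameters alongside a certificate chain (base64 DER, i.e. the body of a PEM block), and rejects the document when the leaf certificate's public key does not match `n` and `e`. The `x5c` member name, the `kid` value and the certificate subject are assumptions for illustration; the keys and the self-signed certificate are generated inside the program, so no real deployment data is used.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// JWK: raw RSA members plus "x5c", a chain of base64 (standard alphabet, the
// body of a PEM block) DER certificates, leaf first. Names are assumptions.
type JWK struct {
	Kty string   `json:"kty"`
	Kid string   `json:"kid,omitempty"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c,omitempty"`
}

// selfSignedCert issues a short-lived self-signed certificate for key.
func selfSignedCert(key *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// jwkFromKey renders pub as JWK members and attaches der as the x5c leaf.
func jwkFromKey(pub *rsa.PublicKey, kid string, der []byte) JWK {
	return JWK{
		Kty: "RSA", Kid: kid,
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		X5c: []string{base64.StdEncoding.EncodeToString(der)},
	}
}

// CheckJWKAgainstChain applies one consistency rule: the x5c leaf must carry
// exactly the key n and e describe; a mismatch is rejected, never resolved by
// silently preferring one representation. Chain validation is a separate step.
func CheckJWKAgainstChain(j JWK) (*x509.Certificate, error) {
	if j.Kty != "RSA" || len(j.X5c) == 0 {
		return nil, errors.New("not an RSA JWK carrying an x5c chain")
	}
	der, err := base64.StdEncoding.DecodeString(j.X5c[0])
	if err != nil {
		return nil, fmt.Errorf("x5c[0]: %w", err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("x5c[0]: %w", err)
	}
	certPub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("x5c[0]: leaf key is not RSA")
	}
	n, errN := base64.RawURLEncoding.DecodeString(j.N)
	e, errE := base64.RawURLEncoding.DecodeString(j.E)
	if errN != nil || errE != nil {
		return nil, errors.New("n/e are not base64url")
	}
	if !bytes.Equal(n, certPub.N.Bytes()) ||
		new(big.Int).SetBytes(e).Cmp(big.NewInt(int64(certPub.E))) != 0 {
		return nil, errors.New("JWK n/e conflict with the x5c[0] public key")
	}
	return leaf, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixtures constructs test data: a JWK whose n/e match its own x5c
// leaf, and a conflicting JWK that reuses that chain with a different key.
func BuildFixtures() (good, conflicting JWK) {
	k1 := must(rsa.GenerateKey(rand.Reader, 2048))
	k2 := must(rsa.GenerateKey(rand.Reader, 2048))
	der := must(selfSignedCert(k1, "connect-signing-key"))
	return jwkFromKey(&k1.PublicKey, "2013-02", der), jwkFromKey(&k2.PublicKey, "2013-02", der)
}

func main() {
	good, conflicting := BuildFixtures()
	doc, _ := json.Marshal(good)
	fmt.Printf("published JWK: %s\n", doc)
	_, err := CheckJWKAgainstChain(good)
	fmt.Println("consistent JWK, error:", err)
	_, err = CheckJWKAgainstChain(conflicting)
	fmt.Println("conflicting JWK, error:", err)
}
```

`go run` prints the combined key document once and then the two verdicts: the consistent JWK is accepted and the one whose `n`/`e` belong to another key is refused. Validating the chain, the part John expects others to want, runs on the returned leaf after this check; once the raw parameters and the certificate are known to describe the same key, it no longer matters which form an importer prefers.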

On 2013-02-12, at 8:58 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> "Abuse" is a strong word Tony.
> 
> 
> On Tue, Feb 12, 2013 at 4:41 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> This seems to abuse JWK, as we are now looking at JWK to be just a bag and now it's to hold a certificate or certificate chain which are much more than keys
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Matt Miller (mamille2)
> Sent: Tuesday, February 12, 2013 10:46 AM
> To: jose@ietf.org
> Subject: [jose] Fwd: I-D Action: draft-miller-jose-pkix-key-00.txt
> 
> FYI...
> 
> 
> - m&m
> 
> Matt Miller <mamille2@cisco.com>
> Cisco Systems, Inc.
> 
> Begin forwarded message:
> 
> > From: <internet-drafts@ietf.org>
> > Subject: I-D Action: draft-miller-jose-pkix-key-00.txt
> > Date: February 12, 2013 11:39:47 AM MST
> > To: <i-d-announce@ietf.org>
> > Reply-To: <internet-drafts@ietf.org>
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >
> >
> >       Title           : JSON Web Key (JWK) for PKIX Certificates
> >       Author(s)       : Matthew Miller
> >                          Brian Campbell
> >       Filename        : draft-miller-jose-pkix-key-00.txt
> >       Pages           : 7
> >       Date            : 2013-02-12
> >
> > Abstract:
> >   This document defines a JSON Web Key (JWK) object to wrap PKIX
> >   certificate chains.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-miller-jose-pkix-key
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-miller-jose-pkix-key-00
> >
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > I-D-Announce mailing list
> > I-D-Announce@ietf.org
> > https://www.ietf.org/mailman/listinfo/i-d-announce
> > Internet-Draft directories: http://www.ietf.org/shadow.html or
> > ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose