IETF Logo Mail Archive

[jose] JWK Elliptic Curve key representations and new curves

Mike Jones <Michael.Jones@microsoft.com> Thu, 14 August 2014 01:40 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9E731A06DA for <jose@ietfa.amsl.com>; Wed, 13 Aug 2014 18:40:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.501
X-Spam-Level:
X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8WZEk2VnPPoR for <jose@ietfa.amsl.com>; Wed, 13 Aug 2014 18:40:45 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0183.outbound.protection.outlook.com [207.46.163.183]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C3821A06D4 for <jose@ietf.org>; Wed, 13 Aug 2014 18:40:44 -0700 (PDT)
Received: from BN3PR0301CA0009.namprd03.prod.outlook.com (25.160.180.147) by BY2PR03MB619.namprd03.prod.outlook.com (10.255.93.41) with Microsoft SMTP Server (TLS) id 15.0.1005.10; Thu, 14 Aug 2014 01:40:42 +0000
Received: from BL2FFO11FD022.protection.gbl (2a01:111:f400:7c09::132) by BN3PR0301CA0009.outlook.office365.com (2a01:111:e400:4000::19) with Microsoft SMTP Server (TLS) id 15.0.1005.10 via Frontend Transport; Thu, 14 Aug 2014 01:40:42 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD022.mail.protection.outlook.com (10.173.161.101) with Microsoft SMTP Server (TLS) id 15.0.1010.11 via Frontend Transport; Thu, 14 Aug 2014 01:40:41 +0000
Received: from TK5EX14MBXC293.redmond.corp.microsoft.com ([169.254.2.111]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0195.002; Thu, 14 Aug 2014 01:39:58 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "jose@ietf.org" <jose@ietf.org>
Thread-Topic: JWK Elliptic Curve key representations and new curves
Thread-Index: Ac+3YKPoN/N5liajT+icFbBFv1/9ng==
Date: Thu, 14 Aug 2014 01:39:58 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439AE1989B@TK5EX14MBXC293.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.74]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439AE1989BTK5EX14MBXC293r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(6009001)(438002)(189002)(199003)(68736004)(110136001)(104016003)(86362001)(31966008)(74502001)(74662001)(229853001)(71186001)(85306004)(54356999)(81342001)(80022001)(66066001)(44976005)(106466001)(50986999)(95666004)(81156004)(20776003)(77096002)(97736001)(76482001)(83322001)(6806004)(2351001)(81542001)(19300405004)(19580395003)(83072002)(21056001)(64706001)(46102001)(16236675004)(87936001)(86612001)(15975445006)(2656002)(84676001)(69596002)(4396001)(26826002)(79102001)(15202345003)(107046002)(55846006)(512954002)(99396002)(77982001)(84326002)(85852003)(33656002)(92566001)(92726001)(19625215002)(2501001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB619; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03030B9493
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/bo7luONYI_quBMRIQ9Q8DgiqdQo
Cc: Trevor Perrin <trevp@trevp.net>
Subject: [jose] JWK Elliptic Curve key representations and new curves
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 01:40:49 -0000

It has come up in recent discussions in the CRFG, the W3C WebCrypto working group, and the TLS working group that not all elliptic curves or curve protocols use two coordinates (x and y) in their public key representations.  For instance, a Curve25519 public key is a single 32-byte value.  Especially in light of the request by TLS to the CRFG to recommend new curves, and that some of the curves in consideration use only a single value in their public key representation, I believe that JOSE should consider how to represent such keys as JWKs.

I see there being two logical ways to address this:

CHOICE 1 - MAKE THE "EC" KEY TYPE MORE FLEXIBLE:  One obvious possibility is to make it a property of the "crv" parameter for JWKs with "kty": "EC" what fields are required.  So for instance, when "crv" is "P-256", "P-384", or "P-521", both "x" and "y" members would be used, but other curves might use a different set of members, such as just "x" for public keys.

CHOICE 2 - USE A DIFFERENT KEY TYPE:  Another possibility is to leave the "kty": "EC" definition as it is but to define a related "kty": "EC1" value to be used by elliptic curves for which only one value "x" is used in the public key representation and an additional value "d" is used in the private key representation.

Within choice 2, there are actually two sub-choices available to us:

CHOICE 2A - DEFINE A NEW KEY TYPE VALUE IN JWA NOW:  If we think that there are only two kinds of elliptic curve key representations that we will ever care about, we could define the second one in JWA now.  However, this would almost certainly start a debate within JOSE about whether we should add any additional curve definitions using this new key type.  If we do, it should almost certainly be because we have followed the CFRG's and TLS's lead in the new curve choices, although doing so would almost certainly further delay our completion.
CHOICE 2B - DEFINE THE NEW KEY TYPE IN A NEW SPEC:   This could be done by writing an individual draft that registers "kty": "EC1" and later possibly adopting it as a working group item.  This would allow our current specs to proceed as-is, while giving us time to sync with CFRG and TLS as their curve choices move forwards.

One additional pesky detail worth noting is that the normal Curve25519 key representation uses little-endian 32-bit numbers whereas SEC1 (which we use for "x", "y", and "d") uses big-endian numbers.  So for any of these choices above, we'd also have to decide whether to allow different curves to specify different endianness, require all to use big-endian representations, or to say that for some curves, the value is an octet array of a given size and be silent on endianness.

While I'm reluctant to even bring this up at this point in the development of our specs, I also don't want those designing potential applications of JWKs to believe that their choices of curves are limited by decisions that JOSE has made.  It's clear that JWK can be extended to accommodate curves using only a single value in their public key representations.

How do you think we should do that?

                                                                -- Mike

P.S.  Thanks to Trevor Perrin for private discussions that informed some of the contents of this note.

v2.23.0 | Report a Bug | By Email