Re: [jose] jwk
Mike Jones <Michael.Jones@microsoft.com> Thu, 01 November 2012 11:38 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F106721F84C9 for <jose@ietfa.amsl.com>; Thu, 1 Nov 2012 04:38:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EKNc0uyXL1Vl for <jose@ietfa.amsl.com>; Thu, 1 Nov 2012 04:38:33 -0700 (PDT)
Received: from NA01-BY2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.29]) by ietfa.amsl.com (Postfix) with ESMTP id 22B2E21F84BE for <jose@ietf.org>; Thu, 1 Nov 2012 04:38:32 -0700 (PDT)
Received: from BL2FFO11FD008.protection.gbl (10.173.161.203) by BL2FFO11HUB032.protection.gbl (10.173.161.56) with Microsoft SMTP Server (TLS) id 15.0.545.8; Thu, 1 Nov 2012 11:38:29 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD008.mail.protection.outlook.com (10.173.161.4) with Microsoft SMTP Server (TLS) id 15.0.545.8 via Frontend Transport; Thu, 1 Nov 2012 11:38:28 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.15]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0318.003; Thu, 1 Nov 2012 11:38:10 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Axel Nennker <ignisvulpis@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] jwk
Thread-Index: AQHNsiF/w0zq/rO+/0GqJ4iKlhRQdpfI5BAggAAQvQCAB5mvgIAAbyUAgAPWBDA=
Date: Thu, 01 Nov 2012 11:38:09 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436688578C@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <CAHcDwFziH9QF1TgbywGzi2VPiwADpgdOxzrN1xtTN2pjLJOXOw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436687BCEB@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAHcDwFysxev670hgiq7HxSAsNQ+9vbw5727yoTfMQrBr2p+j8A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943668828D9@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAHcDwFxy2f99Eb2Lz5jq0wpqWFSLOB5POG+uZZVWqtFAmF6mOA@mail.gmail.com>
In-Reply-To: <CAHcDwFxy2f99Eb2Lz5jq0wpqWFSLOB5POG+uZZVWqtFAmF6mOA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.35]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436688578CTK5EX14MBXC285r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(51444002)(377454001)(479174001)(4396001)(54316001)(16406001)(550184003)(47976001)(5343655001)(44976002)(5343635001)(47446002)(46102001)(47736001)(15202345001)(31966008)(49866001)(53806001)(51856001)(74502001)(33656001)(512954001)(74662001)(50986001)(54356001); DIR:OUT; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0652EA5565
Subject: Re: [jose] jwk
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 11:38:36 -0000
Sitting next to Eric Rescorla and Richard Barnes at the WebCrypto F2F, they just provided additional useful information on your question, Axel. Specifically, they pointed out that a standard ASN.1 representation of bare keys is the DER encoding of the RFC 5280 SubjectPublicKeyInfo element (which contains an algorithm and a key representation) - often referred to as SPKI. Just to be clear, this is not a certificate (containing no signature, subject, etc.).
So a fair question is whether JOSE also wants to support SPKI public keys, rather than just X.509 certificates and JWK keys. I hear you saying "yes", Axel, and I think Nat was saying "yes" as well. Discussions last week at the F2F OpenID Connect working meeting also makes me think that some others would also answer this "yes".
If we want to do this, would people suggest that we do this with a new header parameter containing a SPKI key value? Also, would we always pass SPKI keys by value, or do people believe that it's also important to pass them by reference (just like we have both x5c and x5u parameters)?
-- Mike
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Axel Nennker
Sent: Monday, October 29, 2012 4:56 PM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] jwk
Encoding public keys as self-signed certs: That is a hack. Not that I am opposed to hacks but this is too much.
2012/10/29 Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
"x5c" helps because you can represent a bare key as a self-signed cert in PEM format in the "x5c" parameter. The JOSE specs already support PEM-encoded keys.
-- Mike
From: Axel Nennker [mailto:ignisvulpis@gmail.com<mailto:ignisvulpis@gmail.com>]
Sent: Wednesday, October 24, 2012 2:14 PM
To: Mike Jones
Cc: jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: jwk
In the case where I generate the keypair on the fly I do not have an URL to put in x5u. And a cert in not a public key. I want bare keys.
I don't know how x5u and x5c help here.
I have the problem that I don't know how to convert (exp,mod) into a pubkey on one platform (Firefox). I think that PEM is easier.
I think the same might be true an other platforms too.
Another reason I think that PEM is better is that there are command line tools to produce PEM-encoded keys while I don't know any tool to produce (exp, mod).
--Axel
2012/10/24 Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
To be clear, JWS and JWE already support the use of PEM encoded keys through the "x5c" and "x5u" parameters. Therefore, I don't see any need to also add X.509-based key formats to JWK itself.
-- Mike
From: Axel Nennker [mailto:ignisvulpis@gmail.com<mailto:ignisvulpis@gmail.com>]
Sent: Wednesday, October 24, 2012 12:55 PM
To: jose@ietf.org<mailto:jose@ietf.org>
Cc: Mike Jones
Subject: jwk
I think that having more choices other than (xpo, mod) is useful.
I believe that it is easier for me to implement keys in Firefox if I have PEM encoded keys.
So the format could be:
user_jwk : {"pub": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQI yP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYc n+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrk KX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3 gwIDAQAB" }
// PEM encoded public key without linebreaks
A more general format would be:
jwk: { "-----BEGIN PUBLIC KEY-----": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQI yP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYc n+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrk KX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3 gwIDAQAB"
}
This general format could be used for private keys too.
What do you think?
Axel
ps: Don't know whether I can post from this email address.... Mike, would you lease post it if it does appear in your inbox but not on the list. Thanks.
- [jose] jwk Axel Nennker
- Re: [jose] jwk Dirkjan Ochtman
- Re: [jose] jwk Mike Jones
- Re: [jose] jwk Axel Nennker
- Re: [jose] jwk Mike Jones
- Re: [jose] jwk Axel Nennker
- Re: [jose] jwk Mike Jones
- Re: [jose] jwk Axel.Nennker