IETF Logo Mail Archive

Re: [jose] How would x5u really be used with JWE?

Mike Jones <Michael.Jones@microsoft.com> Fri, 25 January 2013 17:44 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4001721F883A for <jose@ietfa.amsl.com>; Fri, 25 Jan 2013 09:44:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GaXvae0afE2o for <jose@ietfa.amsl.com>; Fri, 25 Jan 2013 09:44:44 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.31]) by ietfa.amsl.com (Postfix) with ESMTP id 9AB0221F874B for <jose@ietf.org>; Fri, 25 Jan 2013 09:44:44 -0800 (PST)
Received: from BY2FFO11FD015.protection.gbl (10.1.15.203) by BY2FFO11HUB020.protection.gbl (10.1.14.140) with Microsoft SMTP Server (TLS) id 15.0.596.13; Fri, 25 Jan 2013 17:44:42 +0000
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD015.mail.protection.outlook.com (10.1.14.131) with Microsoft SMTP Server (TLS) id 15.0.596.13 via Frontend Transport; Fri, 25 Jan 2013 17:44:42 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.211]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.02.0318.003; Fri, 25 Jan 2013 17:43:49 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rbarnes@bbn.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [jose] How would x5u really be used with JWE?
Thread-Index: AQHN+MvjT0HqmSvELEufqCh/4UUkBZhaQpWAgAASiDA=
Date: Fri, 25 Jan 2013 17:43:48 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366A89CD9@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <CA+k3eCRyew6xdKGQVOf27MK9AqOJ1A2jmhVYF+u=3Q3TMBtEng@mail.gmail.com> <42D3BCD6-D450-4A77-ABF5-87A5ABA874DE@bbn.com>
In-Reply-To: <42D3BCD6-D450-4A77-ABF5-87A5ABA874DE@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.70]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(199002)(189002)(51704002)(24454001)(13464002)(74502001)(44976002)(59766001)(31966008)(23726001)(74662001)(51856001)(77982001)(46406002)(63696002)(56776001)(33656001)(5343635001)(4396001)(79102001)(56816002)(5343655001)(46102001)(55846006)(53806001)(47736001)(47446002)(50986001)(54356001)(550184003)(16406001)(76482001)(54316002)(20776003)(50466001)(49866001)(47776003)(47976001)(57646002)(42413001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB020; H:TK5EX14HUBC104.redmond.corp.microsoft.com; RD:; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0737B96801
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] How would x5u really be used with JWE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jan 2013 17:44:45 -0000

They're there exactly to let the recipient known which private key to use for decryption.  Hardly useless...

				-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Friday, January 25, 2013 8:36 AM
To: Brian Campbell
Cc: jose@ietf.org
Subject: Re: [jose] How would x5u really be used with JWE?

AFAICT, the X.509 fields in JWE are pretty useless.

If you're using key transport (i.e., wrapping the symmetric key in a public key), then you would use the "jwk" or "jku" fields to reference the key pair you used to do the wrapping.  The only function of the public key crypto fields in a JWE is to let the recipient know which private key to use for decryption.  The recipient already needs to have the private key, since it obviously won't be in the message.

The question of how the encrypting party figures out which public key to use for a given recipient (and in particular, roll-over), is an application-layer question, not something that JWE would address.  See the XMPP end-to-end security doc for an example; they use a separate exchange to associate a JWK with an XMPP ID.
<http://tools.ietf.org/html/draft-miller-xmpp-e2e>

--Richard




On Jan 22, 2013, at 1:10 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> Is there a concrete use case for this that someone could explain to me?
> 
> How does an encrypting party know what URL to use to get the key to encrypt? I assume some out-of-band exchange. How would key rolling work then? An an encrypting party would need to a priori know all potential x5u's of the decrypting party? Which seems dubious. And how would the decrypting party signal a desired change of keys?  
> 
> Am I missing something obvious here?  
> 
> 
> 
> 
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email