Re: [jose] JOSE WG request from W3C WebCrypto API

"Jim Schaad" <ietf@augustcellars.com> Sun, 12 August 2012 18:57 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Harry Halpin' <hhalpin@w3.org>
Date: Sun, 12 Aug 2012 11:56:02 -0700
Cc: jose@ietf.org
Subject: Re: [jose] JOSE WG request from W3C WebCrypto API

> -----Original Message-----
> From: Harry Halpin [mailto:hhalpin@w3.org]
> Sent: Sunday, August 12, 2012 8:03 AM
> To: Jim Schaad; Karen O'Donoghue; jose-chairs@tools.ietf.org; Michael Jones
> Subject: JOSE WG request from W3C WebCrypto API
> 
> [cc'ing Mike Jones and Richard Barnes, who participate in both WGs]
> 
> JOSE Chairs,
> 
> The Web Cryptography Working group has noted that the API requires some
> access to raw key material, and the issue of whether or not to use JWK or
> ASN.1 as the default format came up. Two issues have come out that we'd
> like to know the answer to:
> 
> 1) JWK does not define a private key format. Does the JOSE WG plan to
> support a JOSE-format for private keys? If so, when? Or 'maybe'?

The working group policy is that there will be no private key format defined
for JWK.  This issue has been explicitly discussed by the working group and
there are no plans to change that going forward.

> 
>   2) While we'd like to encourage the use of JOSE over ASN.1, it seems like for
> backwards compatibility having some level of ASN.1 support would be useful
> and we *need* a format that allows key material (both private and
> public) to be exported. Folks seem to be leaning towards ASN.1 as a default
> format in the low-level API, and having JWK as a format that can be built on
> top of that in a possible high-level API. Would that be OK?

It would probably be preferable to be able to import/export private key
material as ASN.1, but to allow for the import/export of public key
material in either the ASN.1 or JOSE format.  This would simplify the
implementation efforts for JOSE developers.

I don't believe that it would be good to have systems that use JOSE to need
to download a script that did the ASN.1 to JOSE conversions.  If you supported
the ASN.1 blob at the SubjectPublicKeyInfo structure level, then an
independent function could be placed in systems to do the conversion between
the two formats.  If you make it a high-level API, I would be worried about
the support level provided by browsers.

> 
>   3) How stable do you believe the JOSE formats are right now? Do you think
> they are stable enough now we can reference them in our API draft at end of
> August? If not, when?  The W3C would like to and plan to use these formats
> where possible.

There are currently no open issues for discussion on the formats for
asymmetric key formats; however, there are some questions about the set of
algorithms and key sizes for symmetric keys.  While I have no reason to
believe that there will be a change in the key formats, I cannot promise
that there will not be one.

Jim Schaad
Jose WG Chair

> 
> Feel free to forward this by JOSE WG for discussion. We'd like an answer
> before we send our document to FPWD at end of August.
> 
>   cheers,
>       harry
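
The kind of independent conversion function the reply describes, from an ASN.1 SubjectPublicKeyInfo blob to a JWK, written out as an added example; it is not part of the original message and is not code from the JOSE or WebCrypto working groups. It assumes Node.js, handles EC P-256 public keys only, and uses the JWK member names (`kty`, `crv`, `x`, `y`) as later published in RFC 7517/7518, which may differ from the 2012 drafts under discussion; the function names and the sample key are constructed for illustration.

```javascript
"use strict";
// Added example: SubjectPublicKeyInfo (DER) -> JWK, EC P-256 public keys only.
const OID_EC_PUBLIC_KEY = "2a8648ce3d0201";  // 1.2.840.10045.2.1 (id-ecPublicKey)
const OID_PRIME256V1 = "2a8648ce3d030107";   // 1.2.840.10045.3.1.7 (P-256)

// Constructed sample: the P-256 base point G used as a public key (private key 1).
const GX = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296";
const GY = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5";
const SAMPLE_SPKI = Buffer.from(
  "3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + GX + GY, "hex");

// Read one DER TLV at `off`, require the given tag, bounds-check the length.
function readTlv(buf, off, tag, what) {
  if (off + 2 > buf.length) throw new Error("truncated header: " + what);
  if (buf[off] !== tag) throw new Error("unexpected tag for " + what);
  let len = buf[off + 1];
  let pos = off + 2;
  if (len & 0x80) {                          // long-form length, up to 2 bytes
    const n = len & 0x7f;
    if (n === 0 || n > 2 || pos + n > buf.length) throw new Error("bad length");
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  if (pos + len > buf.length) throw new Error("truncated value: " + what);
  return { value: buf.subarray(pos, pos + len), next: pos + len };
}

function b64url(bytes) {
  return bytes.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function spkiToJwk(der) {
  const spki = readTlv(der, 0, 0x30, "SubjectPublicKeyInfo");
  if (spki.next !== der.length) throw new Error("trailing bytes after SPKI");
  const alg = readTlv(spki.value, 0, 0x30, "AlgorithmIdentifier");
  const key = readTlv(spki.value, alg.next, 0x03, "subjectPublicKey");
  if (key.next !== spki.value.length) throw new Error("trailing bytes in SPKI");
  const oid = readTlv(alg.value, 0, 0x06, "algorithm OID");
  const curve = readTlv(alg.value, oid.next, 0x06, "curve OID");
  if (oid.value.toString("hex") !== OID_EC_PUBLIC_KEY ||
      curve.value.toString("hex") !== OID_PRIME256V1) {
    throw new Error("only EC P-256 keys are handled");
  }
  // BIT STRING content: 0 unused bits, then 0x04 || X || Y (uncompressed point).
  const p = key.value;
  if (p.length !== 66 || p[0] !== 0 || p[1] !== 4) {
    throw new Error("expected an uncompressed P-256 point");
  }
  return { kty: "EC", crv: "P-256", x: b64url(p.subarray(2, 34)), y: b64url(p.subarray(34, 66)) };
}
```

The converter checks structure and algorithm identifiers but does not verify that the point lies on the curve; a consumer of the resulting JWK still has to validate the key before using it.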