Re: [jose] JWK Generator Service

Justin Richer <jricher@mit.edu> Tue, 04 November 2014 14:57 UTC

Message-ID: <5458E955.3090700@mit.edu>
Date: Tue, 04 Nov 2014 09:57:25 -0500
From: Justin Richer <jricher@mit.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Richard Barnes <rlb@ipv.sx>
References: <5458E645.9020904@mit.edu> <CAL02cgTVHkGmB2+L90EaqpBT26+FqsNsvkvsV0Tig45tDJLjaw@mail.gmail.com>
In-Reply-To: <CAL02cgTVHkGmB2+L90EaqpBT26+FqsNsvkvsV0Tig45tDJLjaw@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/gE5dToG_RLAI5SS9OzW1g2fLkfM
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWK Generator Service

It will be great to have a JavaScript version widely available as 
well, when it's ready. I also know someone working on a Python app to 
handle the same task on the command line, and I look forward to people 
having their pick of tools to do this job. If key generation isn't easy, 
people will get lazy and re-use keys, fail to rotate them when needed, 
or do other, worse things.

  -- Justin

On 11/4/2014 9:54 AM, Richard Barnes wrote:
> Note that with WebCrypto, the crypto parts of this become one-liners.
>
> crypto.subtle.generateKey(
>     {name: "RSA-OAEP", modulusLength: 2048,
>      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-1"},
>     true, ["encrypt", "decrypt"])
>   .then( function(keyPair) {
>     // export the generated private key in JWK form
>     return crypto.subtle.exportKey("jwk", keyPair.privateKey);
>   })
>
> On Tue, Nov 4, 2014 at 9:44 AM, Justin Richer <jricher@mit.edu 
> <mailto:jricher@mit.edu>> wrote:
>
>     A while ago, I was fed up with creating self-signed X.509
>     certificates just to manage the bare keys used in JOSE processing.
>     There's a lot of extraneous effort that goes into making fake
>     certificate chains that are then dutifully ignored by the
>     application, especially when the JWK format can hold both public
>     and private keys natively already. So we switched our apps over to
>     reading the JWK format instead of X.509, but we still needed
>     something to securely generate the keys themselves. So I created a
>     command-line Java application to generate keys in JWK format (based
>     on the NimbusDS JOSE library):
>
>     https://github.com/mitreid-connect/json-web-key-generator
>
>     It's slightly unwieldy to compile and run but it gets the job
>     done. Last night, I wrapped that command-line application with a
>     webapp and made it publicly available:
>
>     https://mkjwk.org/
>
>     This simple service will generate a JWK in RSA, EC, or Oct (shared
>     secret) format for you, using Java's cryptographic engine. You can
>     add in the use, kid, and alg parameters, and the results are
>     formatted into easily-copyable JSON. It will even wrap the key in
>     a keyset and pull out the public key separately for you, in case
>     you need those.
>
>     We don't log any of the keys being generated by the service, but
>     to be extra safe I would still recommend using a local generation
>     mechanism (like the command-line app above) for production systems.
>
>     Finally, I put the code to the site online in the name of
>     transparency:
>
>     https://github.com/mitreid-connect/mkjwk.org
>
>     I hope that people can find this useful, and we can start moving
>     off of X.509 for bare key storage in applications. Much thanks to
>     MIT KIT for providing hosting and support.
>
>      -- Justin
>