Re: [jose] Rolling PKIX into JWK

John Bradley <ve7jtb@ve7jtb.com> Fri, 15 March 2013 16:58 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAL02cgQ+=mUBmJa3ROMKisp0SOmRY97Kn5TebLDX_k2phDAQyw@mail.gmail.com>
Date: Fri, 15 Mar 2013 12:57:48 -0400
Message-Id: <40C9C629-E2B9-4612-A86F-61482A176FF2@ve7jtb.com>
References: <BF7E36B9C495A6468E8EC573603ED9411516EF1E@xmb-aln-x11.cisco.com> <255B9BB34FB7D647A506DC292726F6E1150B9AE08C@WSMSG3153V.srv.dir.telstra.com> <CAL02cgQ+=mUBmJa3ROMKisp0SOmRY97Kn5TebLDX_k2phDAQyw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, "<jose@ietf.org>" <jose@ietf.org>, "Matt Miller (mamille2)" <mamille2@cisco.com>
Subject: Re: [jose] Rolling PKIX into JWK

Agreed, having the cert chain in the x5u is optional, having it for validation if you want that trust chain is not a problem. Trying to optimize that for size is going to be too complicated.

John B.

On 2013-03-15, at 12:49 PM, Richard Barnes <rlb@ipv.sx> wrote:

> On Fri, Mar 15, 2013 at 2:43 AM, Manger, James H <James.H.Manger@team.telstra.com> wrote:
> I agree, a certificate as an optional field of any JWK sounds like a decent approach.
> 
> +1, although it's not mutually exclusive with having a "PKIX" key type.
>  
> Putting a whole cert chain in one JWK is not ideal.
> Each cert is about 1 key so really should be in its own JWK.
> Otherwise you will duplicate the chain of intermediate CA certs in each JWK in a set.
> 
> It might be useful to define an issuer key-id field ("isskid"). A JWK could include a cert for its own key and (with "isskid") a link to the next cert along the chain. That makes it quick-n-easy to build a chain from the JWKs in a set.
> 
> It would also help if JWKs in a set were held in an object/dictionary/associative-array with the kid as the name. That would be better than using an array of JWKs with no defined meaning for the order.
> 
> This proposal seems much, much worse than having a cert chain in one JWK.  If you're going to have all the public keys as JWKs, you might as well just re-invent X.509 in JWK, in which case you would probably use JWS over JWK, which solves the "isskid" problem using the "kid" in the JWS.  The benefit of having the cert chain is that you don't have to re-invent X.509, you just pass the cert chain to your existing X.509 library.  
> 
> In other words, let's have the trust chain be fully X.509 or fully JOSE, even if it starts from a JWK.  
> 
> --Richard
> 
> 
>  
> 
> --
> James Manger
> 
> > -----Original Message-----
> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> > Matt Miller (mamille2)
> > Sent: Friday, 15 March 2013 12:48 AM
> > To: <jose@ietf.org>
> > Subject: [jose] Rolling PKIX into JWK
> >
> > [hoping this topic is the least controversial...]
> >
> > In some IRL discussions on moving forward on PKIX in JWK, I've been
> > convinced the concerns are mostly the same regardless of how the PKIX
> > is packaged.  Given that, I would suggest we make "x5c" an optional
> > field of JWK, rather than defining a new JWK type.  I can propose
> > various text additions after this meeting.
> >
> >
> > Thoughts?
> >
> > - m&m
> >
> > Matt Miller < mamille2@cisco.com >
> > Cisco Systems, Inc.
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose