Re: [jose] Rolling PKIX into JWK
Richard Barnes <rlb@ipv.sx> Fri, 15 March 2013 17:11 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47ACC21F8783 for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 10:11:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.868
X-Spam-Level:
X-Spam-Status: No, score=-1.868 tagged_above=-999 required=5 tests=[AWL=0.508, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnP7D4Ph5li5 for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 10:11:21 -0700 (PDT)
Received: from mail-oa0-f45.google.com (mail-oa0-f45.google.com [209.85.219.45]) by ietfa.amsl.com (Postfix) with ESMTP id B3EC721F8548 for <jose@ietf.org>; Fri, 15 Mar 2013 10:11:20 -0700 (PDT)
Received: by mail-oa0-f45.google.com with SMTP id o6so3705419oag.32 for <jose@ietf.org>; Fri, 15 Mar 2013 10:11:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=dcaLCY0vwTU6SJ2pzkHRRYTuScfTS8Rz9Wy6HiVDECI=; b=Wn0sACJXsiKVbK3s0izwj7ULwtTon8Zn7bBfpsbY0IVReeftmktDoHgzdQzpMrxnHZ MSOPRETjQraDSinpdBtoExQ4gwwvav0NzbrW8XeIH7nlJq/yrQd/LNsewB4XS22uU6N3 vKU4P3lmcQiK3XX922wRm3hYSmIJrDOzCT3a5inFjWo0hOFvg3tgpm8GeRXqmw/pSTsF au7dN98L7zU6zFpBQq8rsSFu6+RM7JIv93DJDHkTTIKam/sSCDDUevmYInfkU7GfKMZP h5ijKOqKjkFdpXGz3GUPW1o2+/UcQFmGYA8Er0s1kYtAOzIwhQW6j9FCmvq0W6ETSBVZ nj9w==
MIME-Version: 1.0
X-Received: by 10.60.9.1 with SMTP id v1mr3151304oea.130.1363367479546; Fri, 15 Mar 2013 10:11:19 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Fri, 15 Mar 2013 10:11:19 -0700 (PDT)
X-Originating-IP: [130.129.20.81]
In-Reply-To: <CAL02cgQ+=mUBmJa3ROMKisp0SOmRY97Kn5TebLDX_k2phDAQyw@mail.gmail.com>
References: <BF7E36B9C495A6468E8EC573603ED9411516EF1E@xmb-aln-x11.cisco.com> <255B9BB34FB7D647A506DC292726F6E1150B9AE08C@WSMSG3153V.srv.dir.telstra.com> <CAL02cgQ+=mUBmJa3ROMKisp0SOmRY97Kn5TebLDX_k2phDAQyw@mail.gmail.com>
Date: Fri, 15 Mar 2013 13:11:19 -0400
Message-ID: <CAL02cgQ_vLyah7SaOSgn-qLS2LZW-fCiKkDCJoCwUS-KFXenmw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="e89a8fb20318511fa604d7f9baca"
X-Gm-Message-State: ALoCoQmADPwHLup9JCvKek06z9EqofA3dAYH53EpiyguQ3J8mdSnFfrYz0/XwZijadQiVCTw0nVB
Cc: "<jose@ietf.org>" <jose@ietf.org>, "Matt Miller (mamille2)" <mamille2@cisco.com>
Subject: Re: [jose] Rolling PKIX into JWK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 17:11:22 -0000
Just to clarify, what I'm suggesting is to have "x5c" as an attribute for JWK, with the same syntax as in JWS. As Brian suggested in his slides. IF we want to go down the path of having "chained" JWKs, the syntax would be something like the following: "jwkc": [ jws(jwk1, jwk0), jws(jwk2, jwk1), ... ] Where jws(kx, ky) indicates a JWS with ky as the body and kx as the signing key. IF we build something like this, it would be used in the same manner as "x5c", as an attribute of a JWK. However, I think designing such a thing would be a significant deviation from our charter, so we would need to recharter or even form a new WG (PKIJ?) --Richard On Fri, Mar 15, 2013 at 12:49 PM, Richard Barnes <rlb@ipv.sx> wrote: > On Fri, Mar 15, 2013 at 2:43 AM, Manger, James H < > James.H.Manger@team.telstra.com> wrote: > >> I agree, a certificate as an optional field of any JWK sounds like a >> decent approach. >> > > +1, although it's not mutually exclusive with having a "PKIX" key type. > > >> Putting a whole cert chain in one JWK is not ideal. >> Each cert is about 1 key so really should be in its own JWK. >> Otherwise you will duplicate the chain of intermediate CA certs in each >> JWK in a set. >> >> It might be useful to define a issuer key-id field ("isskid"). A JWK >> could include a cert for its own key and (with "isskid") a link to the next >> cert along the chain. That makes it quick-n-easy to build a chain from the >> JWKs in a set. >> >> It would also help if JWKs in a set where held in a >> object/dictionary/associative-array with the kid as the name. That would be >> better than using an array of JWKs with no defined meaning for the order. >> > > This proposal seems much, much worse than having a cert chain in one JWK. > If you're going to have all the public keys as JWKs, you might as well > just re-invent X.509 in JWK, in which case you would probably use JWS over > JWK, which solves the "isskid" problem using the "kid" in the JWS. The > benefit of having the cert chain is that you don't have to re-invent X.509, > you just pass the cert chain to your existing X.509 library. > > In other words, let's have the trust chain be fully X.509 or fully JOSE, > even if it starts from a JWK. > > --Richard > > > > >> >> -- >> James Manger >> >> > -----Original Message----- >> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >> > Matt Miller (mamille2) >> > Sent: Friday, 15 March 2013 12:48 AM >> > To: <jose@ietf.org> >> > Subject: [jose] Rolling PKIX into JWK >> > >> > [hoping this topic is the least controversial...] >> > >> > In some IRL discussions on moving forward on PKIX in JWK, I've been >> > convinced the concerns are mostly the same regardless of how the PKIX >> > is packaged. Given that, I would suggest we make "x5c" an optional >> > field of JWK, rather than defining a new JWK type. I can propose >> > various text additions after this meeting. >> > >> > >> > Thoughts? >> > >> > - m&m >> > >> > Matt Miller < mamille2@cisco.com > >> > Cisco Systems, Inc. >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose >> > >
- [jose] Rolling PKIX into JWK Matt Miller (mamille2)
- Re: [jose] Rolling PKIX into JWK Brian Campbell
- Re: [jose] Rolling PKIX into JWK Richard Barnes
- Re: [jose] Rolling PKIX into JWK Manger, James H
- Re: [jose] Rolling PKIX into JWK Manger, James H
- Re: [jose] Rolling PKIX into JWK John Bradley
- Re: [jose] Rolling PKIX into JWK Richard Barnes
- Re: [jose] Rolling PKIX into JWK John Bradley
- Re: [jose] Rolling PKIX into JWK Richard Barnes
- Re: [jose] Rolling PKIX into JWK Brian Campbell
- Re: [jose] Rolling PKIX into JWK Matt Miller (mamille2)
- Re: [jose] Rolling PKIX into JWK John Bradley