Re: [jose] The role of JWK
Justin Richer <jricher@mitre.org> Thu, 14 August 2014 15:05 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0E331A6F0E for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 08:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.867
X-Spam-Level:
X-Spam-Status: No, score=-4.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1syUPeaIHzFD for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 08:05:38 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id F171E1A6F0B for <jose@ietf.org>; Thu, 14 Aug 2014 08:05:37 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 528DE1F04DE; Thu, 14 Aug 2014 11:05:37 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2C1EA1F0462; Thu, 14 Aug 2014 11:05:37 -0400 (EDT)
Received: from [10.146.15.61] (10.140.19.249) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 14 Aug 2014 11:05:36 -0400
Message-ID: <53ECCFF8.9090305@mitre.org>
Date: Thu, 14 Aug 2014 11:04:24 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Richard Barnes <rlb@ipv.sx>, Sergey Beryozkin <sberyozkin@gmail.com>
References: <4E1F6AAD24975D4BA5B16804296739439AE1989B@TK5EX14MBXC293.redmond.corp.microsoft.com> <53EC868E.4000000@gmail.com> <CAL02cgS7LxLBWNRdh5EOKwyuiBSsR0jsmMz49c9xztfZehZP_A@mail.gmail.com>
In-Reply-To: <CAL02cgS7LxLBWNRdh5EOKwyuiBSsR0jsmMz49c9xztfZehZP_A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------080001050905020907090200"
X-Originating-IP: [10.140.19.249]
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/s3Q0adMtslufr0Bja-kqGP0bE_E
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] The role of JWK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 15:05:41 -0000
Services are starting to publish their public keys as JWK instead of X509, since a JWK doesn't require a trusted CA and can be much more easily rotated at runtime. This is the class from our OAuth/OpenID Connect system that builds signers and validators off of a public-key JWK (using the Nimbus-DS JOSE library): https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java To add to that, with the private/shared key components of JWK, it can be a very effective key store. Our OAuth server uses this for its keys, this is the class that reads the file and makes the keys available as Java key objects to the rest of the system: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-common/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java As you can see, these are both exceedingly simple classes because they simple read the URL (in the first case) or file (in the second case) and parse the JSON found there into a JWK set, which is then used to create the bare keys in the Java security framework. This is the RSA public key parser for example: https://bitbucket.org/connect2id/nimbus-jose-jwt/src/0d5b12b4d4b84c822bec4af368b3bea5120cb310/src/main/java/com/nimbusds/jose/jwk/RSAKey.java?at=master#cl-1395 Finally, in order to make these keys more easy to deal with, we wrote a simple key generator program that will spin up a new RSA, EC, or Oct key and print it out as a JWK: https://github.com/mitreid-connect/json-web-key-generator Whenever we deploy a new copy of our server somewhere, we also pull down this program and run it to generate a new JWK key set (with public and private keys) that we use to start up the server. The alternative, which we used to do, was to use OpenSSL to generate a self-signed X509 certificate that we effectively threw away the trust chain for -- lots of extra effort to create information that we didn't want and then ignore it on the far end, all to get a simple keypair. It was unnecessarily complex from all ends, and the switch to JWK has been much nicer to deal with. -- Justin On 08/14/2014 09:25 AM, Richard Barnes wrote: > Hey Sergey, > > JWK isn't necessarily tied to JWE or JWS. It can be used to represent > the public key that was used to encrypt a JWE (so that the recipient > can look up the private key), or the public key that should be used to > verify a JWS. But it can also be used in other contexts. For > example, WebCrypto uses JWK (among others) as a format for serializing > keys. > https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#subtlecrypto-interface-datatypes > > As that link suggests, JWK is effectively the same as the PKCS#8 > format for private keys and the SubjectPublicKeyInfo format for public > keys -- just in JSON instead of ASN.1. It's a way to ship a key from > one place to another, for whatever reason you need to do that. > > Hope that helps, > --Richard > > > > > > On Thu, Aug 14, 2014 at 5:51 AM, Sergey Beryozkin > <sberyozkin@gmail.com <mailto:sberyozkin@gmail.com>> wrote: > > Hi, > > This is very likely a newbie question. What is the role of JWK ? > According to [1] it is "... a (JSON) data structure that > represents a cryptographic key". > > I can see plenty examples of JWK in the JWE specification. JWS and > JWE headers can have a "jwk" property representing a given JWK. > > What confuses me is that the examples in JWE use JWK to describe > the private parts of a given key. For example, when we talk about > the RSA OAEP key encryption, JWK would show a private exponent of > a given RSA key (JWE A1). Same for Aes Wrap secret key (JWE A3). Etc. > > So clearly one would not use a "jwk" JWE header to pass around a > JWK representation of the key which was used to encrypt the > content encryption key. > > So I'm thinking a JWK is: > - a convenient way to describe a cryptographic key for JWE/JWS > specifications to refer to it in the spec examples. > - perhaps there's a long-term vision that the key stores would > support JWK format directly ? > - JWK is a 'container' for various key properties, some of those > 'public' properties can be passed around as a JWE/JWS header; > > Am I on the right track, can someone please clarify it further ? > > Thanks, Sergey > > > [1] > http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-1 > > _______________________________________________ > jose mailing list > jose@ietf.org <mailto:jose@ietf.org> > https://www.ietf.org/mailman/listinfo/jose > > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- [jose] JWK Elliptic Curve key representations and… Mike Jones
- Re: [jose] JWK Elliptic Curve key representations… Daniel Holth
- Re: [jose] JWK Elliptic Curve key representations… Mike Scott
- [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Stephen Farrell
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Mike Jones
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Brian Campbell
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Kathleen Moriarty
- Re: [jose] JWK Elliptic Curve key representations… Mike Jones
- Re: [jose] JWK Elliptic Curve key representations… Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Brian Campbell
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Anders Rundgren
- Re: [jose] The role of JWK Sergey Beryozkin
- [jose] Does A128GCMKW qualify as key wrap or encr… Sergey Beryozkin
- Re: [jose] Does A128GCMKW qualify as key wrap or … Mike Jones