Re: [jose] The role of JWK
Justin Richer <jricher@mitre.org> Thu, 14 August 2014 17:53 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35C651A095F for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 10:53:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.868
X-Spam-Level:
X-Spam-Status: No, score=-4.868 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrxxahPArRWg for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 10:53:50 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 652241A0396 for <jose@ietf.org>; Thu, 14 Aug 2014 10:53:50 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id D4A921F0A30; Thu, 14 Aug 2014 13:53:49 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C1B9B1F0A26; Thu, 14 Aug 2014 13:53:49 -0400 (EDT)
Received: from [10.146.15.61] (10.140.19.249) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 14 Aug 2014 13:53:49 -0400
Message-ID: <53ECF765.4090004@mitre.org>
Date: Thu, 14 Aug 2014 13:52:37 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Sergey Beryozkin <sberyozkin@gmail.com>, Richard Barnes <rlb@ipv.sx>
References: <4E1F6AAD24975D4BA5B16804296739439AE1989B@TK5EX14MBXC293.redmond.corp.microsoft.com> <53EC868E.4000000@gmail.com> <CAL02cgS7LxLBWNRdh5EOKwyuiBSsR0jsmMz49c9xztfZehZP_A@mail.gmail.com> <53ECCFF8.9090305@mitre.org> <53ECE6F6.8000400@gmail.com> <53ECEE85.4010505@mitre.org> <53ECF476.9020009@gmail.com>
In-Reply-To: <53ECF476.9020009@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.140.19.249]
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/u2jL-X4anUBq6sO1TJsLrU5Lpyw
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] The role of JWK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 17:53:52 -0000
> Can you please give me a favor and address a couple of questions I > asked in the previous message too ? Sure, I missed those before. > > Cheers, Sergey >>> >>>> Services are starting to publish their public keys as JWK instead of >>>> X509, since a JWK doesn't require a trusted CA and can be much more >>>> easily rotated at runtime. >>> Sorry if it is off-topic, is JWK representing a public key (the public >>> exponent) is effectively a self-signed public key/cert ? What provides >>> the extra trust into such JWK ? I've heard here about JWK Thumbprints ? It's all based on how you get the JWK -- either from a trusted HTTPS URI, or out of band in a configuration, or what have you. Don't think of the JWK as a certificate, think of it as a keypair. It's not signed or issued with a certification chain or anything that you'd expect from X509. Instead, it's literally the raw keys. If you're fetching it from a URL, it's going to be the public keys only. If you're using it for configuring an app or building a local keypair store, it's going to have both the public and private key parts. >>> >>>> >>>> Whenever we deploy a new copy of our server somewhere, we also pull >>>> down >>>> this program and run it to generate a new JWK key set (with public and >>>> private keys) that we use to start up the server. The alternative, >>>> which >>>> we used to do, was to use OpenSSL to generate a self-signed X509 >>>> certificate that we effectively threw away the trust chain for -- lots >>>> of extra effort to create information that we didn't want and then >>>> ignore it on the far end, all to get a simple keypair. It was >>>> unnecessarily complex from all ends, and the switch to JWK has been >>>> much >>>> nicer to deal with. >>>> >>> Is the simplicity of making a demo application running fast a major >>> factor of preferring JWK to self-signed X509 ? What about the >>> synchronization between the existing X509-based key storage and the >>> new JWK-aware storages ? >>> It's not runtime execution that's driving things for us, it's ease of development, lower code complexity, and deployment management. We haven't needed to synchronize the two kinds of storage mechanisms, but you could always do what we used to do when we were using a Java x509 keystore for our server: parse the certificates, dutifully ignore all of the certificate chain validation (since they were self-signed anyway), and extract the bare keys. These keys can be easily represented in JWK for JWK-aware apps, while X509 apps can use the existing certs directly. Alternatively you could programmatically generate self-signed X509 certs based on the raw keys from a JWK. We looked into doing that at one point, but the APIs for handling this (in Java, at least) were absolutely awful. So now we just use JWKs in our OAuth infrastructure, both clients and servers. The keystore is a JSON text file that we can squirrel away on a safe part of the server, remote keys are fetched over HTTPS and easily parsed, and everything works quite swimmingly. -- Justin -- Justin
- [jose] JWK Elliptic Curve key representations and… Mike Jones
- Re: [jose] JWK Elliptic Curve key representations… Daniel Holth
- Re: [jose] JWK Elliptic Curve key representations… Mike Scott
- [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Stephen Farrell
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Mike Jones
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Brian Campbell
- Re: [jose] The role of JWK Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Kathleen Moriarty
- Re: [jose] JWK Elliptic Curve key representations… Mike Jones
- Re: [jose] JWK Elliptic Curve key representations… Justin Richer
- Re: [jose] JWK Elliptic Curve key representations… Richard Barnes
- Re: [jose] JWK Elliptic Curve key representations… Brian Campbell
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Sergey Beryozkin
- Re: [jose] The role of JWK Anders Rundgren
- Re: [jose] The role of JWK Sergey Beryozkin
- [jose] Does A128GCMKW qualify as key wrap or encr… Sergey Beryozkin
- Re: [jose] Does A128GCMKW qualify as key wrap or … Mike Jones