IETF Logo Mail Archive

Re: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 23 January 2015 23:13 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7083E1AD0CC for <jose@ietfa.amsl.com>; Fri, 23 Jan 2015 15:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0eGE90zknRfA for <jose@ietfa.amsl.com>; Fri, 23 Jan 2015 15:13:01 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E9231AD0CB for <jose@ietf.org>; Fri, 23 Jan 2015 15:13:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B29DABEC9; Fri, 23 Jan 2015 23:12:59 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VD2P3-CNYfMm; Fri, 23 Jan 2015 23:12:58 +0000 (GMT)
Received: from [10.87.48.73] (unknown [86.42.29.136]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 28912BE9F; Fri, 23 Jan 2015 23:12:58 +0000 (GMT)
Message-ID: <54C2D579.9000505@cs.tcd.ie>
Date: Fri, 23 Jan 2015 23:12:57 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: ⌘ Matt Miller <mamille2@cisco.com>, John Bradley <ve7jtb@ve7jtb.com>, Michael Jones <Michael.Jones@microsoft.com>
References: <046701d036af$c74ec7b0$55ec5710$@augustcellars.com> <CAL02cgSvp7d14B2Yan2-CHsi__ZedHfrvOAGbJRmnU93i33jbA@mail.gmail.com> <54C284C3.7070902@cisco.com> <601AAE53-0A77-4582-B56D-B126ECBEEFBE@ve7jtb.com> <4E1F6AAD24975D4BA5B1680429673943A21EB5D7@TK5EX14MBXC291.redmond.corp.microsoft.com> <CAL02cgQgV+b6rdOn9nHRS0cNgrb4-1A669vr9Q9L_XyMQ9BO6A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943A21EB6E9@TK5EX14MBXC291.redmond.corp.microsoft.com> <CAL02cgQQUo6P3XD7QDADNhrXkcmSL9X0oxMmXAiMkgJh78eQ-Q@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943A21EBD4B@TK5EX14MBXC291.redmond.corp.microsoft.com> <325597BB-8A06-4410-85F8-E01906B399F4@ve7jtb.com> <54C2C223.2040302@cisco.com>
In-Reply-To: <54C2C223.2040302@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/u3SvRw1RMg86Kp21913UyQM5q0c>
Cc: Richard Barnes <rlb@ipv.sx>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 23:13:02 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 23/01/15 21:50, ⌘ Matt Miller wrote:
> Or maybe we seriously consider SPKI.

Yes. It works. It's used elsewhere so offers better
interop. All libraries support it so coding up the
thumbprint stuff with that is trivial and far less
error prone. It avoids any need for (even more)
pointless debate about hash-input nitpicking. There's
less spec text needed too. All useful asymmetric
algs will have a well defined SPKI for the next
decade because those are used in TLS and for the
WebPKI which is not going away no matter how much
you want it to go away. That is a pile of advantages.

And, most important, there is zero advantage in
pointlessly inventing a new variation. Frankly the
supposed advantages offered so far:

- - a line or two less code, (maybe, maybe not,
  unimportant in any case)
- - "not asn.1" (nonsense, SPKI needs no generic
  asn.1 support, we've known for decades how
  to do without that, and your library constructs
  the octets from the key already)
- - "it should be json" (more nonsense, it's a hash
  input and never sent or stored, nobody cares what
  format it has)

...are utterly unconvincing in any rational view.

S.

PS: As another data point, the W3C sub-resource
integrity spec [1] uses ni URIs today. I've no idea
if that's likely to last into a W3C REC or get
deployed, but seems to me like not-reinventing in
this space is one sensible thing those folks have
(sensibly:-) done, given the utter lack of benefit
from re-inventing.

[1] http://www.w3.org/TR/SRI/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUwtVxAAoJEC88hzaAX42iiyAH/2IBfml30CcQzUiFyFO0zzZZ
lCiaMy+Iy+ZmVtXNGGTQlA7xt+EK060TgG0Aj+vWOMJpxGabxniseJf6RnrSGL2D
M3VL+Tcbx4EDbGTUAyjf8lQ+kAuAbj9xBY3VPG8r1qNrqh8chtRwRSU2O7+plBuJ
qSx+A+8KORzMPhpan+XlcTjnDoSClBnI7+Ajt4T9LozVN4Z0Pl4S2Nnrr8lbgyiH
g8T+u1GTvcT542kL/+Q9g+rUyzVJNE/F+VwvraueTUdkCu+hxhWIUwFZnek27gSk
g4NDwmouzS/0hr3hkM2eqrGyfjpmvTL/VnrfjhKeIKkpBDL2Fvt0hNUlLlhReIU=
=cnGe
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email