Re: [jose] Discuss on

"Jim Schaad" <> Mon, 10 November 2014 23:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 467341ACFC7; Mon, 10 Nov 2014 15:12:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6bMGEkyNIMRg; Mon, 10 Nov 2014 15:12:23 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0C88A1ACF90; Mon, 10 Nov 2014 15:12:23 -0800 (PST)
Received: from Philemon ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id B97DF2CA26; Mon, 10 Nov 2014 15:12:21 -0800 (PST)
From: Jim Schaad <>
To: 'Justin Richer' <>
References: <>
In-Reply-To: <>
Date: Mon, 10 Nov 2014 13:11:59 -1000
Message-ID: <03aa01cffd3b$bc18e680$344ab380$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03AB_01CFFCE7.EA7031E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG+ydWlFvg8ElSkPaCLv2CqZIXQv5x847nQ
Content-Language: en-us
Cc:,, 'Stephen Farrell' <>
Subject: Re: [jose] Discuss on
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Nov 2014 23:12:25 -0000

What level of testing have you done on this?





From: Justin Richer [] 
Sent: Monday, November 10, 2014 11:32 AM
To: Jim Schaad; 'Richard Barnes'
Cc:;; 'Stephen Farrell'
Subject: Re: [jose] Discuss on


It's implemented in some libraries, such as the NimbusDS JOSE-JWT library on Java. However, I don't know of any uses in applications.



-- Justin


/ Sent from my phone /

-------- Original message --------
From: Jim Schaad <> 
Date:11/10/2014 11:03 AM (GMT-10:00) 
To: 'Richard Barnes' <> 
Cc:,, 'Stephen Farrell' <> 
Subject: Re: [jose] Discuss on 

Oh – your right.  My head is not processing fast enough.


In that case I don’t know of any implementation at the moment for the “oth” parameter


I am not sure if Stephen is going to force a removal based on that or not.





From: jose [] On Behalf Of Richard Barnes
Sent: Monday, November 10, 2014 10:39 AM
To: Jim Schaad
Cc:; Stephen Farrell
Subject: Re: [jose] Discuss on


What?  I can't speak for Chrome, but Firefox completely ignores the "oth" parameter.

I think you're thinking of the extended, technically not-required RSA private parameters "p", "q", "dp", "dq", "qi".  Firefox and Chrome DO both require those, because the underlying library requires them and we didn't want to implement factoring above the library layer (at least for Firefox).

I'm not sure it makes sense for those parameters to be required at the JWK layer.



On Mon, Nov 10, 2014 at 10:14 AM, Jim Schaad <> wrote:

Based on email that has been sent to the list.  It appears that both Chrome and Firefox have fully implemented the “oth” parameter of RSA private keys.  They actually appear to require that it be present rather than be optional as the document specifies.  However this would mean to me that this parameters is used and you can clear you discuss on that basis.




jose mailing list