IETF Logo Mail Archive

Re: [jose] #12: x5c incorrect in JWE

"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 01 April 2013 10:48 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BCEF21F88E8 for <jose@ietfa.amsl.com>; Mon, 1 Apr 2013 03:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.588
X-Spam-Level:
X-Spam-Status: No, score=0.588 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRENh7o15mFv for <jose@ietfa.amsl.com>; Mon, 1 Apr 2013 03:48:37 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 5780C21F88D8 for <jose@ietf.org>; Mon, 1 Apr 2013 03:48:36 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.87,385,1363093200"; d="scan'208";a="126900823"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipobvi.tcif.telstra.com.au with ESMTP; 01 Apr 2013 21:48:34 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7031"; a="123295387"
Received: from wsmsg3703.srv.dir.telstra.com ([172.49.40.171]) by ipcdvi.tcif.telstra.com.au with ESMTP; 01 Apr 2013 21:48:34 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Mon, 1 Apr 2013 21:48:33 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: jose issue tracker <trac+jose@trac.tools.ietf.org>, "michael.jones@microsoft.com" <michael.jones@microsoft.com>, "bcampbell@pingidentity.com" <bcampbell@pingidentity.com>
Date: Mon, 01 Apr 2013 21:48:32 +1100
Thread-Topic: [jose] #12: x5c incorrect in JWE
Thread-Index: Ac4tjS4kfEUHdy3XT6WQdzexh51OEgBMzs+g
Message-ID: <255B9BB34FB7D647A506DC292726F6E1150C06EA61@WSMSG3153V.srv.dir.telstra.com>
References: <065.7762ca21750ef2a07382e66a81acadef@trac.tools.ietf.org> <080.fec3c931ff7caa6172df3c6f437eb638@trac.tools.ietf.org>
In-Reply-To: <080.fec3c931ff7caa6172df3c6f437eb638@trac.tools.ietf.org>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #12: x5c incorrect in JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 10:48:38 -0000

> #12: x5c incorrect in JWE
> 
> 
> Comment (by michael.jones@microsoft.com):
> 
>  For generality, I'll note that if people believe that "x5c" should be
> removed from JWE, then the same logic probably suggests that "x5u",
> "jku"
>  should be removed, as all are ways of including or referencing public
> key  values corresponding to the private key used to encrypt the
> content.  And  by that logic, if we don't need a way to reference or
> include public key  values for JWEs, then the "x5t" and possibly "kid"
> parameters would then  also be of dubious value.  At least by that
> reasoning, the inclusion of  all the key reference parameters would
> likely stand or fall together.

Yay! Drop the lot ("jku", "jwk", "x5u", "x5t", "x5c") from JWE; keep "kid".


Should we describe how to get a "kid" value from a certificate or a raw public key (in case an explicit "kid" value is not available to a JWE originator)? If you only have a cert you can look for a subjectKeyIdentifier extension -- though that is an OCTET STRING so it may need to be base64url-encoded (without padding) to give a "kid" string. A raw public key could be hashed to synthetise a "kid" value, but then you need a canonical form of the public key to hash.

--
James Manger

v2.23.0 | Report a Bug | By Email