Re: [POSH] What's the point of using JWKs in POSH?
Matt Miller <mamille2@cisco.com> Wed, 04 June 2014 22:18 UTC

This discussion is moved to xmpp@ietf.org, which is the working group
where this work will continue forward. Everyone is still welcome to
discuss this draft, and should join the xmpp@ietf.org mailing list.

--
- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.

On 5/20/14, 12:42 PM, Thijs Alkemade wrote:
> Hello,
>
> Today, I've spent some time on trying to implement POSH-checking
> for xmpp.net. My implementation aimed to do two things: doing the
> validation as described and showing someone how they could set up
> their .well-known file by converting their X509 certificates to
> JSON Web Keys.
>
> The latter part was a lot more work than the former and made me
> wonder why it is defined the way it is.
>
> From draft-ietf-xmpp-posh:
>
>    Each included JWK object MUST possess the following information:
>
>    o  The "kty" field set to the appropriate key type used for TLS
>       connections (e.g., "RSA" for a certificate using an RSA key).
>
>    o  The required public parameters for the key type (e.g., "n" and
>       "e" for a certificate using an RSA key).
>
>    o  The "x5t" field set to the certificate thumbprint, as described
>       in section 3.6 of [JOSE-JWK].
>
> Yet the data that is required in the first and second bullet is
> never used. It doesn't specify if and how clients should verify it.
> Verification only uses the x5t field and optionally x5c.
>
> There are good arguments for "pinning" just the public key.
> draft-ietf-websec-key-pinning only uses the SPKI field, DANE can
> use either the full cert or its SPKI field (and optionally hashed).
> But the way it is specified here won't allow that: the x5t field
> always needs to be present and clients should verify it.
>
> So the public parameters of the key are useless here, but they make
> a key >10x as large as they have to be. Generating them is also not
> as easy: most certificate viewers show a SHA1 fingerprint and it's
> really easy to do with the openssl cli tool, but extracting n and e
> and base64-encoding them is a lot more work. I wouldn't even know
> what to do for ECDSA keys.
>
> Are there any interoperability reasons for using JWKs that I'm not
> aware of? Couldn't it just use a list of SHA1 hashes?
>
> Best regards, Thijs
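
The thumbprint-only check discussed in the quoted message, as an added example that is not part of the original thread or of the draft. It assumes the POSH document is a JWK Set with a "keys" array, and it uses constructed placeholder bytes in place of real DER certificates and a random value in place of an RSA modulus.

```python
import base64
import hashlib
import hmac
import json
import os


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t(cert_der: bytes) -> str:
    """JWK "x5t": base64url of the SHA-1 digest of the DER certificate."""
    return b64url(hashlib.sha1(cert_der).digest())


def make_jwk(cert_der: bytes, n: bytes, e: bytes = b"\x01\x00\x01") -> dict:
    """Entry carrying the three fields the quoted draft text requires."""
    return {"kty": "RSA", "n": b64url(n), "e": b64url(e), "x5t": x5t(cert_der)}


def posh_match(presented_der: bytes, posh_doc: dict) -> bool:
    """Thumbprint-only check: "kty", "n" and "e" are never consulted."""
    want = x5t(presented_der)
    return any(hmac.compare_digest(want, k.get("x5t", ""))
               for k in posh_doc.get("keys", []))


def size_ratio(jwk: dict) -> float:
    """Serialized JWK size relative to the bare thumbprint string."""
    full = json.dumps(jwk, separators=(",", ":"))
    return len(full) / len(jwk["x5t"])


# Constructed stand-ins: not real certificates or keys.
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"
UNRELATED_N = os.urandom(256)  # 2048-bit-sized value unrelated to CERT_A

# Assumed document shape: a JWK Set with a "keys" array.
DOC = {"keys": [make_jwk(CERT_A, UNRELATED_N)]}

if __name__ == "__main__":
    print(posh_match(CERT_A, DOC))  # accepted although "n" is unrelated
    print(posh_match(CERT_B, DOC))
    print(round(size_ratio(DOC["keys"][0]), 1))
```

Because the match succeeds with an "n" that has nothing to do with the certificate, a verifier built this way gives no assurance about the key parameters published in the document.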