IETF Logo Mail Archive

Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

Mike Jones <Michael.Jones@microsoft.com> Mon, 15 September 2014 20:49 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D8E51A875C; Mon, 15 Sep 2014 13:49:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sgXnOBAovjzu; Mon, 15 Sep 2014 13:49:13 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0727.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:727]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6D2D1A6F7F; Mon, 15 Sep 2014 13:48:48 -0700 (PDT)
Received: from BN3PR0301CA0014.namprd03.prod.outlook.com (25.160.180.152) by BN3PR0301MB0836.namprd03.prod.outlook.com (25.160.154.146) with Microsoft SMTP Server (TLS) id 15.0.1024.12; Mon, 15 Sep 2014 20:48:25 +0000
Received: from BY2FFO11FD032.protection.gbl (2a01:111:f400:7c0c::193) by BN3PR0301CA0014.outlook.office365.com (2a01:111:e400:4000::24) with Microsoft SMTP Server (TLS) id 15.0.1029.13 via Frontend Transport; Mon, 15 Sep 2014 20:48:25 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD032.mail.protection.outlook.com (10.1.14.210) with Microsoft SMTP Server (TLS) id 15.0.1019.14 via Frontend Transport; Mon, 15 Sep 2014 20:48:24 +0000
Received: from TK5EX14MBXC292.redmond.corp.microsoft.com ([169.254.1.60]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.03.0195.002; Mon, 15 Sep 2014 20:47:44 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Tim Bray <tbray@textuality.com>, Stephen Kent <kent@bbn.com>
Thread-Topic: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
Thread-Index: AQHP0QAJrqBafxnciEq+15U92qOPJ5wCX4gggAAqrwCAAAC8AIAAFg3w
Date: Mon, 15 Sep 2014 20:47:43 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439AECE40B@TK5EX14MBXC292.redmond.corp.microsoft.com>
References: <CAHbuEH4Ccn2Z=8kEECzvgjmtshwsFoa-EH_NpkJPos7zirGeaQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AEC00DB@TK5EX14MBXC292.redmond.corp.microsoft.com> <5416FE10.3060608@bbn.com> <CAHBU6iu3GfsLCAint3z7risZUnVW4EK0WrGVW6Dv=gvppiHSxQ@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AECCCDD@TK5EX14MBXC292.redmond.corp.microsoft.com> <54173546.5000400@bbn.com> <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com>
In-Reply-To: <CAHBU6ivb3BeEufcnJB+eSk8wgETMx+qzH3miE6Z1jtrQkXNR3w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.20]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439AECE40BTK5EX14MBXC292r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(189002)(377454003)(24454002)(199003)(99396002)(15975445006)(6806004)(46102001)(83322001)(20776003)(92566001)(16236675004)(69596002)(86612001)(230783001)(85306004)(55846006)(74502001)(106466001)(80022001)(44976005)(107046002)(84326002)(74662001)(93886004)(68736004)(85806002)(87936001)(19580405001)(106116001)(26826002)(86362001)(54356999)(64706001)(71186001)(15202345003)(19300405004)(66066001)(4396001)(97736003)(31966008)(95666004)(15395725005)(85852003)(16297215004)(76482001)(77982001)(79102001)(81156004)(76176999)(92726001)(19625215002)(19580395003)(77096002)(512874002)(19617315012)(33656002)(2656002)(21056001)(81542001)(90102001)(83072002)(50986999)(84676001)(81342001)(104016003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB0836; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03355EE97E
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/xf8PLxMWt5mLRbA2TwHdcvLs0QM
Cc: "draft-ietf-jose-json-web-key.all@tools.ietf.org" <draft-ietf-jose-json-web-key.all@tools.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "jose-chairs@tools.ietf.org" <jose-chairs@tools.ietf.org>, "jose@ietf.org" <jose@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Sep 2014 20:49:15 -0000

Replies inline below…

From: Tim Bray [mailto:tbray@textuality.com]
Sent: Monday, September 15, 2014 11:54 AM
To: Stephen Kent
Cc: Mike Jones; Kathleen Moriarty; jose@ietf.org; jose-chairs@tools.ietf.org; draft-ietf-jose-json-web-key.all@tools.ietf.org; secdir@ietf.org
Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31

​When I talk about existing software I’m referring to generic JSON parsers such as are included in the basic library set of every programming language now, and which are unfortunately idiosyncratic and inconsistent in their handling of dupe keys, but in almost no cases actually inform the calling software whether or not dupe keys were encountered.

On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <kent@bbn.com<mailto:kent@bbn.com>> wrote:
OK, I'm a bit confused.

I thought the JOSE specs were intended to create standards for transport of keys, and for sigs,
MACs, and encryption of JSON objects.

Actually, the payloads of JWS and JWE objects can be any octet sequence – not just those representing JSON objects.

What is the existing software to which you and Tim refer, when referring to keys (vs.
JSON parsing in general)?

JWK objects are already used in production to distribute public keys.  For instance, the keys for Salesforce’s identity services are in JWK format at https://login.salesforce.com/id/keys.  (Note that I’m not saying that just because the current specs are in use, that no changes are possible.)
The existing JSON parsers include every existing JavaScript implementation, for starters, plus the JSON implementations in Java, PHP, Ruby, Python, Perl, .NET, Objective C, Scala, etc.  There’s a pretty large list at http://json.org/.  Any of these could be used to consume these keys.

Steve

--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)

                                                            -- Mike

v2.23.0 | Report a Bug | By Email