"x5c" helps because you can represent a bare key as a self-signed cert in PEM
format in the "x5c" parameter. The JOSE specs already support PEM-encoded keys.
-- Mike
From: Axel Nennker [mailto:[email protected]]
Sent: Wednesday, October 24, 2012 2:14 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: jwk
In the case where I generate the keypair on the fly I do not have an URL to put
in x5u. And a cert in not a public key. I want bare keys.
I don't know how x5u and x5c help here.
I have the problem that I don't know how to convert (exp,mod) into a pubkey on
one platform (Firefox). I think that PEM is easier.
I think the same might be true an other platforms too.
Another reason I think that PEM is better is that there are command line tools
to produce PEM-encoded keys while I don't know any tool to produce (exp, mod).
--Axel
2012/10/24 Mike Jones
<[email protected]<mailto:[email protected]>>
To be clear, JWS and JWE already support the use of PEM encoded keys through
the "x5c" and "x5u" parameters. Therefore, I don't see any need to also add
X.509-based key formats to JWK itself.
-- Mike
From: Axel Nennker [mailto:[email protected]<mailto:[email protected]>]
Sent: Wednesday, October 24, 2012 12:55 PM
To: [email protected]<mailto:[email protected]>
Cc: Mike Jones
Subject: jwk
I think that having more choices other than (xpo, mod) is useful.
I believe that it is easier for me to implement keys in Firefox if I have PEM
encoded keys.
So the format could be:
user_jwk : {"pub":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQI
yP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYc
n+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrk
KX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3 gwIDAQAB" }
// PEM encoded public key without linebreaks
A more general format would be:
jwk: { "-----BEGIN PUBLIC KEY-----":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQI
yP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYc
n+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrk
KX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3 gwIDAQAB"
}
This general format could be used for private keys too.
What do you think?
Axel
ps: Don't know whether I can post from this email address.... Mike, would you
lease post it if it does appear in your inbox but not on the list. Thanks.
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
