Sitting next to Eric Rescorla and Richard Barnes at the WebCrypto F2F, they
just provided additional useful information on your question, Axel.
Specifically, they pointed out that a standard ASN.1 representation of bare
keys is the DER encoding of the RFC 5280 SubjectPublicKeyInfo element (which
contains an algorithm and a key representation) - often referred to as SPKI.
Just to be clear, this is not a certificate (containing no signature, subject,
etc.).
So a fair question is whether JOSE also wants to support SPKI public keys,
rather than just X.509 certificates and JWK keys. I hear you saying "yes",
Axel, and I think Nat was saying "yes" as well. Discussions last week at the
F2F OpenID Connect working meeting also make me think that some others would
also answer this "yes".
If we want to do this, would people suggest that we do this with a new header
parameter containing a SPKI key value? Also, would we always pass SPKI keys by
value, or do people believe that it's also important to pass them by reference
(just like we have both x5c and x5u parameters)?
-- Mike
From: [email protected] [mailto:[email protected]] On Behalf Of Axel Nennker
Sent: Monday, October 29, 2012 4:56 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: [jose] jwk
Encoding public keys as self-signed certs: That is a hack. Not that I am
opposed to hacks but this is too much.
2012/10/29 Mike Jones <[email protected]>
"x5c" helps because you can represent a bare key as a self-signed cert in PEM
format in the "x5c" parameter. The JOSE specs already support PEM-encoded keys.
-- Mike
From: Axel Nennker [mailto:[email protected]]
Sent: Wednesday, October 24, 2012 2:14 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: jwk
In the case where I generate the keypair on the fly I do not have a URL to put
in x5u. And a cert is not a public key. I want bare keys.
I don't know how x5u and x5c help here.
I have the problem that I don't know how to convert (exp,mod) into a pubkey on
one platform (Firefox). I think that PEM is easier.
I think the same might be true on other platforms too.
Another reason I think that PEM is better is that there are command line tools
to produce PEM-encoded keys while I don't know any tool to produce (exp, mod).
--Axel
2012/10/24 Mike Jones <[email protected]>
To be clear, JWS and JWE already support the use of PEM encoded keys through
the "x5c" and "x5u" parameters. Therefore, I don't see any need to also add
X.509-based key formats to JWK itself.
-- Mike
From: Axel Nennker [mailto:[email protected]]
Sent: Wednesday, October 24, 2012 12:55 PM
To: [email protected]
Cc: Mike Jones
Subject: jwk
I think that having more choices other than (exp, mod) is useful.
I believe that it is easier for me to implement keys in Firefox if I have PEM
encoded keys.
So the format could be:
user_jwk : {"pub": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQIyP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYcn+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrkKX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3gwIDAQAB"}
// PEM encoded public key without linebreaks
A more general format would be:
jwk: {"-----BEGIN PUBLIC KEY-----": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4OTqe0p1tgEoOVtDzjQIyP1Ipo8ivqTIeH4yH9kLzI4fCKx6ggZJ3h9ecj4p5E355umCThN/1doBc/tq18VGlNtyDNxCh45Z1zGYJKwZxaVaWQXlB2gfgnko1D+Zw9KIlipQHtnhJw/qREEIp4YOgaGcSZBCcQQ4DYCOjfTTbKUXSTlrlOgflfgTiyhUFuiKWkoeivwASigL76PtYNYcn+dlYKYB/vSQ2CY7FtaDcr22EdqUDVPLNg1+K1rsvHvllP7iTnXA5IgxT5JELdrkKX9Ek68zDzelOaJxs2tbkkwbqSLQfREzQ/yGAIOW9rZVqlaVBEBzUYzREmeybVq3gwIDAQAB"}
This general format could be used for private keys too.
What do you think?
Axel
ps: Don't know whether I can post from this email address.... Mike, would you
please post it if it does appear in your inbox but not on the list. Thanks.
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
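Mike's description of SPKI (the DER-encoded RFC 5280 SubjectPublicKeyInfo) and Axel's flat base64 "pub" value are two encodings of the same RSA public key, and the (exp, mod) pair Axel could not convert is exactly what sits inside the SPKI's BIT STRING. The following Python is an added example, not code from this thread or from any JOSE implementation: it converts a JWK-style RSA key (base64url "n" and "e") into a DER SubjectPublicKeyInfo, wraps it in PEM, and parses it back, using only the standard library. The DER helpers, function names and the sample modulus are my own constructions; the modulus is a placeholder with the right shape, not a real key.

```python
import base64

# OID for rsaEncryption (RFC 8017); it is the AlgorithmIdentifier of an RSA SPKI
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    """DER INTEGER of a non-negative int; a leading 0x00 keeps it positive when the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def _der_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(body))


def _read_tlv(buf, pos=0):
    """Return (tag, body, position after the element); refuses truncated input."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _oid_to_dotted(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rsa_jwk_to_spki_der(jwk):
    """Build the SubjectPublicKeyInfo DER for an RSA JWK ({"kty": "RSA", "n": ..., "e": ...})."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are handled here")
    n = int.from_bytes(_b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(_b64url_decode(jwk["e"]), "big")
    rsa_public_key = _der_tlv(0x30, _der_integer(n) + _der_integer(e))        # RSAPublicKey
    algorithm = _der_tlv(0x30, _der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")    # AlgorithmIdentifier, NULL params
    subject_public_key = _der_tlv(0x03, b"\x00" + rsa_public_key)             # BIT STRING, 0 unused bits
    return _der_tlv(0x30, algorithm + subject_public_key)


def spki_der_to_rsa_jwk(der):
    """Parse an RSA SubjectPublicKeyInfo back into the JWK (n, e) form, checking the algorithm OID."""
    tag, spki, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, algorithm, pos = _read_tlv(spki)
    _, oid_body, _ = _read_tlv(algorithm)
    if _oid_to_dotted(oid_body) != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:])
    _, n_body, pos = _read_tlv(rsa_public_key)
    _, e_body, _ = _read_tlv(rsa_public_key, pos)
    n, e = int.from_bytes(n_body, "big"), int.from_bytes(e_body, "big")
    return {"kty": "RSA",
            "n": _b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
            "e": _b64url_encode(e.to_bytes((e.bit_length() + 7) // 8, "big"))}


def spki_der_to_pem(der):
    """Wrap the DER in "PUBLIC KEY" PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_spki_der(pem):
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# Constructed sample: a 2048-bit placeholder modulus with the top bit set and e = 65537; NOT a real key pair.
SAMPLE_N = int.from_bytes(b"\xc3" + b"\xab" * 255, "big")
SAMPLE_JWK = {"kty": "RSA", "n": _b64url_encode(SAMPLE_N.to_bytes(256, "big")), "e": "AQAB"}

if __name__ == "__main__":
    der = rsa_jwk_to_spki_der(SAMPLE_JWK)
    pem = spki_der_to_pem(der)
    print(pem)
    print(spki_der_to_rsa_jwk(pem_to_spki_der(pem)) == SAMPLE_JWK)
```

Two points worth noting from running it. First, a 2048-bit RSA SPKI always base64-encodes to the same 44-character prefix ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA") that opens Axel's sample, because those 33 DER bytes are nothing but length fields, the rsaEncryption OID and the NULL parameters; the "PEM without linebreaks" in his proposal is simply the base64 of the SPKI DER. Second, unlike a bare (n, e) pair, the SPKI carries the algorithm identifier with the key, so a consumer can and should check that OID (as `spki_der_to_rsa_jwk` does) before handing the key material to a verifier, just as it would check "kty" on a JWK; a self-signed certificate in "x5c" adds nothing to that check, since its signature only vouches for the key it already contains.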