On Nov 11, 2012, at 5:36 PM, Richard L. Barnes wrote: > Hey Mark, > > Do you mind if I incorporate these in the JOSE use cases document? > <http://tools.ietf.org/html/draft-barnes-jose-use-cases>
Please go ahead! …Mark > > --Richard > > > > On Nov 7, 2012, at 4:45 PM, Mark Watson <[email protected]> wrote: > >>> All, I was hoping to get this to you before your meeting, but get repeated >>> delivery failures. One more try ... >>> >>> Begin forwarded message: >>> >>>> From: Mark Watson <[email protected]> >>>> Subject: JSON Web Key support for private and symmetric keys >>>> Date: November 5, 2012 11:31:53 AM PST >>>> To: <[email protected]> >>>> >>>> All, >>>> >>>> First let me introduce myself. I work for Netflix and have been working on >>>> standardization of various components that we need for support of our >>>> service in pure HTML/Javascript. Specifically, the HTML Encrypted Media >>>> Extensions [1], Media Source Extension [1] and the WebCrypto API [3] in >>>> W3C (the latter to provide us the ability to implement a secure >>>> application protocol in Javascript). >>>> >>>> At last week's W3C meeting in Lyon, two requirements came up that we >>>> believe could be met very well by the extension of JWK to support private >>>> and symmetric keys: >>>> >>>> (1) Key wrap/unwrap in the WebCrypto API >>>> >>>> The WebCrypto API can manage keys below the API boundary, avoiding the >>>> sharing of keying material with the Javascript environment. This has >>>> advantage in certain security models where the JS is less trusted than the >>>> UA. >>>> >>>> We are working on the specification of key import/export functions >>>> including import/export of wrapped keys. Both these functions require an >>>> explicit binary representation of the key material to be defined. In the >>>> latter case it is required that not only the key itself is protected by >>>> the wrapping operation, but also attributes associated with the key, most >>>> importantly the "exportable" attribute which determines whether the key >>>> can later be exported back to the JS layer. >>>> >>>> JWK seems attractive for this purpose since it is straightforward to >>>> define additional attributes to be carried with the key. The entire JWK >>>> JSON structure would then be wrapped using the key wrapping algorithm (for >>>> example AES Key Wrap). >>>> >>>> WebCrypto supports public/private key pairs and symmetric keys. Hence JWK >>>> would need to be extended to support private and symmetric keys to be used >>>> for this purpose. >>>> >>>> (2) Provision of keys to the HTML Encrypted Media Extensions "clear key" >>>> keysystem >>>> >>>> The Encrypted Media Extensions provide an API for a script to interact >>>> with a "Content Decryption Module" within the UA that provides key >>>> exchange and content decryption capabilities. It is expected that the >>>> well-known DRM vendors will provide "Content Decryption Modules" that are >>>> integrated into browsers and/or that platform APIs for such modules will >>>> be available for browsers to integrate with (e.g. in the case that the >>>> capability is present within the OS on a given platform.) >>>> >>>> Additionally, the W3C group itself will define a simple "clearkey" Content >>>> Decryption Module in which the key is passed, in the clear, directly from >>>> the JS to the UA. This keysystem has application in certain specific >>>> security models (for example if the user is also the owner of the content) >>>> and for testing. >>>> >>>> The keying material is passed to the CDM in the form of an opaque >>>> keysystem-specific byte array, which for clearkey must specify one or more >>>> (symmetric, likely AES) keys and associated Key Ids. Again, JWK seems an >>>> excellent simple candidate for this purpose, if it supported symmetric >>>> keys. >>>> >>>> >>>> I understand that the JWK specification can be extended by registering the >>>> necessary additional attributes with IANA on a "Specification Required" >>>> basis. However, it was generally agreed in last week's W3C meetings that >>>> it would be better if this work was done in the IETF JOSE group. >>>> >>>> Therefore, the upshot of this email is to ask if there is support in the >>>> IETF JOSE group for adding private and symmetric keys to JWK ? >>>> >>>> I understand there is a draft for private keys already existing. I would >>>> be more than happy to propose a draft for symmetric keys if there is >>>> interest in progressing that here. >>>> >>>> Finally, just to avoid any confusion, I should say that whilst the above >>>> approaches had general support in last week's W3C meeting, this is not a >>>> formal communication from the W3C (W3C groups tend not to send formal >>>> "liaisons"). >>>> >>>> Best regards, >>>> >>>> Mark Watson >>>> Netflix >>>> >>>> [1] >>>> http://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html >>>> [2] >>>> http://dvcs.w3.org/hg/html-media/raw-file/tip/media-source/media-source.html >>>> [3] http://www.w3.org/2012/webcrypto/WebCryptoAPI/ >>> >> >> _______________________________________________ >> jose mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
