There was some discussion of "cty" at the interim, in the context of distinguishing wrapped JWK from wrapped bare key. Since this is only addressing wrapped JWK, that need goes away.
However, there's still the security consideration that we don't want applications mixing up keys and data. Marking wrapped keys with "cty" supports that goal. So the most softening I would be willing to do would be something like "MUST ... unless application context specifies the content of the wrapped key package." That way, it's always clear that the package is a wrapped key and not general JWE, either by marking or by application rules. That sounds to me pretty much like what you're saying. Would that text work for you?

--Richard

On Friday, May 24, 2013, Mike Jones wrote:

> I agree with all of this wording except for the mandatory use of "cty".
> We didn't discuss that at the interim. In many (most?) contexts, it's
> already known that the value is a wrapped key, so there's no need to
> explicitly call it out, any more than there is for other content types.
> I'm fine with including wording that says that the content type **MAY**
> be used, however.
>
> Thanks for taking first crack at this wording, Richard.
>
> -- Mike
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Barnes
> Sent: Friday, May 24, 2013 11:40 AM
> To: [email protected]
> Subject: [jose] Proposed text for wrapped keys
>
> Dear JOSE,
>
> At the interim, it seemed like there was agreement on key wrapping at
> least in the case of wrapping a JWK-structured key (as opposed to a bare
> symmetric key). Namely, we agreed to use JWE to wrap the JWK structure.
>
> It seems to me that it would be prudent to add this recommendation as a
> section in JWK. Since we're defining private key attributes, we should
> define in the same document how to protect them.
>
> """
>
> X. Wrapped Key Format
>
> A wrapped key is a JWE object with a key as its payload, encoded as a
> serialized JWK object. The "cty" attribute of a wrapped key MUST be set to
> the JWK MIME type, "application/jwk+json". The processing of wrapped keys
> is identical to normal JWE processing.
>
> """
>
> Do people find that to be sufficient text to explain how to generate and
> process wrapped keys (as JWK within JWE)?
>
> Thanks,
>
> --Richard
>
> P.S. The astute reader will note that this text is adapted
> from draft-barnes-jose-key-wrapping-01
> <http://tools.ietf.org/html/draft-barnes-jose-key-wrapping-01#section-2>
>
> This is not an accident. I'm proposing to first address the question of
> key wrapping in general; then we can talk about whether we want to
> special-case symmetric keys with no attributes.
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
