This is a second issue in the issue tracker that I wanted to bring to the 
working group’s attention for discussion.  My personal view is stated in the 
issue tracker comment below.

                                -- Mike

-----Original Message-----
From: jose issue tracker [mailto:[email protected]] 
Sent: Wednesday, August 28, 2013 12:36 PM
To: [email protected]; Mike Jones
Cc: [email protected]
Subject: Re: [jose] #82: Section 6. Encrypted JWK and Encrypted JWK Set Format

#82: Section 6. Encrypted JWK and Encrypted JWK Set Format

Comment (by [email protected]):

This comment is about part A of this issue - the suggestion that private key 
material within a JWK be moved into a "private" element.  While I understand 
the motivation for the suggestion, this doesn't seem like a necessary or 
particularly useful change.  If an implementation leaks its private or shared 
key information by disclosing a JWK containing it to a party not entitled to 
have it, there's no security difference in whether that information is in a 
top-level member or a member of a "private" field.  The information will have 
still been inappropriately disclosed.

This suggestion is also ambiguously specified.  While yes, the "d" elements of 
elliptic curve and RSA keys could be moved to be within a "private" structure, 
what would be done for the "k" element of a symmetric key?  Would that also be 
moved into a "private" element?  (At that point, there would be no symmetric 
key information at the top level of the JWK, which seems more than a little 
odd.)

Finally, I'll note that the specs already clearly delineate public from private 
fields, through use of the Parameter Information Class value in the JSON Web 
Key Parameters registry (with values "Public" and "Private").  So there should 
be no confusion which is which.

I therefore recommend that this suggestion be resolved as "wontfix".

-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-jose-json-web-
  [email protected] |  [email protected]
     Type:  defect       |      Status:  new
 Priority:  major        |   Milestone:
Component:  json-web-key |     Version:
 Severity:  -            |  Resolution:
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://tools.ietf.org/wg/jose/trac/ticket/82#comment:1>
jose <http://tools.ietf.org/jose/>

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
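The comment above makes two concrete points: the registry's Parameter Information Class already separates Public from Private members, and a symmetric key has nothing left at the top level once "k" is treated as private. The following is an added example (not code from the JOSE drafts or from the message) that applies that classification to parsed JWKs: it splits members by class, derives the public form of an RSA or EC key, refuses to produce a "public" form of an "oct" key, and checks a JWK Set for leaked private members before it is published. The registry contents are embedded by hand and are assumed to match the final JSON Web Key Parameters registry (RFC 7517/7518) rather than the 2013 draft; all sample key values are constructed placeholders, not real key material.

```python
"""Classify JWK members as Public or Private per the JSON Web Key Parameters
registry and derive public-only keys.

Added example for the thread above, not code from the JOSE drafts. The
registry contents are embedded by hand (assumption: they match the final
registry in RFC 7517/7518) and every sample key value is a constructed
placeholder, not real key material.
"""
import json

# Members whose Parameter Information Class is "Private": the RSA CRT
# parameters, the RSA/EC private exponent "d", and the symmetric key "k".
PRIVATE_PARAMS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth", "k"})

# Members registered as "Public": common JWK members plus RSA/EC public values.
PUBLIC_PARAMS = frozenset({
    "kty", "use", "key_ops", "alg", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "n", "e",           # RSA public modulus and exponent
    "crv", "x", "y",    # EC curve and public point
})


def classify(jwk):
    """Return (public, private, unknown) member-name lists for a parsed JWK.

    Insertion order is preserved so callers can report members as they
    appeared on the wire. Unknown names are in neither class: the registry
    says nothing about them, so they must be handled conservatively.
    """
    public, private, unknown = [], [], []
    for name in jwk:
        if name in PRIVATE_PARAMS:
            private.append(name)
        elif name in PUBLIC_PARAMS:
            public.append(name)
        else:
            unknown.append(name)
    return public, private, unknown


def public_jwk(jwk, keep_unknown=False):
    """Return a copy of jwk containing only members registered as Public.

    Raises ValueError for "oct" keys: their only key material is "k", which
    is Private, so no meaningful public form exists. Unknown members are
    dropped unless keep_unknown=True, because an unregistered member could
    carry private data and dropping it is the fail-closed choice.
    """
    if jwk.get("kty") == "oct":
        raise ValueError("symmetric key has no public form: 'k' is Private")
    public, _private, unknown = classify(jwk)
    keep = set(public) | (set(unknown) if keep_unknown else set())
    return {name: value for name, value in jwk.items() if name in keep}


def find_private_leaks(jwk_set):
    """Pre-publication check for a JWK Set: return (index, private member
    names) for every key that still carries Private members."""
    leaks = []
    for index, jwk in enumerate(jwk_set.get("keys", [])):
        _public, private, _unknown = classify(jwk)
        if private:
            leaks.append((index, private))
    return leaks


# Constructed sample keys: placeholder base64url strings, not real key material.
SAMPLE_RSA = {
    "kty": "RSA", "kid": "rsa-example",
    "n": "bm90LWEtcmVhbC1tb2R1bHVz", "e": "AQAB",
    "d": "bm90LWEtcmVhbC1leHBvbmVudA", "p": "cGxhY2Vob2xkZXI", "q": "cGxhY2Vob2xkZXI",
}
SAMPLE_EC = {
    "kty": "EC", "crv": "P-256",
    "x": "cGxhY2Vob2xkZXIteA", "y": "cGxhY2Vob2xkZXIteQ", "d": "cGxhY2Vob2xkZXItZA",
}
SAMPLE_OCT = {"kty": "oct", "kid": "hmac-example", "k": "cGxhY2Vob2xkZXIteg"}


if __name__ == "__main__":
    jwks = {"keys": [SAMPLE_RSA, SAMPLE_EC, SAMPLE_OCT]}
    print("leaks before stripping:", find_private_leaks(jwks))
    print("public RSA JWK:", json.dumps(public_jwk(SAMPLE_RSA)))
    print("public EC JWK:", json.dumps(public_jwk(SAMPLE_EC)))
    try:
        public_jwk(SAMPLE_OCT)
    except ValueError as err:
        print("oct key:", err)
```

The registry-driven split is what makes a "private" wrapper redundant: any code that publishes keys can run find_private_leaks over the set it is about to serve and refuse to publish if anything comes back, whatever the JSON shape. The "oct" branch is the case the comment raises: there is no public subset of a symmetric JWK, so the only safe behaviour is to refuse rather than emit an empty shell.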
