I have filed an issue that boils down to the following statement:

 

There should be non-normative appendix to JWS that gives a
procedure/algorithm for locating keys based on the different things that can
be placed in a JOSE message.

 

I have been told a large number of ways to do this over time, and I think we
need to place this all into a single location that gives some guidance about
how to do this.  This is a list of the ways that I think there are currently
to locate keys:

 

A.  Look for certificates:

    a.  Identify an EE certificate and a certificate list

        i.   Is there an x5u?  Follow the link and download the certificates to
             get a certificate list and set the EE certificate to the zero-th
             entry in the list

        ii.  Is there an x5t?  Locate the EE certificate in local storage and
             set the certificate list to that certificate

        iii. Is there an x5c?  Set the EE certificate to the first item in the
             list.  Set the certificate list to the array of certificates.

    b.  Do path building from the EE certificate to a trusted root using the
        certificate list and local certificate stores.

    c.  Validate the path to a trust point

B.  Look for JWK Sets

    a.  Create an empty JWK set KEYS

    b.  Is there a jku?  Download from the pointer and add to KEYS we are
        maintaining.

    c.  Is there a jwk?  Add it to KEYS

    d.  Are there application JWKs?  Add them to KEYS

    e.  Are there local JWKs?  Add them to KEYS

C.  Find viable keys in KEYS

    a.  Is there a kid?  Remove items from KEYS which have a kid and it does
        match, leave items with kid value in the KEYS

    b.  Remove items from KEYS based on the algorithm in the alg member.  If a
        key element in KEYS does not support the algorithm, remove it.  This
        examines the 'kty' member and the 'alg' member if it is present.

    c.  Remove items from KEYS based on the use member.  If a key element in
        KEYS has a use member and it does not match the required use for the
        JOSE element, remove it from KEYS.

D.  Check each of the key values in KEYS to see if it validates/decrypts the
    object.


I have no idea if the above set of steps is complete in any sense of the
word, or whether there are steps in it that people disagree with.

 

Please comment both on the concept of adding the appendix and the steps laid
out above.  And please remember that I am looking for an informational not a
normative appendix.

 

Jim

 

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
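Steps B through D of the procedure above (gather a KEYS set, filter it by kid, alg and use, then try each survivor against the object) as an added Python example written for this page. It is not code from the message, from the JOSE working group, or from any JOSE library, and it makes these assumptions: the jku step is omitted so the code runs offline; a header jwk is only added to KEYS behind an explicit flag, because a symmetric key carried in the header would let the sender choose its own verification key; step D is implemented for the HS* (HMAC) algorithms only; and step C.a is read as "drop keys whose kid is present and differs from the header kid, keep keys that carry no kid". The JWK Set, its secrets and the two sample JWS objects are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Which JWK 'kty' each JWA algorithm needs (used by step C.b), and the hash for the HMAC ones.
ALG_TO_KTY = {"HS256": "oct", "HS384": "oct", "HS512": "oct",
              "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
              "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
              "ES256": "EC", "ES384": "EC", "ES512": "EC"}
HMAC_HASH = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed local JWK Set (step B.e). Secrets are throwaway strings, not real keys;
# the EC coordinates are dummies because that key is meant to be filtered out.
LOCAL_JWKS = {"keys": [
    {"kty": "oct", "kid": "k1", "use": "sig", "alg": "HS256", "k": b64u_encode(b"secret-one")},
    {"kty": "oct", "kid": "k2", "use": "enc", "k": b64u_encode(b"secret-two")},   # wrong use
    {"kty": "oct", "alg": "HS512", "k": b64u_encode(b"secret-three")},            # wrong alg
    {"kty": "EC", "kid": "k3", "crv": "P-256", "x": "AA", "y": "AA"},             # wrong kty
    {"kty": "oct", "k": b64u_encode(b"secret-four")},                              # no kid/alg/use
]}


def collect_keys(header, local_jwks, application_jwks=(), trust_header_jwk=False):
    """Step B: gather candidate keys into KEYS. The jku fetch (B.b) is not done here (offline)."""
    keys = []
    # A 'jwk' in the header is chosen by the sender; for a symmetric key it would let
    # the sender pick the verification key, so it is only added when explicitly trusted.
    if trust_header_jwk and "jwk" in header:
        keys.append(header["jwk"])
    keys.extend(application_jwks)            # B.d
    keys.extend(local_jwks.get("keys", []))  # B.e
    return keys


def filter_keys(keys, header, required_use="sig"):
    """Step C: drop keys that cannot have been used with this protected header."""
    kid, alg = header.get("kid"), header.get("alg")
    viable = []
    for key in keys:
        if kid is not None and "kid" in key and key["kid"] != kid:
            continue                                    # C.a: kid present and different
        if alg is not None:
            if key.get("kty") != ALG_TO_KTY.get(alg):
                continue                                # C.b: this kty cannot do the alg
            if "alg" in key and key["alg"] != alg:
                continue                                # C.b: key is pinned to another alg
        if key.get("use", required_use) != required_use:
            continue                                    # C.c: use does not match
        viable.append(key)
    return viable


def hmac_valid(jws, key):
    """Step D for the HS* family only; any other family returns False (not implemented here)."""
    h, p, s = jws.split(".")
    alg = json.loads(b64u_decode(h))["alg"]
    if alg not in HMAC_HASH or key.get("kty") != "oct":
        return False
    mac = hmac.new(b64u_decode(key["k"]), f"{h}.{p}".encode("ascii"), HMAC_HASH[alg]).digest()
    return hmac.compare_digest(mac, b64u_decode(s))


def locate_key(jws, local_jwks=LOCAL_JWKS, application_jwks=()):
    """Run steps B to D over a compact JWS and return the key that validates it, or None."""
    header = json.loads(b64u_decode(jws.split(".")[0]))
    for key in filter_keys(collect_keys(header, local_jwks, application_jwks), header):
        if hmac_valid(jws, key):
            return key
    return None


def sign_hs(header, payload, key):
    """Demo helper that builds a compact HS* JWS so the example has something to verify."""
    h = b64u_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64u_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(b64u_decode(key["k"]), f"{h}.{p}".encode("ascii"), HMAC_HASH[header["alg"]]).digest()
    return f"{h}.{p}.{b64u_encode(mac)}"


# Constructed sample objects: one names a kid, one does not (so step D must try k1 before the last key).
JWS_WITH_KID = sign_hs({"alg": "HS256", "kid": "k1"}, {"sub": "alice"}, LOCAL_JWKS["keys"][0])
JWS_NO_KID = sign_hs({"alg": "HS256"}, {"sub": "bob"}, LOCAL_JWKS["keys"][4])

if __name__ == "__main__":
    print(locate_key(JWS_WITH_KID)["kid"])                   # k1
    print(locate_key(JWS_NO_KID) is LOCAL_JWKS["keys"][4])   # True
```

Two points the filtering makes visible: a kid in the header narrows KEYS but does not select a single key, because keys without a kid survive C.a and still have to be tried in step D; and because C.b uses the alg value from the header to decide which key types are acceptable, the code must refuse to let that header pick a key type the application never intended (here, a header alg of HS256 can only ever reach 'oct' keys, never the public half of an RSA or EC key).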
