If your protocol wants to impose particular algorithm restrictions it can 
obviously do that.  And the key, as transmitted by your protocol, can include, 
and in fact, can require an "alg" field.

That's separate from the thumbprint value for the key, which is intentionally 
computed without any of the optional field values, so that its value is 
invariant both in their presence and in their absence.

                                -- Mike
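
As an added example that is not part of this thread or of the draft, the computation described above, done the way the draft's successor RFC 7638 specifies it: only the required members for the key type, lexicographically ordered, serialized without whitespace, SHA-256 hashed and base64url encoded without padding. The sample key values are constructed placeholders (not a real modulus), and key_is_acceptable is a hypothetical verifier check, not anything the spec defines.

```python
import base64
import hashlib
import json

# Members that go into the thumbprint, per key type (RFC 7638, section 3.2).
# Everything else ("alg", "kid", "use", "key_ops", "x5c", ...) is ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def canonical_jwk(jwk):
    """Return the exact string that gets hashed: required members only,
    lexicographically ordered, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    try:
        subset = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK lacks required member {missing}") from None
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    """SHA-256 of the canonical form, base64url without padding (a 'jkt' value)."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_is_acceptable(jwk, pinned_jkt, allowed_algs):
    """Hypothetical verifier check: a pinned thumbprint identifies the key,
    so the permitted algorithm still has to be checked separately."""
    return jwk_thumbprint(jwk) == pinned_jkt and jwk.get("alg") in allowed_algs


# Constructed sample key (the modulus is a placeholder, not real key material).
BARE_KEY = {"kty": "RSA", "n": "sample-modulus-not-real", "e": "AQAB"}
# The same key as a protocol might transmit it, with optional members added.
ANNOTATED_KEY = dict(BARE_KEY, alg="PS512", kid="2014-04-14", use="sig")

if __name__ == "__main__":
    print(canonical_jwk(ANNOTATED_KEY))
    print(jwk_thumbprint(BARE_KEY) == jwk_thumbprint(ANNOTATED_KEY))
```

The optional "alg", "kid" and "use" members drop out of the hashed string, so both keys produce the same thumbprint; any algorithm restriction therefore has to be enforced on the transmitted key's "alg" member, not on the thumbprint.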

-----Original Message-----
From: Jim Schaad [mailto:[email protected]] 
Sent: Monday, April 14, 2014 2:34 PM
To: 'Daniel Holth'
Cc: Mike Jones; 'jose'
Subject: RE: [jose] JSON Web Key (JWK) Thumbprint Specification

No, it includes the key type not the algorithm.  It says this is an RSA key not 
that this is an RSA key to be used with the RSA-PSS-with-SHA512 algorithm.

> -----Original Message-----
> From: Daniel Holth [mailto:[email protected]]
> Sent: Monday, April 14, 2014 1:51 PM
> To: Jim Schaad
> Cc: Mike Jones; jose
> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
> 
> The thumbprint includes the algorithm but not the usage restrictions.
> A practical certificate would certainly include "trusted for ..."
> constraints. Simply not having to store the kid since a substitute can 
> be computed from the actual key material is advantage enough for me.
> 
> On Mon, Apr 14, 2014 at 4:38 PM, Jim Schaad <[email protected]> wrote:
> > I would have problems with that if it did not come with additional 
> > restrictions on the key that I might want to additionally state - such as 
> > restricting the key to be used with specific algorithms or key usages.
> >
> >
> >> -----Original Message-----
> >> From: Daniel Holth [mailto:[email protected]]
> >> Sent: Monday, April 14, 2014 1:39 PM
> >> To: Jim Schaad
> >> Cc: Mike Jones; jose
> >> Subject: Re: [jose] JSON Web Key (JWK) Thumbprint Specification
> >>
> >> For me the finger/thumbprint is something you could sign as part of 
> >> an "I trust this key" assertion since it is a property of a 
> >> specific key rather than an arbitrary association.
> >>
> >> On Mon, Apr 14, 2014 at 4:06 PM, Jim Schaad <[email protected]> wrote:
> >> > What are the practical benefits for this over using the kid parameter?
> >> >
> >> > Jim
> >> >
> >> > From: jose [mailto:[email protected]] On Behalf Of Mike Jones
> >> > Sent: Thursday, April 10, 2014 5:50 PM
> >> > To: [email protected]
> >> > Subject: [jose] JSON Web Key (JWK) Thumbprint Specification
> >> >
> >> > I created a new simple spec that defines a way to create a 
> >> > thumbprint of an arbitrary key, based upon its JWK representation.
> >> > The abstract of the spec is:
> >> >
> >> > This specification defines a means of computing a thumbprint value 
> >> > (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t 
> >> > (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 
> >> > certificate objects.
> >> > This specification also registers the new JSON Web Signature 
> >> > (JWS) and JSON Web Encryption (JWE) Header Parameters and the new 
> >> > JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for 
> >> > holding these values.
> >> >
> >> > The desire for this came up in an OpenID Connect context, but it 
> >> > is of general applicability, so I decided to submit the spec to 
> >> > the JOSE working group.  Thanks to James Manger, John Bradley, 
> >> > and Nat Sakimura for the discussions that led up to this spec.
> >> >
> >> > The specification is available at:
> >> >
> >> > http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00
> >> >
> >> > An HTML formatted version is also available at:
> >> >
> >> > https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html
> >> >
> >> >                                 -- Mike
> >> >
> >> > P.S.  I also posted this notice at 
> >> > http://self-issued.info/?p=1213 and as @selfissued.
> >> >
> >> > _______________________________________________
> >> > jose mailing list
> >> > [email protected]
> >> > https://www.ietf.org/mailman/listinfo/jose
> >> >
> >
