Replies inline below… From: Tim Bray [mailto:[email protected]] Sent: Monday, September 15, 2014 11:54 AM To: Stephen Kent Cc: Mike Jones; Kathleen Moriarty; [email protected]; [email protected]; [email protected]; [email protected] Subject: Re: [jose] JWK member names, was: SECDIR review of draft-ietf-jose-json-web-key-31
When I talk about existing software I’m referring to generic JSON parsers such as are included in the basic library set of every programming language now, and which are unfortunately idiosyncratic and inconsistent in their handling of dupe keys, but in almost no cases actually inform the calling software whether or not dupe keys were encountered. On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <[email protected]<mailto:[email protected]>> wrote: OK, I'm a bit confused. I thought the JOSE specs were intended to create standards for transport of keys, and for sigs, MACs, and encryption of JSON objects. Actually, the payloads of JWS and JWE objects can be any octet sequence – not just those representing JSON objects. What is the existing software to which you and Tim refer, when referring to keys (vs. JSON parsing in general)? JWK objects are already used in production to distribute public keys. For instance, the keys for Salesforce’s identity services are in JWK format at https://login.salesforce.com/id/keys. (Note that I’m not saying that just because the current specs are in use, that no changes are possible.) The existing JSON parsers include every existing JavaScript implementation, for starters, plus the JSON implementations in Java, PHP, Ruby, Python, Perl, .NET, Objective C, Scala, etc. There’s a pretty large list at http://json.org/. Any of these could be used to consume these keys. Steve -- - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray) -- Mike
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
