On 23/01/15 14:30, [email protected] wrote:
> Stephen,
> 
> How does rfc6920 help when the key is a jwk? Like sub_jwk below.

You can easily construct the hash input (an SPKI) from that
and hence could easily produce an ni URI.

And it's reasonably likely your implementation supports SPKI
natively as well as its format for exporting a public key.

S.

> 
> -Axel
> 
> {
>    "iss": "https://self-issued.me",
>    "sub": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
>    "aud": "https://client.example.org/cb",
>    "nonce": "n-0S6_WzA2Mj",
>    "exp": 1311281970,
>    "iat": 1311280970,
>    "sub_jwk": {
>      "kty":"RSA",
>      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
>      4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
>      tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
>      QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
>      SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
>      w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
>      "e":"AQAB"
>     }
>   }
> 
> -----Original Message-----
> From: jose [mailto:[email protected]] On Behalf Of Stephen Farrell
> Sent: Friday, January 23, 2015 1:39 PM
> To: Jim Schaad; [email protected]
> Subject: Re: [jose] Working Group last call on draft-ietf-jose-jwk-thumbprint
> 
> 
> 
> I just had a quick look and it seems fine for asymmetric keys assuming 
> there's a need for it and a justification for including things like '{"e":' 
> in the hash input, which I don't see.
> 
> The reason I looked at this is that there's some overlap here with RFC6920, 
> (I'm an author of
> that) and DANE and maybe other specs that say how to hash a public key.
> 
> It does seem a shame to have so many ways to hash public keys, but 6920 is 
> compatible with DANE and others that hash a SPKI (even if that's artificially 
> created just as a hash input), so I wonder if the benefit of the running code 
> here is really worth being different from other specs that hash a SPKI.
> 
> So, other than that someone has some code, what is the benefit of being 
> incompatible with other specs here?
> 
> The downside is that I could not determine that one of these does/doesn't map 
> to the same public key as some DANE RRs for example.
> Seems a bit odd to me to want to accept that downside unless there's an 
> upside.
> 
> Only other thing is for symmetric keys I think you should add an optional 
> salt, in case you need the thumbprint of a low-entropy secret, which is quite 
> likely to happen, and quite likely to get exposed somehow. And I'd argue to 
> recommend that a long salt always be used for potentially low-entropy secret 
> keys.
> 
> Apologies if the WG discussed these before but I missed it;-)
> 
> S.
> 
> PS: These are just random-punter comments with no hats.
> 
> On 23/01/15 01:56, Jim Schaad wrote:
>> This starts a two week last call on draft-ietf-jose-jwk-thumbprint.  
>> Last call will end on February 2, 2015.
>>
>>  
>>
>> Due to the general lack of activity on the list, general silence will 
>> be considered as a vote to park the document and either have it done 
>> via the ISE or with an AD shepherd rather than having group consensus.
>>
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose
>>
> 

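The conversion described in the reply above, as an added example that is not part of the original thread: it DER-encodes the quoted RSA `sub_jwk` as a SubjectPublicKeyInfo, hashes it into an RFC 6920 ni URI, and computes the draft's JWK thumbprint next to it for comparison. The function names are hypothetical, the DER encoder is hand-written to stay within the standard library, and only RSA keys are handled.

```python
import base64, hashlib, json

# sub_jwk copied from the quoted token in the message above
SUB_JWK = {"kty": "RSA", "e": "AQAB", "n": (
    "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx"
    "4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs"
    "tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2"
    "QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI"
    "SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb"
    "w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")}

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def der(tag, body):
    # Minimal DER tag-length-value encoder (definite lengths only)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_uint(raw):
    # Unsigned INTEGER: strip leading zeros, pad one zero if the top bit is set
    raw = raw.lstrip(b"\x00") or b"\x00"
    return der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def rsa_jwk_to_spki(jwk):
    # AlgorithmIdentifier: rsaEncryption OID (1.2.840.113549.1.1.1) + NULL
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    key = der(0x30, der_uint(b64u_dec(jwk["n"])) + der_uint(b64u_dec(jwk["e"])))
    return der(0x30, alg + der(0x03, b"\x00" + key))  # BIT STRING, 0 unused bits

def ni_uri(spki):
    # RFC 6920 form with empty authority: ni:///sha-256;<base64url, no padding>
    return "ni:///sha-256;" + b64u_enc(hashlib.sha256(spki).digest())

def jwk_thumbprint(jwk):
    # Draft's hash input for RSA: required members only, sorted, no whitespace
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                       separators=(",", ":"), sort_keys=True)
    return b64u_enc(hashlib.sha256(canon.encode()).digest())

if __name__ == "__main__":
    print(ni_uri(rsa_jwk_to_spki(SUB_JWK)), jwk_thumbprint(SUB_JWK))
```

Both values identify the same public key but are hashes over different inputs, so they cannot be compared directly; the SPKI hash is the one that lines up with specs that hash a SubjectPublicKeyInfo.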