We're using a JWK with a "p11" property because the public key
material is still usable without the private key, for example for
verifying signatures or encrypting data. So, for example:

$ jose jwk gen -o test.jwk -i '{"p11":"pkcs11:..."}'
$ cat test.jwk
{"crv":"P-256","kty":"EC","p11":"pkcs11:...","x":"...","y":"..."}

This JWK can be passed directly to most JOSE implementations and be
successfully used for encryption or verification; the "p11"
property will be ignored (or it can be stripped before sharing the
key). Implementations that support PKCS#11 can detect the
absence of a private key during signing or decryption and fall back to
evaluating the "p11" property.

That is to say, PKCS#11 is not a replacement for a JWK but for the
missing private (or symmetric) key.

On Wed, Jun 28, 2017 at 2:22 PM, Jim Schaad <[email protected]> wrote:
> I am not aware of any work being done for that purpose. I am not sure why
> you would use a JWK rather than a URI, but I can see some possibilities.
>
> Jim
>
>
> -----Original Message-----
> From: jose [mailto:[email protected]] On Behalf Of Nathaniel McCallum
> Sent: Wednesday, June 28, 2017 5:41 AM
> To: [email protected]
> Subject: [jose] PKCS#11 Support for JWKs
>
> Has there been any interest in standardizing this?
>
> The Jose project[0] has some initial working code (not yet published).
> We are using the (new, standardized) "p11" attribute in JWKs to replace the
> absence of private key material. The value of this attribute is the URI to
> the key as defined by p11-kit[1].
>
> Thus, when a JWK which lacks private key material but contains "p11"
> is used for a decryption or signing process, we forward this request to the
> PKCS#11 module.
>
> Does anyone have interest in working with me on a standard for this (or
> something similar)?
>
> Nathaniel
>
> [0]: https://github.com/latchset/jose
> [1]: https://github.com/p11-glue/p11-kit
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
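The detection-and-fallback rule discussed in this thread (use the JWK's own material when it suffices, otherwise resolve the "p11" URI), as an added example; this is not the Jose project's code. It assumes the "p11" value is an RFC 7512 `pkcs11:` URI, which is the form p11-kit uses, and the sample JWK and its values are constructed placeholders.

```python
from urllib.parse import unquote

# Private (or symmetric) members per key type, per RFC 7518 (JWA).
PRIVATE_MEMBERS = {"EC": ("d",), "RSA": ("d",), "oct": ("k",)}

def needs_secret(jwk, op):
    """Signing and decryption need the private key; a symmetric ("oct")
    key is needed for every operation, encryption included."""
    return op in ("sign", "decrypt") or jwk.get("kty") == "oct"

def has_secret(jwk):
    return any(m in jwk for m in PRIVATE_MEMBERS.get(jwk.get("kty"), ()))

def parse_pkcs11_uri(uri):
    """Parse the path attributes of an RFC 7512 'pkcs11:' URI (the form
    p11-kit uses): ';'-separated key=value pairs, percent-decoded.
    Raises ValueError for anything that is not a pkcs11 URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]   # ignore query attributes
    attrs = {}
    for part in filter(None, path.split(";")):
        if "=" not in part:
            raise ValueError("malformed attribute: %r" % part)
        key, value = part.split("=", 1)
        attrs[key] = unquote(value)
    return attrs

def select_backend(jwk, op):
    """Return ("local", None) when the JWK itself can perform `op`, or
    ("pkcs11", attrs) when the missing key must come from the PKCS#11
    object named by "p11". Raises ValueError when neither is possible."""
    if not needs_secret(jwk, op) or has_secret(jwk):
        return ("local", None)
    if "p11" not in jwk:
        raise ValueError("no key material and no p11 URI for %s" % op)
    return ("pkcs11", parse_pkcs11_uri(jwk["p11"]))

def public_jwk(jwk):
    """Copy that is safe to share: no private members and no p11 pointer."""
    drop = set(PRIVATE_MEMBERS.get(jwk.get("kty"), ())) | {"p11"}
    return {k: v for k, v in jwk.items() if k not in drop}

# Constructed sample in the shape shown in the thread (values are placeholders).
SAMPLE = {"crv": "P-256", "kty": "EC",
          "p11": "pkcs11:token=Test%20Token;object=signing;type=private",
          "x": "<x-coordinate>", "y": "<y-coordinate>"}
```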