Hi Nathaniel,

So what you wish to propose is a new "p11" parameter which is a PKCS#11
URI (RFC 7512)?

Vladimir


On 28/06/17 22:23, Nathaniel McCallum wrote:
> We're using a JWK with a "p11" property because the public key
> material is still usable without the private key. For example,
> verification of signatures or encrypting data. So, for example:
>
>     $ jose jwk gen -o test.jwk -i '{"p11":"pkcs11:..."}'
>     $ cat test.jwk
>     {"crv":"P-256","kty":"EC","p11":"pkcs11:...","x":"...","y":"..."}
>
> This JWK can be passed directly to most JOSE implementations and be
> successfully used for encryption or verification and the "p11"
> property will be ignored (or it can be stripped before sharing the
> key). For implementations that support PKCS#11, they can detect the
> absence of a private key during signing or decryption and fall back to
> evaluating the "p11" property.
>
> That is to say, PKCS#11 is not a replacement for a JWK but for the
> missing private (or symmetric) key.
>
> On Wed, Jun 28, 2017 at 2:22 PM, Jim Schaad <[email protected]> wrote:
>> I am not aware of any work being done for that purpose.  I am not sure why
>> you would use a JWK rather than a URI, but I can see some possibilities.
>>
>> Jim
>>
>>
>> -----Original Message-----
>> From: jose [mailto:[email protected]] On Behalf Of Nathaniel McCallum
>> Sent: Wednesday, June 28, 2017 5:41 AM
>> To: [email protected]
>> Subject: [jose] PKCS#11 Support for JWKs
>>
>> Has there been any interest in standardizing this?
>>
>> The Jose project[0] has some initial working code (not yet published).
>> We are using the (new, standardized) "p11" attribute in JWKs to replace the
>> absence of private key material. The value of this attribute is the URI to
>> the key as defined by p11-kit[1].
>>
>> Thus, when a JWK which lacks private key material but contains "p11"
>> is used for a decryption or signing process, we forward this request to the
>> PKCS#11 module.
>>
>> Does anyone have interest in working with me on a standard for this (or
>> something similar)?
>>
>> Nathaniel
>>
>> [0]: https://github.com/latchset/jose
>> [1]: https://github.com/p11-glue/p11-kit
>>
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose

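The fallback Nathaniel describes, as an added illustration that is not code from the jose project or from anyone in this thread: an implementation first checks whether the JWK carries private material for its `kty`; only when it does not does it consult the `"p11"` member, which is parsed as an RFC 7512 `pkcs11:` URI (path attributes separated by `;`, query attributes by `&`, percent-encoded values, with `id` decoded to bytes). A `public_form` helper shows the "strip before sharing" step. The sample JWK, its token and object names and the `x`/`y` values are constructed; nothing here talks to a real PKCS#11 module.

```python
"""Added example: locating the private half of a JWK that carries a "p11"
PKCS#11 URI (RFC 7512). Not code from the jose project; all values constructed."""
from urllib.parse import unquote, unquote_to_bytes

# Members that carry private or secret material, per JWK key type (RFC 7518).
PRIVATE_MEMBERS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi"},
    "oct": {"k"},
}

# Constructed sample: public EC key plus a "p11" reference (values are placeholders).
SAMPLE_P11_JWK = {
    "crv": "P-256",
    "kty": "EC",
    "p11": "pkcs11:token=example-token;object=jwk-test;id=%01%ab?pin-source=file:/run/pin",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def has_private_material(jwk):
    """True when the JWK itself contains private/secret members for its kty."""
    kty = jwk.get("kty")
    if kty not in PRIVATE_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    return any(member in jwk for member in PRIVATE_MEMBERS[kty])


def parse_pkcs11_uri(uri):
    """Parse a pkcs11: URI into (path_attrs, query_attrs).

    Path attributes are ';'-separated, query attributes '&'-separated; values are
    percent-decoded. The 'id' attribute is binary, so it is decoded to bytes.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split_attrs(text, sep):
        attrs = {}
        for item in filter(None, text.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {item!r}")
            attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
        return attrs

    return split_attrs(path_part, ";"), split_attrs(query_part, "&")


def public_form(jwk):
    """Copy of the JWK safe to hand to peers: private members and the local
    "p11" hint removed. Peers that ignore unknown members would also accept
    the original, but the reference is meaningless outside this host."""
    drop = PRIVATE_MEMBERS.get(jwk.get("kty"), set()) | {"p11"}
    return {k: v for k, v in jwk.items() if k not in drop}


def locate_private_key(jwk):
    """Decide where signing/decryption material comes from.

    Returns ("jwk", jwk) when private material is inline, otherwise
    ("pkcs11", path_attrs, query_attrs) parsed from the "p11" member, which a
    PKCS#11-capable implementation would hand to its module (hypothetical step).
    """
    if has_private_material(jwk):
        return ("jwk", jwk)
    reference = jwk.get("p11")
    if reference is None:
        raise KeyError("JWK has neither private material nor a p11 reference")
    path_attrs, query_attrs = parse_pkcs11_uri(reference)
    return ("pkcs11", path_attrs, query_attrs)


if __name__ == "__main__":
    print(locate_private_key(SAMPLE_P11_JWK))
    print(public_form(SAMPLE_P11_JWK))
```

Two design points matter here: the `"p11"` member is consulted only after the inline-material check fails, so a JWK that already contains `"d"` never triggers a module lookup, and `public_form` drops `"p11"` along with the private members so that a host-local reference (and anything in its query part, such as a PIN source) is never shipped with the public key.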
