On Fri, 2017-06-30 at 17:33 -0400, Nathaniel McCallum wrote: > I have prepared an initial stab at a draft for offloading JWK private > key data to PKCS #11. > > You can find the document here: > https://www.ietf.org/id/draft-mccallum-jose-pkcs11-jwk-00.txt > > Thanks for your consideration!
It's a nice start. A few immediate comments: JWKs that wish to offload their private key material using PKCS #11 will provide a JSON property named "p11" instead of the private key material. JWKs are inanimate objects, hard to have them have any wish :-) I would say: "Users that wish to offload their JWKs private key material to an HSM ..." Later on you talk about performance penalty and say: Implementations SHOULD perform public key operations, such as asymmetric signature verification or asymmetric encryption, without using PKCS #11 I think this should be at most a MAY. If I wanted to be more pedantic I would say you should take in consideration there may be PKCS#11 modules that are already smart enough to implement such functions in software so that they do not incur in performance penalties, so the whole this would have to be wrapped in something like: "If the PKCS#11 implementation perform public key operation in hardare that may result in poor performance then implementations MAY perfrom public ..." Curious to see example JWKs in the appendix. HTH, Simo. _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
