On Sat, Jul 1, 2017 at 4:00 AM, Simo Sorce <[email protected]> wrote:
> On Fri, 2017-06-30 at 17:33 -0400, Nathaniel McCallum wrote:
>> I have prepared an initial stab at a draft for offloading JWK private
>> key data to PKCS #11.
>>
>> You can find the document here:
>> https://www.ietf.org/id/draft-mccallum-jose-pkcs11-jwk-00.txt
>>
>> Thanks for your consideration!
>
> It's a nice start.
> A few immediate comments:
>
>    JWKs that wish to offload their private key material using PKCS #11
>    will provide a JSON property named "p11" instead of the private key
>    material.
>
> JWKs are inanimate objects, hard to have them have any wish :-)
You've never heard of personification? ;)

You're right. I'll change it.

> I would say:
> "Users that wish to offload their JWK's private key material to an HSM
> ..."
>
> Later on you talk about performance penalty and say:
>
>    Implementations SHOULD perform public
>    key operations, such as asymmetric signature verification or
>    asymmetric encryption, without using PKCS #11
>
> I think this should be at most a MAY. If I wanted to be more pedantic I
> would say you should take into consideration there may be PKCS#11 modules
> that are already smart enough to implement such functions in software
> so that they do not incur performance penalties, so the whole thing
> would have to be wrapped in something like:
> "If the PKCS#11 implementation performs public key operations in hardware
> that may result in poor performance then implementations MAY perform
> public ..."

If we downgrade this recommendation, then we probably need to discuss
how implementations would correlate public key and private key object
URIs. That is, "p11" refers only to the private key. For public key
crypto operations, we need a URI that refers to the public key. Thus,
we would need a way to either:

1. Store the public key URI.
2. Transmute the private key URI into a public key URI implicitly.

I'm not sure we can do #2. Sometimes keys are differentiated by id=.
Sometimes they are differentiated by object=. Thus we can't do a single
s/private/public/ on type= and expect things to work. Therefore, I
expect #1 is our only option.

Thoughts?

> Curious to see example JWKs in the appendix.

Will do!

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
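An added example, not from the draft or from either message in the thread: it parses RFC 7512 PKCS #11 URIs and checks, against a constructed in-memory token, whether rewriting type=private to type=public (option #2 above) resolves to exactly one public object. The token contents, the labels, and the jwk_needs_public_uri helper are assumptions made for the illustration.

```python
from urllib.parse import unquote

def parse_p11_uri(uri):
    """Parse the path part of an RFC 7512 PKCS #11 URI into a dict.
    Path attributes are ';'-separated and percent-encoded; the query
    part after '?' (module-path etc.) is not needed here and is dropped."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS #11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in path.split(";"):
        if part:
            name, _, value = part.partition("=")
            attrs[name] = unquote(value)
    return attrs

# Constructed token contents (assumption): each object carries a label
# ("object" = CKA_LABEL), an id ("id" = CKA_ID) and a class ("type").
TOKEN_OBJECTS = [
    # Pair 1: public and private halves share label and CKA_ID.
    {"object": "signing-key", "id": "\x01", "type": "private"},
    {"object": "signing-key", "id": "\x01", "type": "public"},
    # Pair 2: halves are told apart only by different labels.
    {"object": "tls-priv", "id": "", "type": "private"},
    {"object": "tls-pub", "id": "", "type": "public"},
]

def find_objects(attrs, objects=TOKEN_OBJECTS):
    """Return every token object matching all attributes in the URI."""
    return [o for o in objects if all(o.get(k) == v for k, v in attrs.items())]

def guess_public_uri(private_uri):
    """Option #2 from the thread: blindly rewrite type=private to type=public."""
    attrs = parse_p11_uri(private_uri)
    if attrs.get("type") != "private":
        raise ValueError("expected a private-key URI")
    attrs["type"] = "public"
    return attrs

def public_key_resolvable(private_uri):
    """True only if the naive rewrite lands on exactly one public object."""
    return len(find_objects(guess_public_uri(private_uri))) == 1

def jwk_needs_public_uri(jwk):
    """For a JWK carrying the draft's "p11" private-key URI, report whether
    option #1 (storing a separate public-key URI) is required."""
    return not public_key_resolvable(jwk["p11"])
```

For pair 1 the rewrite works because the shared id= still selects the public half; for pair 2 it yields object=tls-priv;type=public, which matches nothing, so the JWK would have to carry the public-key URI explicitly.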
