RE: RE: JOSE WG request from W3C WebCrypto API

I don't believe that private keys are out of scope for JOSE.  Since the charter is silent on them, it's up to the working group whether to support them or not.

The JOSE working group hadn't supported them thus far because there wasn't a use case for them.  WebCrypto has given JOSE one.

As an individual WebCrypto WG member, I would recommend that we let the discussions in JOSE progress a bit before deciding that ASN.1 is our only option.  I certainly believe that if we don't enable JSON-only uses, we're missing an opportunity at this point.

                                                                -- Mike

P.S.  Sorry for the slow reply.  I'd been on vacation.  I'll do what I can to move this discussion along in the JOSE WG.  As I'm sure you saw, I wrote http://tools.ietf.org/html/draft-jones-jose-json-private-key-00 to try to jump-start this process, now that I'm back.

From: Harry Halpin [mailto:hhalpin@w3.org]
Sent: Monday, August 13, 2012 10:28 AM
To: public-webcrypto@w3.org
Subject: Fwd: RE: JOSE WG request from W3C WebCrypto API

Here's the official response from the JOSE WG chair. It appears that private key export is out of scope, thus we will do ASN.1. I will clarify with them that we plan for JOSE formats to be supported by a "higher-level" API. Also some info re stability and conversion from ASN.1->JOSE.  cheers, harry


-------- Original Message --------
Subject: RE: JOSE WG request from W3C WebCrypto API
Date: Sun, 12 Aug 2012 11:56:02 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Harry Halpin' <hhalpin@w3.org>
CC: <jose@ietf.org>

> -----Original Message-----
> From: Harry Halpin [mailto:hhalpin@w3.org]
> Sent: Sunday, August 12, 2012 8:03 AM
> To: Jim Schaad; Karen O'Donoghue; jose-chairs@tools.ietf.org; Michael Jones
> Subject: JOSE WG request from W3C WebCrypto API
>
> [cc'ing Mike Jones and Richard Barnes, who participate in both WGs]
>
> JOSE Chairs,
>
> The Web Cryptography Working group has noted that the API requires some
> access to raw key material, and the issue of whether or not to use JWK or
> ASN.1 as the default format came up. Two issues have come out that we'd
> like to know the answer to:
>
> 1) JWK does not define a private key format. Does the JOSE WG plan to
> support a JOSE-format for private keys? If so, when? Or 'maybe'?

The working group policy is that there will be no private key format defined
for JWK.  This issue has been explicitly discussed by the working group and
there are no plans to change that going forward.

>
>   2) While we'd like to encourage the use of JOSE over ASN.1, it seems like for
> backwards compatibility having some level of ASN.1 support would be useful
> and we *need* a format that allows key material (both private and
> public) to be exported. Folks seem to be leaning towards ASN.1 as a default
> format in the low-level API, and having JWK as a format that can be built on
> top of that in a possible high-level API. Would that be OK?

It would probably be preferable to be able to import/export private key
material as ASN.1.  But to allow for the import/export of public key
material in either the ASN.1 or JOSE format.  This would simplify the
implementation efforts for JOSE developers.

I don't believe that it would be good to have systems that use JOSE to need
to download script that did the ASN.1 to JOSE conversions.  If you supported
the ASN.1 blob at the SubjectPublicKeyInfo structure level, then an
independent function could be placed in systems to do the conversion between
the two formats.  If you make it a high-level API, I would be worried about
the support level provided by browsers.

>
>   3) How stable do you believe the JOSE formats are right now? Do you think
> they are stable enough now we can reference them in our API draft at end of
> August? If not, when?  The W3C would like to and plan to use these formats
> where possible.

There are currently no open issues for discussion on the formats for
asymmetric key formats; however there are some questions about the set of
algorithms and key sizes for symmetric keys.  While I have no reason to
believe that there will be a change in the key formats, I cannot promise
that there will not be one.

Jim Schaad
Jose WG Chair

>
> Feel free to forward this by JOSE WG for discussion. We'd like an answer
> before we send our document to FPWD at end of August.
>
>   cheers,
>       harry

Received on Thursday, 16 August 2012 01:10:52 UTC
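
The thread above mentions an independent function that converts a SubjectPublicKeyInfo-level ASN.1 blob to the JOSE format. The following sketch is an added example, not code from any participant in the thread or from either working group. It handles RSA public keys only; the function names and the sample key are hypothetical, and the sample bytes are constructed for illustration.

```javascript
// Added example: RSA SubjectPublicKeyInfo (DER) -> JWK public key. All names are hypothetical.
const RSA_OID_HEX = '2a864886f70d010101'; // rsaEncryption, 1.2.840.113549.1.1.1

// Read one DER TLV at `off`: tag, value bytes, and the offset just past it.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated TLV header');
  const tag = buf[off];
  let len = buf[off + 1];
  let pos = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the count of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || pos + n > buf.length) throw new Error('bad length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  }
  if (pos + len > buf.length) throw new Error('value runs past end of input');
  return { tag, value: buf.subarray(pos, pos + len), next: pos + len };
}

function expectTag(buf, off, tag) {
  const tlv = readTlv(buf, off);
  if (tlv.tag !== tag) throw new Error(`expected tag 0x${tag.toString(16)}`);
  return tlv;
}

// DER INTEGER -> base64url of the unsigned big-endian value, as JWK encodes n and e.
function intToB64u(v) {
  if (v.length === 0 || (v[0] & 0x80)) throw new Error('not a positive INTEGER');
  let i = 0;
  while (i < v.length - 1 && v[i] === 0) i++; // drop the DER sign-padding byte
  return Buffer.from(v.subarray(i)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function spkiRsaToJwk(der) {
  const spki = expectTag(der, 0, 0x30); // outer SEQUENCE
  if (spki.next !== der.length) throw new Error('trailing bytes after SPKI');
  const alg = expectTag(spki.value, 0, 0x30); // AlgorithmIdentifier
  const oid = expectTag(alg.value, 0, 0x06);
  if (Buffer.from(oid.value).toString('hex') !== RSA_OID_HEX) throw new Error('not RSA');
  const bits = expectTag(spki.value, alg.next, 0x03); // BIT STRING wrapping RSAPublicKey
  if (bits.value.length < 1 || bits.value[0] !== 0) throw new Error('unused bits set');
  const rsa = expectTag(bits.value, 1, 0x30);
  const n = expectTag(rsa.value, 0, 0x02);
  const e = expectTag(rsa.value, n.next, 0x02);
  return { kty: 'RSA', n: intToB64u(n.value), e: intToB64u(e.value) };
}

// Constructed sample: toy 64-bit modulus, e = 65537; not a usable key.
const SAMPLE_SPKI = Buffer.from(
  '3024300d06092a864886f70d01010105000313003010020900c123456789abcdef0203010001', 'hex');
```

Only public key material passes through this conversion, which matches the split discussed in the thread.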