W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2014

Re: JOSE Last Call and ISSUE 28

From: Harry Halpin <hhalpin@w3.org>
Date: Thu, 10 Apr 2014 04:22:13 +0200
Message-ID: <53460055.7030307@w3.org>
To: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>
CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

On 04/09/2014 10:16 PM, Richard Barnes wrote:
> There already is such an appendix.  I don't think we need more.

Sorry, that email wasn't very clear. The appendix is mostly done and 
looks good. I was wondering though if we wanted to include a helper 
function to allow people to use these string identifiers directly when 
creating keys.

We can always wait for the "high-level" API(s) to do this though. 
However, we need to formally close this loop before leaving Last Call at 
our next telecon.


> On Wed, Apr 9, 2014 at 4:08 PM, Mike Jones 
> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
>     I don't think that the "ask JOSE to do this" option is a viable
>     option, given that this was discussed in JOSE multiple times and
>     it was repeatedly decided not to support structured algorithm
>     identifiers.  Some of this discussion is recorded at
>     http://trac.tools.ietf.org/wg/jose/trac/ticket/7.
>     I would personally advocate supporting those JWA identifiers that
>     make sense in WebCrypto, but if that isn't done, I would at least
>     suggest having an appendix listing the correspondence between the
>     JWA identifiers and the corresponding structured WebCrypto
>     algorithm identifiers.  That would at least increase the chance of
>     developers understanding the correspondence correctly.
>                                     -- Mike
>     -----Original Message-----
>     From: Harry Halpin [mailto:hhalpin@w3.org <mailto:hhalpin@w3.org>]
>     Sent: Monday, April 07, 2014 12:48 PM
>     To: public-webcrypto@w3.org <mailto:public-webcrypto@w3.org>
>     Subject: JOSE Last Call and ISSUE 28
>     Before we exit Last Call we should deal with the "algorithm
>     shortname for ciphersuites" issue (Issue 28) and close it officially.
>     Note that JOSE Web Algorithms is still in Last Call [1] as well.
>     Do we have any desire in particular to allow the short names used
>     by JOSE in our spec, or at least clear conversion function that
>     generates an Algorithm object for a given JOSE ciphersuite (so
>     that "PS256"
>     specified keys in JOSE is automagically converted to RSA-PSS using
>     SHA-256/MG-1 ala http://www.w3.org/2012/webcrypto/track/issues/28?
>     Or do we ask JOSE to do this?
>     Or do we expect developers to handle this?
>     Also, as regards the SAAG comments, in may be useful to look at
>     Mike's security concerns section [1], where he deals with the same
>     issues brought up by the SAAG on WebCrypto.
>        cheers,
>          harry
>     [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25
Received on Thursday, 10 April 2014 02:22:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC