PEM feedback on draft-ietf-httpbis-message-signatures-13

Hi,


I am very keen on this protocol becoming a standard.

The following feedback comes from trying to implement it carefully
in Scala, compiling to JS and to JVM bytecode, so that the libraries
can work in the browser and on the server.

I was just now at the stage of testing that the keys in the document
can be used to correctly sign the base strings published there (see [0]).
Having such examples is very useful to test the spec, and to test
one’s implementation of course.

Everything is fine on the Java VM, but the PEM encoded keys do not
work well with the JS Web Crypto API. I wrote up one problem in [1].
The Web Crypto API, being deployed in all browsers, is a major platform.
As it becomes more widely adopted on NodeJS this will become
even more important. So having examples that library devs can get to
work on those platforms seems to me like an important requirement.

I asked the Web Crypto API folks in [2] what their feedback was,
and got this very helpful response by @panva which I think is worth quoting in full:

> The keys in appendix-B.1.1 are in PKCS1, which isn't accepted by webcrypto at all. Recommend using rsaEncryption OID PKCS8 and SPKI PEM or JWK if they ought to be imported as CryptoKey reliably.
>
> The private key in appendix-B.1.2 is 1.2.840.113549.1.1.10 (id-RSASSA-PSS). WebCryptoAPI implementations only generally accept 1.2.840.113549.1.1.1 (rsaEncryption) keys. Recommend using rsaEncryption OID PKCS8 PEM or JWK if they ought to be imported as CryptoKey reliably.
>
> The private key in appendix-B.1.3 is in SEC1 format, which isn't accepted by webcrypto at all. Recommend using id-ecPublicKey OID PKCS8 PEM or JWK if they ought to be imported as CryptoKey reliably.
>
> The keys in appendix-B.1.4 are fine but currently only Node.js and Deno runtimes implement Ed25519 as per Secure Curves in the Web Cryptography API.
>
> Hope this helps inform the WG. I would propose to keep the PEM keys as is and add their JWK representation.

I also think there is good reason to publish both the PEM and the JWK as we are in a
transition phase between the old binary ASN1 encodings and more semantic encodings.

I will continue working next on updating the protocol library after
version 07 in [3]

Henry Story

[0] https://github.com/bblfish/bobcats/pull/7
[1] https://github.com/httpwg/http-extensions/issues/2290
[2] https://github.com/w3c/webcrypto/issues/330#issuecomment-1304759709
[3] https://github.com/bblfish/httpsig

Received on Sunday, 6 November 2022 10:42:02 UTC
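
The container and OID distinctions in the quoted response can be checked mechanically before a key is handed to a WebCrypto import. The following is an added example for Node.js, not code from the message, the draft, or the libraries linked above; `classifyPem`, `tlv`, `decodeOid`, `pem` and `SAMPLES` are hypothetical names, and the sample inputs are constructed DER shells rather than real keys.

```javascript
// Added example; the verdict strings restate the quoted response, not a runtime probe.
const LEGACY = { "RSA PRIVATE KEY": "PKCS#1", "RSA PUBLIC KEY": "PKCS#1", "EC PRIVATE KEY": "SEC1" };
const VERDICT = {
  "1.2.840.113549.1.1.1": "rsaEncryption: importable",
  "1.2.840.113549.1.1.10": "id-RSASSA-PSS: generally rejected, re-encode as rsaEncryption",
  "1.2.840.10045.2.1": "id-ecPublicKey: importable",
  "1.3.101.112": "Ed25519: importable only where Secure Curves is implemented",
};
// Read one DER header at `off`: tag, content start, content length (short or long form).
function tlv(buf, off) {
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) {
    const end = start + (len & 0x7f);
    if (end === start || end > start + 4) throw new Error("unsupported DER length");
    for (len = 0; start < end; start++) len = len * 256 + buf[start];
  }
  if (!(start + len <= buf.length)) throw new Error("truncated DER"); // also catches NaN
  return { tag: buf[off], start, len };
}
function decodeOid(b) {
  const arcs = [Math.floor(b[0] / 40), b[0] % 40]; // first-byte split, valid for first arc 0 or 1
  for (let i = 1, v = 0; i < b.length; i++) {
    v = v * 128 + (b[i] & 0x7f);
    if (!(b[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join(".");
}
// Classify by PEM label first, then by the AlgorithmIdentifier OID inside PKCS#8 / SPKI.
function classifyPem(pem) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(pem);
  if (!m) throw new Error("no PEM block found");
  const label = m[1];
  if (LEGACY[label]) return { container: LEGACY[label], oid: null, verdict: "not accepted by WebCrypto" };
  if (label !== "PRIVATE KEY" && label !== "PUBLIC KEY") throw new Error("unhandled label " + label);
  const der = Buffer.from(m[2].replace(/\s+/g, ""), "base64");
  let off = tlv(der, 0).start;                 // enter the outer SEQUENCE
  if (label === "PRIVATE KEY") { const v = tlv(der, off); off = v.start + v.len; } // skip version
  const hdr = tlv(der, tlv(der, off).start);   // AlgorithmIdentifier SEQUENCE, then its OID
  if (hdr.tag !== 0x06) throw new Error("expected OBJECT IDENTIFIER");
  const oid = decodeOid(der.subarray(hdr.start, hdr.start + hdr.len));
  return { container: label === "PRIVATE KEY" ? "PKCS#8" : "SPKI", oid, verdict: VERDICT[oid] || "unknown OID" };
}
const pem = (label, hex) => `-----BEGIN ${label}-----\n${Buffer.from(hex, "hex").toString("base64")}\n-----END ${label}-----`;
const SAMPLES = { // constructed DER shells with a 1-byte dummy key body, not real keys
  pkcs1: pem("RSA PRIVATE KEY", "3000"),
  pss: pem("PRIVATE KEY", "3013020100300b06092a864886f70d01010a040100"),
  rsa: pem("PRIVATE KEY", "3015020100300d06092a864886f70d0101010500040100"),
  ed25519: pem("PRIVATE KEY", "300d020100300506032b6570040100"),
};
```

Feeding it the PEM blocks from the draft's appendix B.1 gives the container and algorithm OID to compare against the quoted response before attempting an import.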