Re: PEM feedback on draft-ietf-httpbis-message-signatures-13 from Justin Richer on 2022-11-07 (ietf-http-wg@w3.org from October to December 2022)

From: Justin Richer <jricher@mit.edu>
Date: Mon, 7 Nov 2022 11:35:16 +0000
To: Henry Story <henry.story@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <63B092A7-94F6-4FB9-A7BF-44ADD2E1431F@mit.edu>

Henry,

As I mentioned in the filed issue, I think it makes sense to simply add JWK formatted versions of all the keys in the examples section. Even our own test libraries have had issues with PKCS8 vs PCKS1.

 — Justin

> On Nov 6, 2022, at 10:41 AM, Henry Story <henry.story@gmail.com> wrote:
> 
> Hi,
> 
> 
>   I am very keen on this protocol becoming a standard.
> 
> The following feedback comes from trying to implement it carefully
> in Scala, compiling to JS and to JVM bytecode, so that the libraries
> can work in the browser and on the server.
> 
> I was just now at the stage of testing that the keys in the document
> can be used to correctly sign the base strings published there (see [0])
> Having such examples is very useful to test the spec, and to test
> one’s implementation of course.
> 
> Everything is fine on the Java VM, but the PEM encoded keys do not
> work well with the JS Web Crypto API. I wrote up one problem in [1].
> The Web Crypto API being deployed in all browsers is a major platform.
> As it becomes more widely adopted on NodeJS this will become
> even more important. So having examples that library devs can get to
> work on those platforms seems to me like an important requirement.
> 
> I asked the Web Crypto API folks in [2] what their feedback was,
> and got this very helpful response by @panva which I think is worth quoting in full:
> 
>> The keys in appendix-B.1.1 are in PKCS1, which isn't accepted by webcrypto at all. Recommend using rsaEncryption OID PKCS8 and SPKI PEM or JWK if they ought to be imported as CryptoKey reliably.
>> 
>> The private key in appendix-B.1.2 is 1.2.840.113549.1.1.10 (id-RSASSA-PSS). WebCryptoAPI implementations only generally accept 1.2.840.113549.1.1.1 (rsaEncryption) keys. Recommend using rsaEncryption OID PKCS8 PEM or JWK if they ought to be imported as CryptoKey reliably.
>> 
>> The private key in appendix-B.1.3 is in SEC1 format, which isn't accepted by webcrypto at all. Recommend using id-ecPublicKey OID PKCS8 PEM or JWK if they ought to be imported as CryptoKey reliably.
>> 
>> The keys in appendix-B.1.4 are fine but currently only Node.js and Deno runtimes implement Ed25519 as per Secure Curves in the Web Cryptography API.
>> 
>> Hope this helps inform the WG. I would propose to keep the PEM keys as is and add their JWK representation.
> 
> I also think there is good reason to publish both the PEM and the JWK as we are in a
> transition phase between the old binary ASN1 encodings and more semantic encodings.
> 
> I will continue working next on updating the the protocol library after
> version 07 in [3]
> 
> Henry Story
> 
> [0] https://github.com/bblfish/bobcats/pull/7

> [1] https://github.com/httpwg/http-extensions/issues/2290

> [2] https://github.com/w3c/webcrypto/issues/330#issuecomment-1304759709

> [3] https://github.com/bblfish/httpsig

> 
> 
> 
>

Received on Monday, 7 November 2022 11:35:31 UTC