- From: Mike Jones <Michael.Jones@microsoft.com>
- Date: Wed, 15 Aug 2012 23:20:14 +0000
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
-----Original Message----- From: Mike Jones Sent: Wednesday, August 15, 2012 4:19 PM To: 'Harry Halpin'; Jim Schaad; Karen O'Donoghue; jose-chairs@tools.ietf.org Cc: jose@ietf.org Subject: RE: JOSE WG request from W3C WebCrypto API Thanks for writing, Harry and WebCrypto WG. 1) About private keys, given the WebCrypto use case, I personally think it would be valuable for JOSE to define a JSON private key representation. To make this concrete, I would propose the private key representations specified in http://tools.ietf.org/html/draft-jones-jose-json-private-key. You'll see that doing this is very simple; it just defines two additional members for the JWK structure for representing the private parts of Elliptic Curve and RSA keys. This could either remain a separate spec from JWK/JWA or be merged in, at the working group's preference. I had previously agreed with the position that it was not necessary for JOSE to define private key representations because we didn't have a use case for it. However, as I see it, the W3C WebCrypto API use case changes things. Better for JOSE to be responsive to WebCrypto and add this simple extension, either as a new spec or in the existing specs, than to leave this undone, and have it potentially be an area where otherwise standards-compliant implementations diverge, and where JSON-only solutions are not possible. Finally, I'll note that the JOSE charter http://datatracker.ietf.org/wg/jose/charter/ does not preclude defining private key formats. (It simply requires the definition of public key formats and is silent on the topic of private keys.) 2) I agree on the likely need for WebCrypto support ASN.1 for backwards compatibility in some cases (just as the JOSE specs allow the use of X.509 certificates). However, I believe it would be a shame to preclude JSON-only solutions by not supporting key import/export in JWK format, where such solutions make sense. 3) It appears to me the JWK format is stable. I believe the JWS format is stable as well. The JWE format has known changes that will be applied shortly, based upon working group discussions at IETF 84 in Vancouver two weeks ago. Some JWA changes will occur that are part of the JWE changes. I don't anticipate significant changes after that. (Making these changes is my highest priority as JOSE editor. I'm hoping to have drafts out containing them by the end of August, which hopefully fits well with the WebCrypto schedule.) I write all of the above with the caveat that the working group is, of course, free to change things as they see fit. I look forward to a productive discussion of this coordination request in both working groups. Best wishes, -- Mike P.S. If you prefer, a HTML-formatted version of the private key spec is available at http://self-issued.info/docs/draft-jones-jose-json-private-key.html. I also blogged about this draft specification at http://self-issued.info/?p=816. -----Original Message----- From: Harry Halpin [mailto:hhalpin@w3.org] Sent: Sunday, August 12, 2012 8:03 AM To: Jim Schaad; Karen O'Donoghue; jose-chairs@tools.ietf.org; Mike Jones Subject: JOSE WG request from W3C WebCrypto API [cc'ing Mike Jones and Richard Barnes, who participate inboth WGs] JOSE Chairs, The Web Cryptography Working group has noted that the API requires some access to raw key material, and the issue of whether or not to use JWK or ASN.1 as the default format came up. Two issues have come out that we'd like to know the answer to: 1) JWK does not define a private key format. Does the JOSE WG plan to support a JOSE-format for private keys? If so, when? Or 'maybe'? 2) While we'd like encourage the use of JOSE over ASN.1, it seems like for backwards compatibility having some level of ASN.1 support would be useful and we *need* a format that allows key material (both private and public) to be exported. Folks seem to leaning towards ASN.1 as a default format in the low-level API, and having JWK as a format that can be built on top of that in a possible high-level API. Would that be OK? 3) How stable do you believe the JOSE formats are right now? Do you think they are stable enough now we can reference them in our API draft at end of August? If not, when? The W3C would like to and plan to use these formats where possible. Feel free to forward this by JOSE WG for discussion. We'd like an answer before we send our document to FPWD at end of August. cheers, harry
Received on Wednesday, 15 August 2012 23:20:48 UTC