Re: JWK import feature not described in the WebCrypto Draft from Ryan Sleevi on 2014-11-11 (public-webcrypto-comments@w3.org from November 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 10 Nov 2014 23:16:38 -0800
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: public-webcrypto-comments@w3.org
Message-ID: <CACvaWvZ_37cqBrOLp7MCuOEKTW79UMB2nEcMYkdt6QTqeOiy3Q@mail.gmail.com>

The TL:DR is that for a number of libraries, omitting these has profound
security implications. It is also a MUST from PKCS#1, and so to support
export of valid PKCS#1, it is implicitly a MUST for import of JWK.

Also, it's just plain good security.
On Nov 10, 2014 9:08 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
wrote:

> On 2014-11-11 07:55, Ryan Sleevi wrote:
>
>>
>> It is perfectly described as far as what the spec goes, to the same
>> degree at least that none of the implementations support RSA keys that are
>> not multiples of 8 bits, or that some only support keys of certain sizes.
>>
>>
> I see, you mean that it is up to each implementer to decide if JWK's
> SHOULD is to be interpreted as a MUST?
>
> Anders
>
>  On Nov 10, 2014 7:12 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com
>> <mailto:anders.rundgren.net@gmail.com>> wrote:
>>
>>     http://www.ietf.org/mail-archive/web/jose/current/msg04661.html
>>
>>     That is, JWK's SHOULD regarding "p", "q", "dp", "dq", "qi" has in
>> WebCrypto been interpreted as a MUST.
>>     This can't be entirely obvious neither for implementers nor users.
>>
>>     Anders
>>
>>
>

Received on Tuesday, 11 November 2014 07:17:05 UTC