Fwd: RE: JOSE WG request from W3C WebCrypto API

Here's the official response from the JOSE WG chair. It appears that 
private key export is out of scope, thus we will do ASN.1. I will 
clarify with them that we plan for JOSE formats to be supported by a 
"higher-level" API. Also some info re stability and conversion from 
ASN.1->JOSE.  cheers, harry

-------- Original Message --------
Subject: 	RE: JOSE WG request from W3C WebCrypto API
Date: 	Sun, 12 Aug 2012 11:56:02 -0700
From: 	Jim Schaad <ietf@augustcellars.com>
To: 	'Harry Halpin' <hhalpin@w3.org>
CC: 	<jose@ietf.org>

> -----Original Message-----
> From: Harry Halpin [mailto:hhalpin@w3.org]
> Sent: Sunday, August 12, 2012 8:03 AM
> To: Jim Schaad; Karen O'Donoghue; jose-chairs@tools.ietf.org; Michael
> Subject: JOSE WG request from W3C WebCrypto API
> [cc'ing Mike Jones and Richard Barnes, who participate inboth WGs]
> JOSE Chairs,
> The Web Cryptography Working group has noted that the API requires some
> access to raw key material, and the issue of whether or not to use JWK or
> ASN.1 as the default format came up. Two issues have come out that we'd
> like to know the answer to:
> 1) JWK does not define a private key format. Does the JOSE WG plan to
> support a JOSE-format for private keys? If so, when? Or 'maybe'?

The working group policy is that there will be no private key format defined
for JWK.  This issue has been explicitly discussed by the working group and
there are no plans to change that going forward.

>   2) While we'd like encourage the use of JOSE over ASN.1, it seems like
> backwards compatibility having some level of ASN.1 support would be useful
> and we *need* a format that allows key material (both private and
> public) to be exported. Folks seem to leaning towards ASN.1 as a default
> format in the low-level API, and having JWK as a format that can be built
> top of that in a possible high-level API. Would that be OK?

It would probably be preferable to be able to import/export private key
material as ASN.1.  But to allow for the import/export of public key
material in either the ASN.1 or JOSE format.  This would simplify the
implementation efforts for JOSE developers.

I don't believe that it would be good to have systems that use JOSE to need
to download script that did the ASN.1 to JOSE conversions.  If you supported
the ASN.1 blob at the SubjectPublicKeyInfo structure level, then an
independent function could be placed in systems to do the conversion between
the two formats.  If you make it a high-level API, I would be worried about
the support level provided by browsers.

>   3) How stable do you believe the JOSE formats are right now? Do you
> they are stable enough now we can reference them in our API draft at end
> August? If not, when?  The W3C would like to and plan to use these formats
> where possible.

There are currently no open issues for discussion on the formats for
asymmetric key formats; however there are some questions about the set of
algorithms and key sizes for symmetric keys.  While I have no reason to
believe that there will be a change in the key formats, I cannot promise
that there will not be one.

Jim Schaad
Jose WG Chair

> Feel free to forward this by JOSE WG for discussion. We'd like an answer
> before we send our document to FPWD at end of August.
>   cheers,
>       harry

Received on Monday, 13 August 2012 17:28:07 UTC