Re: JWK attributes for WebCrypto keys: last call

On 12/16/2013 04:44 PM, Mike Jones wrote:
>
> From my point of view, it would be a lot cleaner to use a different 
> JWK identifier than "use", such as "WebCrypto_uses" than to overload 
> "use" with different, but related values.  It will hurt interoperation 
> by creating keys that use a common identifier differently, and in a 
> non-interoperable manner.  It would be far better to use a different 
> identifier, which can be safely ignored by vanilla JWK 
> implementations, rather than to overload the standard identifier, and 
> potentially cause JWK implementations to reject the keys.
>

Mike,

I think the way you would solve that problem would be to forbid people 
to overload the identifier in the registry. However, would JWK 
implementations actually reject the key if it used "use" in such a way?

Normative guidance to JWK implementations should probably be given by 
JOSE here. If no normative guidance is given in the specs and there is a 
registry, then I would assume that a JWK implementation would accept.

I see your point re not using "use" but we'll know about 
interoperability only when actual interoperability tests are done and 
normative guidance in both JWK and WebCrypto are clear (and they should 
be compatible as regards normative guidance on points of intersection), 
but the creation of a different identifier also adds complexity.

    cheers,
       harry

> Since "use" is OPTIONAL, WebCrypto could also specify that it not be 
> used in a JWK when "WebCrypto_uses" is used, so that there's no 
> duplication of information.
>
> -- Mike
>
> *From:*Mark Watson [mailto:watsonm@netflix.com]
> *Sent:* Monday, December 16, 2013 7:37 AM
> *To:* Ryan Sleevi
> *Cc:* GALINDO Virginie; public-webcrypto@w3.org; Mike Jones
> *Subject:* Re: JWK attributes for WebCrypto keys: last call
>
> On Dec 16, 2013, at 7:32 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
>     Were we not waiting to hear from JOSE?
>
> We heard from them that it is ok / intended for others to register new 
> use values for JWK and they have modified their specification accordingly.
>
> Separately, I have raised the question of whether we should change the 
> comma-separated string format for multiple use values to an Array. On 
> this there is no consensus yet, so we should stick with the format in 
> the proposal and now in the Editor's Draft.
>
> ...Mark
>
>     On Dec 16, 2013 7:07 AM, "GALINDO Virginie"
>     <Virginie.GALINDO@gemalto.com> wrote:
>
>     Dear all,
>
>     FYI, as there was no comment to this call, the text proposed by
>     Mark has been integrated.
>
>     Virginie
>
>     *From:* Mark Watson [mailto:watsonm@netflix.com]
>     *Sent:* Monday 2 December 2013 17:32
>     *To:* public-webcrypto@w3.org
>     *Subject:* JWK attributes for WebCrypto keys: last call
>
>     All,
>
>     On our call today we discussed the proposal for this [1] which I
>     revised as a result of the email/bug discussion (Comment 12 to
>     [1]). There were no further comments on the call and have been no
>     further comments on the list.
>
>     We agreed to send a "last chance" email to the list (that is what
>     this is). In the absence of comments we'll add this material to
>     the editor's draft.
>
>     ...Mark
>
>     [1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796
>

Received on Monday, 16 December 2013 15:51:12 UTC
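
The interoperability question debated in this thread, as an added example that is not part of any message here or of the JWK or WebCrypto specifications: the same key is expressed once with an overloaded comma-separated "use" and once with the separate "WebCrypto_uses" member Mike suggests, then fed to two consumers. Both consumers and the sample usage strings are hypothetical models constructed for illustration.

```javascript
// Added illustration, not code from the thread, JOSE, or the WebCrypto draft.
// Both consumers are hypothetical models of the two behaviours under discussion.
const STANDARD_USES = new Set(["sig", "enc"]); // "use" values defined by JWK itself

// Strict consumer (assumption): rejects any "use" value it does not recognise,
// but ignores members it does not understand.
function strictAccepts(jwk) {
  if (typeof jwk.kty !== "string") return false;
  return jwk.use === undefined || STANDARD_USES.has(jwk.use);
}

// Lenient consumer (assumption): accepts any string in "use", as it might if a
// registry allowed new values and no normative text required rejection.
function lenientAccepts(jwk) {
  if (typeof jwk.kty !== "string") return false;
  return jwk.use === undefined || typeof jwk.use === "string";
}

// WebCrypto-side reader: takes usages from the separate member when present,
// otherwise from the comma-separated "use" string.
function webCryptoUsages(jwk) {
  const raw = jwk.WebCrypto_uses !== undefined ? jwk.WebCrypto_uses : jwk.use;
  if (typeof raw !== "string") return [];
  return raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Constructed sample keys; the key material is a placeholder.
const overloaded = { kty: "oct", k: "PLACEHOLDER", use: "encrypt,decrypt" };
const separate = { kty: "oct", k: "PLACEHOLDER", WebCrypto_uses: "encrypt,decrypt" };

// Run every consumer over both encodings of the same key.
function compare() {
  return [overloaded, separate].map((jwk) => ({
    strict: strictAccepts(jwk),
    lenient: lenientAccepts(jwk),
    usages: webCryptoUsages(jwk),
  }));
}

console.log(compare());
```

Only the overloaded form depends on how the consumer treats unrecognised "use" values; the separate member carries the same usages and is accepted by both models.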