- From: Ryan Sleevi <sleevi@google.com>
- Date: Mon, 16 Dec 2013 08:08:22 -0800
- To: Harry Halpin <hhalpin@w3.org>
- Cc: Mike Jones <Michael.Jones@microsoft.com>, Mark Watson <watsonm@netflix.com>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
- Message-ID: <CACvaWvZs49XGDFQSBuNwYUrP62Q7qUpy7BmKvz77E=eXsh0-uw@mail.gmail.com>
On Mon, Dec 16, 2013 at 7:50 AM, Harry Halpin <hhalpin@w3.org> wrote: > On 12/16/2013 04:44 PM, Mike Jones wrote: > > From my point of view, it would be a lot cleaner to use a different JWK > identifier than “use”, such as “WebCrypto_uses” than to overload “use” with > different, but related values. It will hurt interoperation by creating > keys that use a common identifier differently, and in a non-interoperable > manner. It would be far better to use a different identifier, which can be > safely ignored by vanilla JWK implementations, rather than to overload the > standard identifier, and potentially cause JWK implementations to reject > the keys. > > > Mike, > > I think the way you would solve that problem would be to forbid people to > overload the identifier in the registry. However, would JWK implementations > actually reject the key if it used "use" in such a way? > > Normative guidance to JWK implementations should probably be given by JOSE > here. If no normative guidance is given in the specs and there is a > registry, then I would assume that a JWK implementation would accept. > Harry, the registry (and the blocker) are expert review. Presumably, that will mean someone from the JOSE WG. That's why I feel strongly about making sure that JOSE is on-board, even if it's not going to be in their specs. Without the registry established, and without the expert review, there's no guarantee at all that such an attribute - whether Webcrypto_use or extensions to use - would be accepted, and if implementations begin to ship based on that, then we're in a real tough pickle of de-facto standards, but without the IANA blessing. > > I see your point re not using "use" but we'll know about interoperability > only when actual interoperablity tests are done and normative guidance in > both JWK and WebCrypto are clear (and they should be compatible as regards > normative guidance on points of intersection), but the creation of a > different identifier also adds complexity. > > cheers, > harry > > > > > Since “use” is OPTIONAL, WebCrypto could also specify that it not be used > in a JWK when “WebCrypto_uses” is used, so that there’s no duplication of > information. > > > > -- Mike > > > > *From:* Mark Watson [mailto:watsonm@netflix.com <watsonm@netflix.com>] > *Sent:* Monday, December 16, 2013 7:37 AM > *To:* Ryan Sleevi > *Cc:* GALINDO Virginie; public-webcrypto@w3.org; Mike Jones > *Subject:* Re: JWK attributes for WebCrypto keys: last call > > > > > > Sent from my iPhone > > > On Dec 16, 2013, at 7:32 AM, Ryan Sleevi <sleevi@google.com> wrote: > > Were we not waiting to hear from JOSE? > > We heard from them that it is ok / intended for others to register new > use values for JWK and they have modified their specification accordingly. > > > > Separately, I have raised the question of whether we should change the > comma-separated string format for multiple use values to an Array. On this > there is no consensus yet, so we should stick with the format in the > proposal and now in the Editor's Draft. > > > > ...Mark > > > > On Dec 16, 2013 7:07 AM, "GALINDO Virginie" <Virginie.GALINDO@gemalto.com> > wrote: > > Dear all, > > FYI, as there was no comment to this call, the text proposed by Mark has > been integrated. > > Virginie > > > > *From:* Mark Watson [mailto:watsonm@netflix.com] > *Sent:* lundi 2 décembre 2013 17:32 > *To:* public-webcrypto@w3.org > *Subject:* JWK attributes for WebCrypto keys: last call > > > > All, > > > > On our call today we discussed the proposal for this [1] which I revised > as a result of the email/bug discussion (Comment 12 to [1]). There were no > further comments on the call and have been no further comments on the list. > > > > We agreed to send a "last chance" email to the list (that is what this > is). In the absence of comments we'll add this material to the editor's > draft. > > > > ...Mark > > > > [1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796 > > > ------------------------------ > > This message and any attachments are intended solely for the addressees > and may contain confidential information. Any unauthorized use or > disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for > the message if altered, changed or falsified. If you are not the intended > recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission > free from viruses, the sender will not be liable for damages caused by a > transmitted virus > > >
Received on Monday, 16 December 2013 16:08:52 UTC