Re: JWK attributes for WebCrypto keys: last call from Ryan Sleevi on 2013-12-16 (public-webcrypto@w3.org from December 2013)

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 16 Dec 2013 08:08:22 -0800
To: Harry Halpin <hhalpin@w3.org>
Cc: Mike Jones <Michael.Jones@microsoft.com>, Mark Watson <watsonm@netflix.com>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CACvaWvZs49XGDFQSBuNwYUrP62Q7qUpy7BmKvz77E=eXsh0-uw@mail.gmail.com>

On Mon, Dec 16, 2013 at 7:50 AM, Harry Halpin <hhalpin@w3.org> wrote:

>  On 12/16/2013 04:44 PM, Mike Jones wrote:
>
>  From my point of view, it would be a lot cleaner to use a different JWK
> identifier than “use”, such as “WebCrypto_uses” than to overload “use” with
> different, but related values.  It will hurt interoperation by creating
> keys that use a common identifier differently, and in a non-interoperable
> manner.  It would be far better to use a different identifier, which can be
> safely ignored by vanilla JWK implementations, rather than to overload the
> standard identifier, and potentially cause JWK implementations to reject
> the keys.
>
>
> Mike,
>
> I think the way you would solve that problem would be to forbid people to
> overload the identifier in the registry. However, would JWK implementations
> actually reject the key if it used "use" in such a way?
>
> Normative guidance to JWK implementations should probably be given by JOSE
> here. If no normative guidance is given in the specs and there is a
> registry, then I would assume that a JWK implementation would accept.
>

Harry, the registry (and the blocker) are expert review.

Presumably, that will mean someone from the JOSE WG. That's why I feel
strongly about making sure that JOSE is on-board, even if it's not going to
be in their specs. Without the registry established, and without the expert
review, there's no guarantee at all that such an attribute - whether
Webcrypto_use or extensions to use - would be accepted, and if
implementations begin to ship based on that, then we're in a real tough
pickle of de-facto standards, but without the IANA blessing.


>
> I see your point re not using "use" but we'll know about interoperability
> only when actual interoperablity tests are done and normative guidance in
> both JWK and WebCrypto are clear (and they should be compatible as regards
> normative guidance on points of intersection), but the creation of a
> different identifier also adds complexity.
>
>    cheers,
>       harry
>
>
>
>
> Since “use” is OPTIONAL, WebCrypto could also specify that it not be used
> in a JWK when “WebCrypto_uses” is used, so that there’s no duplication of
> information.
>
>
>
>                                                             -- Mike
>
>
>
> *From:* Mark Watson [mailto:watsonm@netflix.com <watsonm@netflix.com>]
> *Sent:* Monday, December 16, 2013 7:37 AM
> *To:* Ryan Sleevi
> *Cc:* GALINDO Virginie; public-webcrypto@w3.org; Mike Jones
> *Subject:* Re: JWK attributes for WebCrypto keys: last call
>
>
>
>
>
> Sent from my iPhone
>
>
> On Dec 16, 2013, at 7:32 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
>  Were we not waiting to hear from JOSE?
>
>  We heard from them that it is ok / intended for others to register new
> use values for JWK and they have modified their specification accordingly.
>
>
>
> Separately, I have raised the question of whether we should change the
> comma-separated string format for multiple use values to an Array. On this
> there is no consensus yet, so we should stick with the format in the
> proposal and now in the Editor's Draft.
>
>
>
> ...Mark
>
>
>
>  On Dec 16, 2013 7:07 AM, "GALINDO Virginie" <Virginie.GALINDO@gemalto.com>
> wrote:
>
> Dear all,
>
> FYI, as there was no comment to this call, the text proposed by Mark has
> been integrated.
>
> Virginie
>
>
>
> *From:* Mark Watson [mailto:watsonm@netflix.com]
> *Sent:* lundi 2 décembre 2013 17:32
> *To:* public-webcrypto@w3.org
> *Subject:* JWK attributes for WebCrypto keys: last call
>
>
>
> All,
>
>
>
> On our call today we discussed the proposal for this [1] which I revised
> as a result of the email/bug discussion (Comment 12 to [1]). There were no
> further comments on the call and have been no further comments on the list.
>
>
>
> We agreed to send a "last chance" email to the list (that is what this
> is). In the absence of comments we'll add this material to the editor's
> draft.
>
>
>
> ...Mark
>
>
>
> [1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796
>
>
>  ------------------------------
>
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus
>
>
>

Received on Monday, 16 December 2013 16:08:52 UTC