RE: JWK attributes for WebCrypto keys: last call

You're making a mountain out of a molehill, Ryan.  Just use a different property name, since you're conveying different semantics.  It's clean and easy.  That's exactly the kind of thing that the JWK extensibility is for.

                                                            -- Mike

From: Ryan Sleevi [mailto:sleevi@google.com]
Sent: Monday, December 16, 2013 8:14 AM
To: Mike Jones
Cc: Mark Watson; GALINDO Virginie; public-webcrypto@w3.org
Subject: Re: JWK attributes for WebCrypto keys: last call



On Mon, Dec 16, 2013 at 8:09 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
I strongly suggest that you reconsider using a different attribute such as "WebCrypto_uses".  This will cause no conflicts and would allow you to use an array, saving the complexity of parsing.  The comma-separated thing is a gross hack.

There's also a risk of the "use" registrations being rejected by the Designated Experts on the ground of duplication if you insist on trying to register additional values with similar meanings "enconly" alongside "enc", etc.  See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18#section-7 for the instructions to the Designated Experts.  (No, experts haven't been appointed yet, so this is speculation, but for risk management purposes, I would stay away from registration requests that might fall afoul of the Designated Experts, when they are appointed.)

I would suggest that if the Designated Experts feel that it's better to create multiple fields for "use", in order to preserve special meaning of JWK for JWE/JWS, rather than simply treat JWK as a key container format, then WebCrypto would be better not using JWK at all, and using something "JWK-like".

I'm not a fan of "forking standards" by any means, but to me, such a signal by the DE (or by JOSE) is a sign that they only see JWK for use with "their" specs, and this would make it clearly inappropriate for use with WebCrypto as a suitable key container format (particularly since it does not implement JWE/JWS).


Maybe you can talk about using a different JWK member name on the call.  (I can't join it because of family functions at present.)

                                                            -- Mike

From: Mark Watson [mailto:watsonm@netflix.com]
Sent: Monday, December 16, 2013 7:51 AM
To: Mike Jones
Cc: Ryan Sleevi; GALINDO Virginie; public-webcrypto@w3.org
Subject: Re: JWK attributes for WebCrypto keys: last call



On Mon, Dec 16, 2013 at 7:44 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
From my point of view, it would be a lot cleaner to use a different JWK identifier than "use", such as "WebCrypto_uses" than to overload "use" with different, but related values.  It will hurt interoperation by creating keys that use a common identifier differently, and in a non-interoperable manner.  It would be far better to use a different identifier, which can be safely ignored by vanilla JWK implementations, rather than to overload the standard identifier, and potentially cause JWK implementations to reject the keys.

This is what I originally proposed and there was strong push-back: See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796

Given that both the value space of "use" and the set of attributes are subject to extension through IANA, it's not clear why a JWK library would take a different approach to unrecognized "use" values than it does to unrecognized attributes.

...Mark



Since "use" is OPTIONAL, WebCrypto could also specify that it not be used in a JWK when "WebCrypto_uses" is used, so that there's no duplication of information.

                                                            -- Mike

From: Mark Watson [mailto:watsonm@netflix.com]
Sent: Monday, December 16, 2013 7:37 AM
To: Ryan Sleevi
Cc: GALINDO Virginie; public-webcrypto@w3.org; Mike Jones
Subject: Re: JWK attributes for WebCrypto keys: last call




On Dec 16, 2013, at 7:32 AM, Ryan Sleevi <sleevi@google.com> wrote:

Were we not waiting to hear from JOSE?
We heard from them that it is ok / intended for others to register new use values for JWK and they have modified their specification accordingly.

Separately, I have raised the question of whether we should change the comma-separated string format for multiple use values to an Array. On this there is no consensus yet, so we should stick with the format in the proposal and now in the Editor's Draft.

...Mark

On Dec 16, 2013 7:07 AM, "GALINDO Virginie" <Virginie.GALINDO@gemalto.com> wrote:
Dear all,
FYI, as there was no comment to this call, the text proposed by Mark has been integrated.
Virginie

From: Mark Watson [mailto:watsonm@netflix.com]
Sent: Monday, 2 December 2013 17:32
To: public-webcrypto@w3.org
Subject: JWK attributes for WebCrypto keys: last call

All,

On our call today we discussed the proposal for this [1] which I revised as a result of the email/bug discussion (Comment 12 to [1]). There were no further comments on the call and have been no further comments on the list.

We agreed to send a "last chance" email to the list (that is what this is). In the absence of comments we'll add this material to the editor's draft.

...Mark

[1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796


Received on Monday, 16 December 2013 16:19:29 UTC