Re: JWK attributes for WebCrypto keys: last call

On Mon, Dec 16, 2013 at 8:16 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> JWK is a general-purpose key format.  “use” is a simple optional key use
> designator within that format.  The format is extensible.  There’s no
> barrier to WebCrypto defining and registering a different finer-grained key
> use designator for that format as well.  Just use a different name and
> define the set of values.
>
> I’m not sure why people seem hell-bent on cramming finer-grained
> multi-valued use values into a single-valued property.  Doing it right and
> creating a different property is so much easier.
>
>                                                             -- Mike
>

Because we would hope that an IETF standard would accommodate multiple use
cases beyond JWE/JWS, which seems to be a design flaw - whether
intentional from design philosophy or accidental from the fact that JWE/JWS
were the only users of JWK at the time - that it would fail to accommodate
such a use case, one that has long been recognized by other key formats.

You're absolutely correct that we could specify "WebCrypto_use" - but it
would seem like, for symmetry and following that design logic, JWK's "use"
should be "JWE_use" or "JWS_use", or something equally spec-specific.

I'm sure the visceral reaction to such a design proposal is negative, which
is, I think, what some of us are feeling with a suggestion that
"WebCrypto_use" is somehow a clean or elegant solution for the intransigent
inflexibility of JWK.


>
>
> *From:* Ryan Sleevi [mailto:sleevi@google.com]
> *Sent:* Monday, December 16, 2013 8:11 AM
> *To:* Mike Jones
> *Cc:* Mark Watson; GALINDO Virginie; public-webcrypto@w3.org
>
> *Subject:* Re: JWK attributes for WebCrypto keys: last call
>
> On Mon, Dec 16, 2013 at 7:44 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> From my point of view, it would be a lot cleaner to use a different JWK
> identifier than “use”, such as “WebCrypto_uses” than to overload “use” with
> different, but related values.  It will hurt interoperation by creating
> keys that use a common identifier differently, and in a non-interoperable
> manner.  It would be far better to use a different identifier, which can be
> safely ignored by vanilla JWK implementations, rather than to overload the
> standard identifier, and potentially cause JWK implementations to reject
> the keys.
>
> Mike,
>
> Respectfully, this makes no sense to me.
>
> I could understand your argument if the basis were that it hurt
> interoperability with JWE/JWS libraries, but that's not the argument you
> made - you suggested it hurts interoperability with "vanilla JWK
> implementations". There is, I believe, an inherent assumption that "vanilla
> JWK implementations" == "JWE and JWS", but I don't think that's the case at
> all, nor do I think that's a fair sign for the JOSE efforts if that is
> believed to be the case.
>
> If JWK is meant to be a key descriptor/key container format, for use in a
> variety of specifications (including JWE and JWS, but also WebCrypto), then
> supporting extensions to "use" per the relevant specifications seems
> absolutely the correct approach. However, if your view is that JWK is
> "really" only meant for JWE/JWS, and everything else should either extend
> JWE/JWS or define custom attributes, well, then I think this WG is making a
> mistake by attaching to JWK, since it's clear that is not the authors'
> intent.
>
> Cheers
>
> Since “use” is OPTIONAL, WebCrypto could also specify that it not be used
> in a JWK when “WebCrypto_uses” is used, so that there’s no duplication of
> information.
>
>                                                             -- Mike
>
> *From:* Mark Watson [mailto:watsonm@netflix.com]
> *Sent:* Monday, December 16, 2013 7:37 AM
> *To:* Ryan Sleevi
> *Cc:* GALINDO Virginie; public-webcrypto@w3.org; Mike Jones
> *Subject:* Re: JWK attributes for WebCrypto keys: last call
>
> Sent from my iPhone
>
>
> On Dec 16, 2013, at 7:32 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
> Were we not waiting to hear from JOSE?
>
> We heard from them that it is ok / intended for others to register new
> use values for JWK and they have modified their specification accordingly.
>
> Separately, I have raised the question of whether we should change the
> comma-separated string format for multiple use values to an Array. On this
> there is no consensus yet, so we should stick with the format in the
> proposal and now in the Editor's Draft.
>
> ...Mark
>
> On Dec 16, 2013 7:07 AM, "GALINDO Virginie" <Virginie.GALINDO@gemalto.com>
> wrote:
>
> Dear all,
>
> FYI, as there was no comment to this call, the text proposed by Mark has
> been integrated.
>
> Virginie
>
> *From:* Mark Watson [mailto:watsonm@netflix.com]
> *Sent:* Monday, 2 December 2013 17:32
> *To:* public-webcrypto@w3.org
> *Subject:* JWK attributes for WebCrypto keys: last call
>
> All,
>
> On our call today we discussed the proposal for this [1] which I revised
> as a result of the email/bug discussion (Comment 12 to [1]). There were no
> further comments on the call and have been no further comments on the list.
>
> We agreed to send a "last chance" email to the list (that is what this
> is). In the absence of comments we'll add this material to the editor's
> draft.
>
> ...Mark
>
> [1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796
>
>
>
>
>
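The two positions argued over in this thread (Mike's point that overloading "use" makes vanilla JWK implementations reject keys, while a separate member is safely ignored, and Mark's open question of a comma-separated string versus an Array for multiple use values) can be made concrete in code. The following is an added example written for this page; it is not code from the thread, from the WebCrypto editor's draft, or from the JOSE specifications. The member name `WebCrypto_uses` is taken from Mike's placeholder suggestion and is an assumption, not a name either group adopted; the fallback mapping from "sig"/"enc" to WebCrypto usages and the sample keys are likewise constructed for illustration.

```javascript
// Added example, not code from the thread or from the WebCrypto/JOSE specs.
// It contrasts overloading the JWK "use" member with multi-valued WebCrypto
// usages against carrying them in a separate member that a vanilla JWK
// consumer can ignore, and accepts both encodings under discussion.

// Registered single-valued "use" values a plain JWK consumer understands.
const JWK_USE_VALUES = new Set(["sig", "enc"]);

// Name of the separate WebCrypto member. ASSUMPTION: the thread only floats
// "WebCrypto_uses" as a placeholder; the real name is not fixed on this page.
const WEBCRYPTO_USES_MEMBER = "WebCrypto_uses";

// The eight WebCrypto KeyUsage values.
const KEY_USAGES = new Set([
  "encrypt", "decrypt", "sign", "verify",
  "deriveKey", "deriveBits", "wrapKey", "unwrapKey",
]);

// A "vanilla" JWK consumer: validates "use" if present and ignores members it
// does not know. Returns { ok: true, use } or { ok: false, reason }.
function vanillaJwkCheck(jwk) {
  if (!("use" in jwk)) return { ok: true, use: null }; // "use" is OPTIONAL
  if (typeof jwk.use !== "string" || !JWK_USE_VALUES.has(jwk.use)) {
    return { ok: false, reason: `unrecognised "use": ${JSON.stringify(jwk.use)}` };
  }
  return { ok: true, use: jwk.use };
}

// Parses the multi-valued usage list in either encoding under discussion:
// the comma-separated string in the editor's draft, or an Array.
// Returns a deduplicated Array; throws on anything that is not a key usage.
function parseKeyUsages(value) {
  let items;
  if (Array.isArray(value)) {
    items = value;
  } else if (typeof value === "string") {
    items = value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  } else {
    throw new TypeError("key usages must be a comma-separated string or an Array");
  }
  const usages = [];
  for (const u of items) {
    if (typeof u !== "string" || !KEY_USAGES.has(u)) {
      throw new RangeError(`not a WebCrypto key usage: ${JSON.stringify(u)}`);
    }
    if (!usages.includes(u)) usages.push(u);
  }
  return usages;
}

// WebCrypto-side import: reads the separate member and, following Mike's
// suggestion, rejects a key carrying both it and "use" so they cannot disagree.
function webCryptoUsagesFromJwk(jwk) {
  const ext = jwk[WEBCRYPTO_USES_MEMBER];
  if (ext !== undefined) {
    if ("use" in jwk) {
      throw new Error(`"use" and "${WEBCRYPTO_USES_MEMBER}" must not both be present`);
    }
    return parseKeyUsages(ext);
  }
  // ASSUMPTION: a coarse fallback from the two registered "use" values for a
  // symmetric key; the thread does not define this mapping.
  if (jwk.use === "sig") return ["sign", "verify"];
  if (jwk.use === "enc") return ["encrypt", "decrypt", "wrapKey", "unwrapKey"];
  return [];
}

// Constructed sample keys; the "k" values are placeholders, not key material.
const overloadedUse = { kty: "oct", k: "AAAA", use: "sign,verify" };
const separateMember = { kty: "oct", k: "AAAA", WebCrypto_uses: "sign,verify" };

console.log(vanillaJwkCheck(overloadedUse));         // overloaded "use" is rejected
console.log(vanillaJwkCheck(separateMember));        // unknown member is ignored
console.log(webCryptoUsagesFromJwk(separateMember)); // [ 'sign', 'verify' ]
```

Run with `node`: the first key is rejected by the strict consumer because "sign,verify" is not a registered "use" value, the second passes because the extra member is simply ignored, and the WebCrypto-side reader extracts the same usage list from either the string or the Array form.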

Received on Monday, 16 December 2013 16:21:14 UTC