RE: [Bug 23796] New: Define JWK attributes needed to represent a WebCrypto Key from Mike Jones on 2013-11-13 (public-webcrypto@w3.org from November 2013)

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Wed, 13 Nov 2013 01:13:40 +0000
To: Ryan Sleevi <sleevi@google.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <4E1F6AAD24975D4BA5B168042967394377E79C70@TK5EX14MBXC287.redmond.corp.microsoft.>
Thanks for asking, Ryan.

The -18 JWA draft allows registration of non-JOSE algorithms for use with JWK.  See the updated registration template at http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18#section-7.1.1.  This capability was put in precisely so WebCrypto can use JWKs for algorithms that may not be acceptable themselves for use in JWS or JWE objects.

These registrations would contain these registration parameters:

Algorithm Usage Location(s): JWK
Implementation Requirements: Prohibited

For instance, I expect that a WebCrypto spec will be written that registers "A128CBC", etc.  Its use with JWE would be prohibited because it is not an authenticated encryption algorithm.  But it could still be used in a JWK - for instance, by WebCrypto.

Let me know if you have any questions.  I believe it's definitely the intent of the JOSE working group to work with WebCrypto to make sure that JWK can be used a way that meets WebCrypto's needs.

				-- Mike

P.S.  Can you point me to a doc or e-mail thread that defines the proposed "ext" and "uses" JWK parameters?

-----Original Message-----
From: Ryan Sleevi [mailto:sleevi@google.com] 
Sent: Monday, November 11, 2013 6:07 PM
To: public-webcrypto@w3.org
Cc: Mike Jones
Subject: Fwd: [Bug 23796] New: Define JWK attributes needed to represent a WebCrypto Key

I just wanted to make sure the group was aware of this bug, since it overlaps with the JOSE work, and because the proposed algorithms added to the registry have the possibility of significantly weakening or undermining the JOSE algorithm selections.

Mike, as JOSE liason, could you comment here on the proposal?


---------- Forwarded message ----------
From:  <bugzilla@jessica.w3.org>
Date: Mon, Nov 11, 2013 at 5:44 PM
Subject: [Bug 23796] New: Define JWK attributes needed to represent a WebCrypto Key
To: sleevi@google.com


https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796

            Bug ID: 23796
           Summary: Define JWK attributes needed to represent a WebCrypto
                    Key
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: watsonm@netflix.com

The JOSE working group has decided that it will not specify attributes / algorithms that are not needed for the JOSE Encryption and Signature standards (JWE and JWS). However, they do intend that JOSE structure may have other applications and are thus establishing IANA registries to allow others to extend JWK, JWE and JWS.

So, responsibility for defining the JWK attributes needed to represent a WebCrypto Key object falls to the WebCrypto group, not JOSE.

Here is a proposal for additional WebCrypto sections to this end:

y. Representation of WebCrypto Key objects using JSON Web Key

The KeyFormat value "jwk" enables Key objects to be imported or exported in JSON Web Key [reference].

This specification defines additional JWK attributes and attribute values that may be used for this purpose as follows:

   o  Additional "alg" names for algorithms supported by WebCrypto by not used by JSON Web Encryption or JSON Web Algorithms
   o  A new "uses" attribute enabling multiple specific useages to be associated with a key
   o  A new "ext" attribute providing the value of the WebCrypto Key's extractable attribute.

y.1 JWK algorithm names for WebCrypto algorithms

This specification defines additional JWK algorithm names associated with WebCrypto algorithms as listed in the following table:

WebCrypto Algorithm | Key Size | JWK "alg" value AES-CTR | 128 | A128CTR AES-CTR | 192 | A192CTR AES-CTR | 256 | A256CTR AES-CBC | 128 | A128CBC AES-CBC | 192 | A192CBC AES-CBC | 256 | A256CBC

y.2 JWK "uses" attribute

This specification defines a new JWK attribute "uses" that enables multiple key usages to be included in the JWK. Since WebCrypto usages distinguish encryption from decryption etc., wheras JOSE "use" values do not, new values are defined for the individual usages.

The "uses" attribute shall have a value which is an array of strings. Each entry shall specify a single usage, as follows:

WebCrypto KeyUsage value | Value in JWK uses array encrypt | enc decrypt | dec sign | sig verify | vfy deriveKey | derivekey deriveBits | derivebits wrapKey | wrap unwrapKey | unwrap

The JWK "use" value "enc" shall be equivalent to the "uses" value [ "enc", "dec" ].

The JWK "use" value "sig" shall be equivalent to the "uses" value [ "sig", "vfy" ].

If both a "use" and "uses" value are specified and are different, then the "uses" value shall take precedance.

y.3 JWK "ext" attribute

This specification defines a new JWK attribute "ext" that enables the value of the extractable attribute of a WebCrypto Key to be included in a JWK object.
The "ext" attribute SHALL have a Boolean value.

x.  IANA Considerations

x.1 JSON Web Signature and Encryption Algorithms Registration

This section registers the following algorithm identifiers in the IANA JSON Web Signature and Encryption Algorithms Registry.

   o  Algorithm Name: "A128CBC"
   o  Algorithm Description: AES CBC using 128 bit key
   o  Algorithm Usage Location(s): "alg"
   o  Implementation Requirements: Optional
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): [[ this document ]]

   o  Algorithm Name: "A192CBC"
   o  Algorithm Description: AES CBC using 192 bit key
   o  Algorithm Usage Location(s): "alg"
   o  Implementation Requirements: Optional
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): [[ this document ]]

   o  Algorithm Name: "A256CBC"
   o  Algorithm Description: AES CBC using 256 bit key
   o  Algorithm Usage Location(s): "alg"
   o  Implementation Requirements: Optional
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): [[ this document ]]

   o  Algorithm Name: "A128CTR"
   o  Algorithm Description: AES CTR using 128 bit key
   o  Algorithm Usage Location(s): "alg"
   o  Implementation Requirements: Optional
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): [[ this document ]]

   o  Algorithm Name: "A192CTR"
   o  Algorithm Description: AES CTR using 192 bit key
   o  Algorithm Usage Location(s): "alg"
   o  Implementation Requirements: Optional
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): [[ this document ]]

   o  Algorithm Name: "A256CTR"
   o  Algorithm Description: AES CTR using 256 bit key
   o  Algorithm Usage Location(s): "alg"
   o  Implementation Requirements: Optional
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): [[ this document ]]

x.2 JSON Web Key Parameters Registry

   o  Parameter Name: "ext"
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): Section y.2 of [[ this document ]]

   o  Parameter Name: "uses"
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: W3C WebCrypto working group
   o  Specification Document(s): Section y.1 of [[ this document ]]

--
You are receiving this mail because:
You are the assignee for the bug.
Received on Wednesday, 13 November 2013 01:14:56 UTC