Re: [Bug 23796] New: Define JWK attributes needed to represent a WebCrypto Key from Mark Watson on 2013-11-13 (public-webcrypto@w3.org from November 2013)

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 13 Nov 2013 09:36:22 +0800
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Ryan Sleevi <sleevi@google.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CAEnTvdA77orfHqfFOHX5OMvnL5i=NkgZ=CpjkehQtRYkueLgKw@mail.gmail.com>
[To everyone this time]


On Wed, Nov 13, 2013 at 9:13 AM, Mike Jones <Michael.Jones@microsoft.com>wrote:

> Thanks for asking, Ryan.
>
> The -18 JWA draft allows registration of non-JOSE algorithms for use with
> JWK.  See the updated registration template at
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18#section-7.1.1.
>  This capability was put in precisely so WebCrypto can use JWKs for
> algorithms that may not be acceptable themselves for use in JWS or JWE
> objects.
>
> These registrations would contain these registration parameters:
>
> Algorithm Usage Location(s): JWK
> Implementation Requirements: Prohibited
>
> For instance, I expect that a WebCrypto spec will be written that
> registers "A128CBC", etc.  Its use with JWE would be prohibited because it
> is not an authenticated encryption algorithm.  But it could still be used
> in a JWK - for instance, by WebCrypto.
>
> Let me know if you have any questions.  I believe it's definitely the
> intent of the JOSE working group to work with WebCrypto to make sure that
> JWK can be used a way that meets WebCrypto's needs.
>
>                                 -- Mike
>
> P.S.  Can you point me to a doc or e-mail thread that defines the proposed
> "ext" and "uses" JWK parameters?
>

I proposed these here: https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796

It might be clearer if the "Implementation requirements" section of the
template was named "JWE/JWS Implementation Requirements", since,
unqualified, "Implementation requirements: Prohibited" reads as a little
proscriptive.

...Mark



>
> -----Original Message-----
> From: Ryan Sleevi [mailto:sleevi@google.com]
> Sent: Monday, November 11, 2013 6:07 PM
> To: public-webcrypto@w3.org
> Cc: Mike Jones
> Subject: Fwd: [Bug 23796] New: Define JWK attributes needed to represent a
> WebCrypto Key
>
> I just wanted to make sure the group was aware of this bug, since it
> overlaps with the JOSE work, and because the proposed algorithms added to
> the registry have the possibility of significantly weakening or undermining
> the JOSE algorithm selections.
>
> Mike, as JOSE liason, could you comment here on the proposal?
>
>
> ---------- Forwarded message ----------
> From:  <bugzilla@jessica.w3.org>
> Date: Mon, Nov 11, 2013 at 5:44 PM
> Subject: [Bug 23796] New: Define JWK attributes needed to represent a
> WebCrypto Key
> To: sleevi@google.com
>
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796
>
>             Bug ID: 23796
>            Summary: Define JWK attributes needed to represent a WebCrypto
>                     Key
>            Product: Web Cryptography
>            Version: unspecified
>           Hardware: PC
>                 OS: All
>             Status: NEW
>           Severity: normal
>           Priority: P2
>          Component: Web Cryptography API Document
>           Assignee: sleevi@google.com
>           Reporter: watsonm@netflix.com
>
> The JOSE working group has decided that it will not specify attributes /
> algorithms that are not needed for the JOSE Encryption and Signature
> standards (JWE and JWS). However, they do intend that JOSE structure may
> have other applications and are thus establishing IANA registries to allow
> others to extend JWK, JWE and JWS.
>
> So, responsibility for defining the JWK attributes needed to represent a
> WebCrypto Key object falls to the WebCrypto group, not JOSE.
>
> Here is a proposal for additional WebCrypto sections to this end:
>
> y. Representation of WebCrypto Key objects using JSON Web Key
>
> The KeyFormat value "jwk" enables Key objects to be imported or exported
> in JSON Web Key [reference].
>
> This specification defines additional JWK attributes and attribute values
> that may be used for this purpose as follows:
>
>    o  Additional "alg" names for algorithms supported by WebCrypto by not
> used by JSON Web Encryption or JSON Web Algorithms
>    o  A new "uses" attribute enabling multiple specific useages to be
> associated with a key
>    o  A new "ext" attribute providing the value of the WebCrypto Key's
> extractable attribute.
>
> y.1 JWK algorithm names for WebCrypto algorithms
>
> This specification defines additional JWK algorithm names associated with
> WebCrypto algorithms as listed in the following table:
>
> WebCrypto Algorithm | Key Size | JWK "alg" value AES-CTR | 128 | A128CTR
> AES-CTR | 192 | A192CTR AES-CTR | 256 | A256CTR AES-CBC | 128 | A128CBC
> AES-CBC | 192 | A192CBC AES-CBC | 256 | A256CBC
>
> y.2 JWK "uses" attribute
>
> This specification defines a new JWK attribute "uses" that enables
> multiple key usages to be included in the JWK. Since WebCrypto usages
> distinguish encryption from decryption etc., wheras JOSE "use" values do
> not, new values are defined for the individual usages.
>
> The "uses" attribute shall have a value which is an array of strings. Each
> entry shall specify a single usage, as follows:
>
> WebCrypto KeyUsage value | Value in JWK uses array encrypt | enc decrypt |
> dec sign | sig verify | vfy deriveKey | derivekey deriveBits | derivebits
> wrapKey | wrap unwrapKey | unwrap
>
> The JWK "use" value "enc" shall be equivalent to the "uses" value [ "enc",
> "dec" ].
>
> The JWK "use" value "sig" shall be equivalent to the "uses" value [ "sig",
> "vfy" ].
>
> If both a "use" and "uses" value are specified and are different, then the
> "uses" value shall take precedance.
>
> y.3 JWK "ext" attribute
>
> This specification defines a new JWK attribute "ext" that enables the
> value of the extractable attribute of a WebCrypto Key to be included in a
> JWK object.
> The "ext" attribute SHALL have a Boolean value.
>
> x.  IANA Considerations
>
> x.1 JSON Web Signature and Encryption Algorithms Registration
>
> This section registers the following algorithm identifiers in the IANA
> JSON Web Signature and Encryption Algorithms Registry.
>
>    o  Algorithm Name: "A128CBC"
>    o  Algorithm Description: AES CBC using 128 bit key
>    o  Algorithm Usage Location(s): "alg"
>    o  Implementation Requirements: Optional
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): [[ this document ]]
>
>    o  Algorithm Name: "A192CBC"
>    o  Algorithm Description: AES CBC using 192 bit key
>    o  Algorithm Usage Location(s): "alg"
>    o  Implementation Requirements: Optional
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): [[ this document ]]
>
>    o  Algorithm Name: "A256CBC"
>    o  Algorithm Description: AES CBC using 256 bit key
>    o  Algorithm Usage Location(s): "alg"
>    o  Implementation Requirements: Optional
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): [[ this document ]]
>
>    o  Algorithm Name: "A128CTR"
>    o  Algorithm Description: AES CTR using 128 bit key
>    o  Algorithm Usage Location(s): "alg"
>    o  Implementation Requirements: Optional
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): [[ this document ]]
>
>    o  Algorithm Name: "A192CTR"
>    o  Algorithm Description: AES CTR using 192 bit key
>    o  Algorithm Usage Location(s): "alg"
>    o  Implementation Requirements: Optional
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): [[ this document ]]
>
>    o  Algorithm Name: "A256CTR"
>    o  Algorithm Description: AES CTR using 256 bit key
>    o  Algorithm Usage Location(s): "alg"
>    o  Implementation Requirements: Optional
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): [[ this document ]]
>
> x.2 JSON Web Key Parameters Registry
>
>    o  Parameter Name: "ext"
>    o  Used with "kty" Value(s): *
>    o  Parameter Information Class: Public
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): Section y.2 of [[ this document ]]
>
>    o  Parameter Name: "uses"
>    o  Used with "kty" Value(s): *
>    o  Parameter Information Class: Public
>    o  Change Controller: W3C WebCrypto working group
>    o  Specification Document(s): Section y.1 of [[ this document ]]
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
>
>
Received on Wednesday, 13 November 2013 01:36:51 UTC