RSA JWK import from Charles Engelke on 2016-08-16 (public-webcrypto@w3.org from August 2016)

From: Charles Engelke <w3c@engelke.com>
Date: Tue, 16 Aug 2016 13:30:56 -0400
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CAFeVzdykgyMt9eoZEaV3KzA_PFGQdyFUu7S5kv8U-jayLtE6Zg@mail.gmail.com>

As I read the WebCryptoAPI spec and RFC 7518 to which it refers, importKey
for private RSA keys in JWK format requires only the basic parameters kty,
n, e, and d. The RFC says that the JWK format SHOULD (but is not REQUIRED
to) include the other parameters p, q, dp, dq, qi and in some cases oth.

Based on my tests, both Chrome and Firefox (on Linux anyway) require that
all the parameters, not just the ones the RFC says must be required, be
included to use importKey.

Am I misreading the spec, or are Chrome and Firefox both requiring more
than the spec does? And if they are, do we want to change the spec to have
the more restrictive language in it?

Charlie

Received on Tuesday, 16 August 2016 17:31:25 UTC