"kty":"PBKDF2" feels unnecessary, though "kty":"password" would be useful. A
key set could have an entry like the following:
{
  "kty":"password",
  "alg":"PBES2-HS256+A128KW",
  "c-min":2000,
  "prompt":"Payment approval PIN",
  "hint":"last 4 digits of \u03C0"
}
The entry could also have a "password" field holding the actual password.
Mind you, I think mixing public (e.g. kty, alg) and sensitive (e.g. hint, password)
fields side-by-side in a JSON object is a design guaranteed to lead to security
breaches from poor handling.
--
James Manger
From: Richard Barnes [mailto:[email protected]]
Sent: Wednesday, 17 July 2013 9:37 AM
To: Mike Jones
Cc: Matt Miller (mamille2); Manger, James H; [email protected]
Subject: Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?
I was thinking that the "jwk" would be unnecessary. We could have "hint" at
the top level, or just use "kid" for that purpose.
--Richard
On Tue, Jul 16, 2013 at 7:30 PM, Mike Jones
<[email protected]> wrote:
If we move "s" and "c" to being header parameters from the JWK, would we still
need the JWK with "kty":"PBKDF2"? All that would be left would be the "hint"
JWK parameter.
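
Added example, not part of any message in this thread and not code from the JOSE drafts: a Python receiver that reads the salt "s" and iteration count "c" from the header and enforces the "c-min" of a "kty":"password" entry before deriving the AES-128 key-wrapping key. Assumptions: the raw salt is passed to PBKDF2 unchanged, MAX_COUNT and MIN_SALT_LEN are local policy values, and the PIN and salt are constructed sample data.

```python
import base64
import hashlib

# Constructed key-set entry in the shape proposed in the thread.
# "c-min" is the thread's proposed field, not a registered JWK parameter.
PASSWORD_ENTRY = {
    "kty": "password",
    "alg": "PBES2-HS256+A128KW",
    "c-min": 2000,
    "prompt": "Payment approval PIN",
}

# Constructed header carrying salt ("s") and count ("c") as header parameters.
SAMPLE_HEADER = {
    "alg": "PBES2-HS256+A128KW",
    "s": base64.urlsafe_b64encode(b"constructed-salt").rstrip(b"=").decode(),
    "c": 4096,
}

MAX_COUNT = 1_000_000  # assumed local ceiling: the count is attacker-supplied
MIN_SALT_LEN = 8       # assumed local minimum salt length in bytes


def b64url_decode(text):
    """Decode unpadded base64url text to bytes."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_kek(entry, header, password):
    """Return the 16-byte key-wrapping key, or raise ValueError."""
    if header.get("alg") != entry["alg"]:
        raise ValueError("header alg does not match the key entry")
    count = header.get("c")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(count, int) or isinstance(count, bool):
        raise ValueError("iteration count missing or not an integer")
    if count < entry["c-min"]:
        raise ValueError("iteration count below the entry's c-min")
    if count > MAX_COUNT:
        raise ValueError("iteration count above the local ceiling")
    if not isinstance(header.get("s"), str):
        raise ValueError("salt missing or not a string")
    salt = b64url_decode(header["s"])
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt too short")
    # Assumption: the decoded salt is used as the PBKDF2 salt as-is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, count, dklen=16)
```

The lower bound comes from the receiver's own key entry, so a sender cannot downgrade the work factor by putting a small "c" in the header.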