I wasn't saying that it should be a separate parameter. It's just not
necessary in a lot of cases. If you have a 16-octet value in
"encrypted_key", then you don't need to specify the key length; you could
just say "AES-GCM", and the implementation would know it was AES-128-GCM
based on the length of the key. Worse, as it is, there can be conflict.
What should an implementation do with "enc":"A128GCM" with a 32-octet
"encrypted_key"? Use the first 16 octets? The last? Reject?
OTOH, for the cases where a KEK is derived, you do need to specify a key
length for the KEK. So you could either do (1) "ECDH-ES+AES-KW" with a
"dkLen" parameter (as in PKCS#5), or (2) "ECDH-ES+A128KW". If I were
designing from clean slate, I would prefer #1, but I can live with #2.
PROPOSAL: Remove key lengths in cases where it's not required ("A*GCM",
"A*KW", "A*GCMKW"), since the length of the key will be clear from the
"encrypted_key" value (or for "dir", from provisioning). Leave them in the
"alg" values, since you need to specify key length there.
PROS:
-- Mitigate combinatorial explosion (don't need one identifier per key type)
-- Avoid conflict issues
-- Save 3 octets if you don't care about being pretty ("AGCM" instead of
"A128GCM", though I would prefer "AES-GCM")
-- Parallelism with the JWS algorithms (e.g., "HS256"), which don't specify
key length
CONS:
-- Requires existing implementations to support additional algorithm
identifiers (note: doesn't preclude supporting the old algorithm
identifiers!)
On Fri, Jul 19, 2013 at 1:13 PM, John Bradley <[email protected]> wrote:
> +1 I don't think taking the length out of the algorithm and making it a
> separate parameter is a good way to go.
>
> On 2013-07-19, at 1:11 PM, "Jim Schaad" <[email protected]> wrote:
>
> We need to keep key lengths in algorithm ids for the purpose of key
> derivation. Additionally there would need to be some way to signal the key
> length to the system when doing key generation****
>
> i.e. you would need to change****
> jose.SetCEKAlgorithm(“AES128”) to****
> jose.SetCEKAlgoirthm(“AES”, 128)****
>
> jim****
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of
> *Richard Barnes
> *Sent:* Friday, July 19, 2013 9:47 AM
> *To:* John Bradley
> *Cc:* Mike Jones; [email protected]
> *Subject:* Re: [jose] 192 bit AES keys****
> ** **
> Or we could just remove the key lengths from the algorithm IDs altogether
> ;) They really don't add any value.****
>
> ** **
> On Thu, Jul 18, 2013 at 6:17 PM, John Bradley <[email protected]> wrote:**
> **
> I am OK with registering the 192 bit versions.
>
> Sent from my iPhone****
>
>
> On Jul 18, 2013, at 5:17 PM, Mike Jones <[email protected]>
> wrote:****
>
> Richard had previously requested that we register algorithm identifiers
> for AES using 192 bit keys. As he previously pointed out, “It seems like
> if we're going to support AES, then we should support AES. Every AES
> library I know of supports all three key lengths, so it's not like there's
> extra cost besides the registry entry.” (I’ll note that we already have
> algorithm identifiers for the “mid-size” HMAC and signature functions
> “HS384”, “RS384”, and “ES384”.)****
> ****
> I heard no objections at the time. I’m therefore thinking that we should
> register algorithm identifiers for these key sizes as well. Specifically,
> we would add:****
> “A192KW”, “ECDH-ES+A192KW”, “A192GCMKW”, “PBES2-HS256+A192KW”,
> “A192CBC-HS384”, and “A192GCM”. Support for these algorithms would be
> optional.****
> ****
> What do people think?****
> ****
> -- Mike****
> ****
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose****
>
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose****
>
>
>
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
