As already fairly extensively discussed, many in the JOSE working group believe
that it is a security problem to use the same key for multiple uses.
Therefore, "use" is, and I believe should remain, single-valued.
Also, as discussed on the list, if WebCrypto wants to record additional key
properties in a JWK, that's no problem. Just register a new key parameter and
use it. For instance, you could register "webcrypto_uses" and use exactly the
same key uses parameters that WebCrypto uses. Use of "use" is optional, and
WebCrypto could specify whether it MUST, MUST NOT, or MAY also be used for
WebCrypto keys.
-- Mike
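As an added illustration of the arrangement Mike describes (not code from the thread, the JOSE drafts or the WebCrypto specification), the following validator keeps "use" single-valued and rejects both the Array and the comma-separated-list forms, while carrying WebCrypto KeyUsage values in a separate array parameter. The parameter name "webcrypto_uses" is taken from Mike's suggestion and is not a registered JWK parameter; the mapping of deriveKey/deriveBits to "enc" and the sample keys are this example's own assumptions.

```javascript
// Added example (not from the JOSE thread): validate the usage-related
// parameters of a parsed JWK. "use" stays a single string; WebCrypto
// usages live in the hypothetical "webcrypto_uses" array parameter.

// Registered JWK "use" values: "sig" for signatures, "enc" for encryption.
const JWK_USE_VALUES = new Set(["sig", "enc"]);

// WebCrypto KeyUsage values and the JWK "use" each is compatible with.
// Mapping deriveKey/deriveBits to "enc" is an assumption of this example.
const USAGE_TO_JWK_USE = {
  sign: "sig", verify: "sig",
  encrypt: "enc", decrypt: "enc",
  wrapKey: "enc", unwrapKey: "enc",
  deriveKey: "enc", deriveBits: "enc",
};

// Returns { ok, errors } so a caller can reject the key or log precisely.
function validateKeyUsage(jwk) {
  const errors = [];

  if ("use" in jwk) {
    // Keep "use" single-valued: no arrays, no comma-separated lists
    // (which would need yet another string parser).
    if (typeof jwk.use !== "string") {
      errors.push('"use" must be a single string, not ' +
        (Array.isArray(jwk.use) ? "an array" : typeof jwk.use));
    } else if (jwk.use.includes(",")) {
      errors.push('"use" must not be a comma-separated list');
    } else if (!JWK_USE_VALUES.has(jwk.use)) {
      errors.push('unknown "use" value: ' + jwk.use);
    }
  }

  // JWK "use" values implied by the WebCrypto usages on the key.
  const implied = new Set();
  if ("webcrypto_uses" in jwk) {
    const usages = jwk.webcrypto_uses;
    if (!Array.isArray(usages) || usages.length === 0) {
      errors.push('"webcrypto_uses" must be a non-empty array');
    } else {
      const seen = new Set();
      for (const usage of usages) {
        if (!(usage in USAGE_TO_JWK_USE)) {
          errors.push("unknown WebCrypto usage: " + usage);
          continue;
        }
        if (seen.has(usage)) errors.push("duplicate WebCrypto usage: " + usage);
        seen.add(usage);
        implied.add(USAGE_TO_JWK_USE[usage]);
      }
      // The key-separation concern from the thread: one key that both
      // signs and encrypts is flagged rather than silently accepted.
      if (implied.size > 1) {
        errors.push("usages mix signature and encryption on one key");
      }
    }
  }

  // Cross-check: a valid single "use" must agree with the WebCrypto usages.
  if (typeof jwk.use === "string" && JWK_USE_VALUES.has(jwk.use) &&
      implied.size === 1 && !implied.has(jwk.use)) {
    errors.push('"use" is "' + jwk.use + '" but WebCrypto usages imply "' +
      [...implied][0] + '"');
  }

  return { ok: errors.length === 0, errors };
}

// Constructed sample keys (metadata only; "k" is a placeholder, not real key material).
const SAMPLE_KEYS = {
  good:     { kty: "oct", kid: "c1", use: "enc", webcrypto_uses: ["encrypt", "decrypt"], k: "AAAA" },
  arrayUse: { kty: "oct", kid: "c2", use: ["sig", "enc"], k: "AAAA" },
  csvUse:   { kty: "oct", kid: "c3", use: "sig,enc", k: "AAAA" },
  mixed:    { kty: "oct", kid: "c4", webcrypto_uses: ["sign", "encrypt"], k: "AAAA" },
  mismatch: { kty: "oct", kid: "c5", use: "sig", webcrypto_uses: ["wrapKey"], k: "AAAA" },
};

for (const [name, jwk] of Object.entries(SAMPLE_KEYS)) {
  const result = validateKeyUsage(jwk);
  console.log(name + ": " + (result.ok ? "ok" : result.errors.join("; ")));
}
```

Only the first sample passes; the others show the three failure modes a consumer has to handle: a non-string "use", a comma-separated "use", and WebCrypto usages that either span signing and encryption on one key or contradict the declared "use". The final JWK specification (RFC 7517) later standardized a separate array parameter, "key_ops", for exactly this role, so a production validator would check that name instead of the hypothetical one used here.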
From: jose [mailto:[email protected]] On Behalf Of Mark Watson
Sent: Tuesday, December 10, 2013 1:09 PM
To: [email protected]
Subject: [jose] JWK "use" attribute and multiple uses
All,
Currently, the JWK "use" attribute effectively distinguishes between JWE
("enc") and JWA ("sign").
However, additional uses can be added to the registry and the W3C WebCrypto
group is planning to register use values corresponding to the KeyUsage values
defined for WebCrypto Key objects. These KeyUsage values include, for example,
encrypt, decrypt, sign, verify, wrap, unwrap etc.
A WebCrypto Key object may have multiple KeyUsages and so we have a question as
to how to represent that in JWK.
One proposal is to allow the use string to contain a comma-separated list of
values. We could register such a scheme directly with IANA.
It would be cleaner, though, since this is JSON, to allow this attribute to
have Array type where two or more usages are to be represented (it would remain
a string for the single-usage case). I've also had some negative feedback from
implementors about the comma-separated-value idea along
yet-another-string-parser lines.
Would it be possible to modify the Registry for JWK use values to allow data
types other than String to be registered?
...Mark
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose