Sent from my iPhone
On Dec 13, 2013, at 9:04 PM, Mike Jones <[email protected]> wrote:
> As already fairly extensively discussed, many in the JOSE working group
> believe that it is a security problem to use the same key for multiple
> uses. Therefore, “use” is, and I believe should remain, single-valued.
Well, this is in complete contradiction to the existing use values which
each encompass multiple actual uses (enc = encrypt, decrypt, wrap, unwrap
for example). I agree with the principle, but the current use definition in
JOSE doesn't.
> Also, as discussed on the list, if WebCrypto wants to record additional key
> properties in a JWK, that’s no problem. Just register a new key parameter
> and use it. For instance, you could register “webcrypto_uses” and use
> exactly the same key uses parameters that WebCrypto uses. Use of “use” is
> optional, and WebCrypto could specify whether it MUST, MUST NOT, or MAY
> also be used for WebCrypto keys.
There was strong push-back against registering a new attribute with
overlapping semantics and a preference for extending the existing attribute
defined for this purpose. That is what we have done for the 'single-use'
cases, but there are valid use-cases for multiple uses (e.g. both encrypt
and decrypt).
The only question here is whether we can register an Array type value or
whether we have to register a string value which is a comma-separated list
(with attendant parsing issues). It would be fine for JOSE to just relax
the requirement that use values are strings and allow them to have any
valid JSON value.
...Mark
> -- Mike
>
> From: jose [mailto:[email protected] <[email protected]>] On Behalf Of Mark Watson
> Sent: Tuesday, December 10, 2013 1:09 PM
> To: [email protected]
> Subject: [jose] JWK "use" attribute and multiple uses
>> All,
>>
>> Currently, the JWK "use" attribute effectively distinguishes between JWE
>> ("enc") and JWA ("sign").
>>
>> However, additional uses can be added to the registry and the W3C WebCrypto
>> group is planning to register use values corresponding to the KeyUsage
>> values defined for WebCrypto Key objects. These KeyUsage values include,
>> for example, encrypt, decrypt, sign, verify, wrap, unwrap etc.
>>
>> A WebCrypto Key object may have multiple KeyUsages and so we have a
>> question as to how to represent that in JWK.
>>
>> One proposal is to allow the use string to contain a comma-separated list
>> of values. We could register such a scheme directly with IANA.
>>
>> It would be cleaner, though, since this is JSON, to allow this attribute to
>> have Array type where two or more usages are to be represented (it would
>> remain a string for the single-usage case). I've also had some negative
>> feedback from implementors about the comma-separated-value idea along
>> yet-another-string-parser lines.
>>
>> Would it be possible to modify the Registry for JWK use values to allow
>> data types other than String to be registered?
>>
>> ...Mark
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose
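The arrangement argued over in this thread, a single-valued "use" kept alongside a separate array of WebCrypto usages, can be checked mechanically so that a key declared for both signing and encryption is rejected. The following is an added example, not code from the thread or from any JOSE or WebCrypto implementation; it assumes the JWK spelling "sig" for the signature use (the thread writes "sign"), the WebCrypto KeyUsage names ("wrapKey"/"unwrapKey"), the member name "webcrypto_uses" from Mike's suggestion, and that deriveKey/deriveBits count as encryption-side operations.

```python
import json

# JOSE "use" value -> WebCrypto KeyUsage values it covers. "sig" is the JWK
# spelling of the signature use (the thread writes "sign"); the usage names
# follow WebCrypto. Grouping deriveKey/deriveBits under "enc" is an assumption
# made for this example.
USE_TO_USAGES = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "deriveKey", "deriveBits"},
}
USAGE_TO_USE = {u: use for use, usages in USE_TO_USAGES.items() for u in usages}


def check_key_uses(jwk_json, uses_member="webcrypto_uses"):
    """Return a list of problems with a JWK's declared uses (empty = consistent).

    Enforces the single-valued "use" rule and refuses a key whose separate
    usage array (member name assumed, after the suggestion in the thread)
    spans both the signing and the encryption role.
    """
    jwk = json.loads(jwk_json)
    problems = []

    use = jwk.get("use")
    if use is not None and not isinstance(use, str):
        problems.append('"use" must be a single JSON string, not %s' % type(use).__name__)
        use = None
    elif use is not None and use not in USE_TO_USAGES:
        # Also catches a comma-separated list such as "enc,sig".
        problems.append('unknown "use" value %r' % use)
        use = None

    usages = jwk.get(uses_member)
    if usages is None:
        return problems
    if not isinstance(usages, list) or not all(isinstance(u, str) for u in usages):
        problems.append('"%s" must be a JSON array of strings' % uses_member)
        return problems

    unknown = sorted(u for u in usages if u not in USAGE_TO_USE)
    if unknown:
        problems.append("unknown usages: %s" % ", ".join(unknown))
    roles = {USAGE_TO_USE[u] for u in usages if u in USAGE_TO_USE}
    if len(roles) > 1:
        problems.append("key declared for both signing and encryption: %s" % sorted(roles))
    if use is not None and roles - {use}:
        problems.append('usages imply %s but "use" is %r' % (sorted(roles - {use}), use))
    return problems
```

A key carrying `"use": "sig"` together with `["sign", "decrypt"]` is reported twice: once for mixing roles and once for contradicting its own "use".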