Sorry for any misunderstanding, Stephen; others had suggested the potential for interop problems (mainly Richard and Matt, I think). Not you. Although, thinking back to some recent examples of JWKs using regular base64 rather than base64url [1] now has me wondering if interop might be somewhat problematic - liberal decoders have allowed that to not be an interop problem for the parsing of JWKs, but it would definitely be a problem as part of a hash input.

I didn't respond to your suggestion of using SubjectPublicKeyInfo because it seemed like everyone else had dismissed it already. But, admittedly, it does have a certain appeal. The objection I've heard is that it might be difficult to get at or produce the SPKI in some programming environments. I'm not sure how true that is. I mostly work in Java and its not-terribly-great documentation suggests that it's trivial. Another potential objection is that SubjectPublicKeyInfo doesn't work for symmetric keys. So a different mechanism is needed there or we say they aren't supported (which has also been suggested for other reasons - but I think there's value in supporting it).

In conclusion, I'd like to reiterate my previous point: meh. ;)

[1] http://www.ietf.org/mail-archive/web/jose/current/msg04783.html & http://www.ietf.org/mail-archive/web/jose/current/msg04807.html

On Mon, Jan 26, 2015 at 8:39 AM, Stephen Farrell <[email protected]> wrote:

> On 26/01/15 15:30, Brian Campbell wrote:
> > IMHO, the fears of interoperability problems are a bit overblown.
>
> That is not the point I was making. If two sides the same hash input of any kind that has the public key and relevant parameters then you will get interop. I made no argument that there will be interop problems no matter how baroque an approach is adopted.
>
> But if you choose SPKI as the hash input you get interop and system-level benefits that you do not get with any other input. The reason being that other specifications and systems use that input. The ways in which that can be beneficial should be obvious, but e.g. some JOSE application could benefit from TLSA RRs for example and I can see how that might be useful for developers who would like to securely associate a DNS name with a public key (whenever DNSSEC is deployed for the relevant names:-).
>
> I have yet to see anyone produce a good argument against those benefits. ("Meh" doesn't count as good, though I do get, and could nearly agree with, the sentiment:-)
>
> S.
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
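The base64-versus-base64url point above, worked through as an added example (not code from the thread or from any JOSE implementation): a liberal decoder treats both alphabets as the same key, but a thumbprint that hashes the JWK member strings verbatim diverges, and re-encoding the octets canonically before hashing restores agreement. The key bytes, the function names and the `normalize` flag are constructed here for illustration.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638, Section 3.2), already in lexicographic order.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}
# Members whose values are base64url-encoded octets and therefore need normalising.
OCTET_MEMBERS = {"e", "n", "x", "y", "k"}


def b64url_decode_liberal(text):
    """Decode base64url, but also accept the standard alphabet and '=' padding, as liberal JWK parsers do."""
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(octets):
    """Canonical base64url without padding, as JWK requires."""
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def canonical_json(jwk, normalize=True):
    """Thumbprint hash input: required members only, sorted, no whitespace."""
    canon = {}
    for member in REQUIRED_MEMBERS[jwk["kty"]]:
        value = jwk[member]
        if normalize and member in OCTET_MEMBERS:
            value = b64url_encode(b64url_decode_liberal(value))  # re-encode in the canonical alphabet
        canon[member] = value
    return json.dumps(canon, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk, normalize=True):
    """SHA-256 JWK thumbprint, base64url-encoded. normalize=False hashes the member strings verbatim."""
    digest = hashlib.sha256(canonical_json(jwk, normalize).encode("utf-8")).digest()
    return b64url_encode(digest)


def same_key(a, b):
    """True when two JWKs decode to the same key octets, whatever alphabet they were written in."""
    members = [m for m in REQUIRED_MEMBERS[a["kty"]] if m in OCTET_MEMBERS]
    return a["kty"] == b["kty"] and all(b64url_decode_liberal(a[m]) == b64url_decode_liberal(b[m]) for m in members)


# Constructed key material (not a real RSA modulus), chosen so the two alphabets differ ('+/' vs '-_').
MODULUS = bytes.fromhex("fbffbf") * 8
EXPONENT = bytes.fromhex("010001")
JWK_URLSAFE = {"kty": "RSA", "n": b64url_encode(MODULUS), "e": b64url_encode(EXPONENT), "alg": "RS256"}
JWK_STANDARD = {"kty": "RSA", "n": base64.b64encode(MODULUS).decode("ascii"),
                "e": base64.b64encode(EXPONENT).decode("ascii"), "alg": "RS256"}

if __name__ == "__main__":
    print(same_key(JWK_URLSAFE, JWK_STANDARD))                                        # True: same key
    print(jwk_thumbprint(JWK_URLSAFE, False) == jwk_thumbprint(JWK_STANDARD, False))  # False: verbatim hashes differ
    print(jwk_thumbprint(JWK_URLSAFE) == jwk_thumbprint(JWK_STANDARD))                # True: equal after normalising
```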
