Add JSON Web Key to specification #135
Conversation
msporny
requested review from
dlongley,
iherman,
dmitrizagidulin,
TallTed,
mprorock,
David-Chadwick,
brianorwhatever,
decentralgabe,
OR13,
brentzundel,
mkhraisha and
awoie
There was a problem hiding this comment.
Just an editorial comment, possibly with an editorial note. It may be worth emphasizing that the publicKeyJwk having a JSON datatype means that all json terms within the target are not subject to the JSON-LD context processing. Ie, the terms like kid or alg are not mapped to any URL.
index.html
Outdated
|
|
||
| <p> | ||
| The example above is identical to the previous example, except that the | ||
| information is stored in the `secretKeyJwk` property and its value encodes the |
There was a problem hiding this comment.
hmmm... privateKeyJwk vs secretKeyJwk... Is the intention to make this work with MAC Signatures? and thats why you choose secretKeyJwk ?
There was a problem hiding this comment.
I agree that privateKeyJwk is a better name than secretKeyJwk.
There was a problem hiding this comment.
Is the intention to make this work with MAC Signatures? and thats why you choose secretKeyJwk ?
Yes, that's one of the reasons.
The other reason is due to the English definition of the word "private" vs. the English definition of the word "secret":
private: intended for or restricted to the use of a particular person, group, or class
secret: kept from knowledge or view; something kept hidden or unexplained
IOW, the word "secret", that is -- "do not share this with others", is closer to the intended usage of the property than "private", which can be misinterpreted as "its ok to share this information with a group" (which is almost never the case with a symmetric or a private key).
index.html
Outdated
| <p> | ||
| The example above is identical to the previous example, except that the | ||
| information is stored in the `secretKeyJwk` property and its value encodes the | ||
| private key value in the `d` property. |
There was a problem hiding this comment.
This seems possibly not true for all secret keys.
There was a problem hiding this comment.
this is definitely not true for all secret keys, and may yet be changing - why would we define any of this here rather than just point at rfc7517?
There was a problem hiding this comment.
There was a problem hiding this comment.
This seems possibly not true for all secret keys.
The language you are pointing to is providing a description of a specific example. It is not claiming that the example is true for all secret keys.
this is definitely not true for all secret keys, and may yet be changing - why would we define any of this here rather than just point at rfc7517?
Please re-read the /description of the example/. We are not defining anything here, merely explaining what an example is expressing.
There was a problem hiding this comment.
We should get more reviews on the secretKeyJwk part... will it be in the vocabulary? can it be used with HMAC?.
Concrete change request is to define secretKeyJwk in the vocabulary or remove the example.
I'm not attached to privateKeyJwk vs secretKeyJwk... perhapse it would be good to ask the experts on the JOSE and COSE mailing lists how they feel about this?
|
+1 @OR13 - definitely want feedback in from the jose and cose lists |
|
I agree with @iherman that Seems blocked pending #152 (review) |
There was a problem hiding this comment.
I have made some inline comments.
I must say I am lost among all the PRs that refer to various property names, anchors, ranges, etc. I am of the opinion at this point that all these PRs should be merged asap to allow for a comprehensive review of the vocabulary, domains, ranges, etc, possibly leading to new PRs. The current situation is simply too chaotic in my view.
| "@context": ["https://www.w3.org/ns/security/jwk/v1"], | ||
| "id": "did:example:123456789abcdefghi#key-1", | ||
| "type": "JsonWebKey", | ||
| "controller": "did:example:123456789abcdefghi", | ||
| "publicKeyJwk": { | ||
| "kty": "OKP", | ||
| "alg": "EdDSA" | ||
| "crv": "Ed25519", | ||
| "kid": "key-1", | ||
| "x": "_1EiHquO2aUx9JARSu0P8jdYT_OVneYxYOnOMAmUcFI", | ||
| } | ||
| } |
There was a problem hiding this comment.
Why do we need yet another context here? The definition of publicKeyJwk stipulates that its object is of datatype JSON, meaning that the properties within that object are ignored by any JSON-LD processing. If so, then I do not see any reason using a different context (which I have not seen defined anywhere).
Proposal: just use the usual security context here.
There was a problem hiding this comment.
We don't need another context here.
I will object if one is required... however, I think its fine to ship many smaller contexts from w3id.org (which is not the W3C)... IMO W3C examples should use W3C context URLs.
There was a problem hiding this comment.
Also, seems we are following a different style here than the core context, where we seem to prefer bundling, that inconsistency, feels... not good to me.
There was a problem hiding this comment.
The @vocab in the core v2 context is what is driving the need to bundle. Whenever that isn't used, bundling should be avoided (unless there's some other very good reason to do it). That's the consistent rule we're applying.
| "@context": ["https://www.w3.org/ns/security/jwk/v1"], | ||
| "id": "did:example:123456789abcdefghi#key-1", | ||
| "type": "JsonWebKey", | ||
| "controller": "did:example:123456789abcdefghi", | ||
| "secretKeyJwk": { | ||
| "kty": "OKP", | ||
| "alg": "EdDSA" | ||
| "crv": "Ed25519", | ||
| "kid": "key-1", | ||
| "d": "Q6JwjCUdThSnoxfXHSFt5C1nVFycY_ZpW7qVzK644_g", | ||
| "x": "_1EiHquO2aUx9JARSu0P8jdYT_OVneYxYOnOMAmUcFI", | ||
| } |
There was a problem hiding this comment.
Same comment as above. Except that we use here secretKeyJwk, but I presume the range of that property is also JSON
There was a problem hiding this comment.
Same response as above, yes, range is JSON.
|
PR #152 has been merged into this PR. It has been two weeks since we asked for feedback from the COSE mailing list (and no feedback has been given). If we get feedback in the future, we can always raise an issue and modify this via a future PR. In the meantime, this PR needs to go in so we have the appropriate anchors to finish up the vocabulary and JSON Web Key sections of the specification. |
Co-authored-by: Ivan Herman <[email protected]>
Co-authored-by: Ted Thibodeau Jr <[email protected]>
Co-authored-by: Orie Steele <[email protected]>
Co-authored-by: Dmitri Zagidulin <[email protected]>
Co-authored-by: Dave Longley <[email protected]>
Co-authored-by: Ted Thibodeau Jr <[email protected]>
msporny
force-pushed
the
msporny-json-web-key
branch
from
cf9f708 to
1852514
Compare
|
Normative, multiple reviews, changes requested and made, no objections, merging. |
This PR addresses issue #130 and issue #73 by adding the
JsonWebKeytype to the specification and the vocabulary, and ensuring that the range ofpublicKeyJwkis JSON. This value was going to be defined in the JsonWebSignature2020 specification, but since that specification has been pulled, we have to define it somewhere else and the Data Integrity specification is probably the best place for it since it also defined controller documents and verification methods.Preview | Diff