This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26348 - Allow JWK for PBKDF2
Status: RESOLVED WONTFIX
Alias: None
Product: Web Cryptography
Classification: Unclassified
Component: Web Cryptography API Document
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Ryan Sleevi
Reported: 2014-07-16 03:46 UTC by Richard Barnes
Modified: 2014-09-24 01:22 UTC

Description Richard Barnes 2014-07-16 03:46:51 UTC
The current spec forbids the use of JWK for import of keys to PBKDF2.  This is unnecessarily restrictive, since a JWK containing only "kty" and "k" elements is valid and equivalent to a raw key.
Comment 1 Ryan Sleevi 2014-07-16 03:56:18 UTC
From the point of view of a "JOSE" JWK, I don't think this is a good idea. JOSE intentionally doesn't provide PBKDF2 as a valid kty; the key algorithm is only used with the CEK, and associated by alg, not kty. Additionally, rather than store the security parameters on the JWK, they're part of the JWE's header parameters.

It's not "unnecessarily restrictive", it's "not defined because it's undefined for JWK".

If you feel strongly about this, then I think you'll need to propose text to the WG for adoption. It certainly seems like it involves new registrations with JWA.
Comment 2 Mark Watson 2014-09-22 18:00:36 UTC
I think we should live with the existing text here. If necessary the script can extract the raw key from the JWK itself and import that.
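
The workaround suggested in comment 2, sketched as an added example; it is not part of the original bug thread or of the specification. The function names, the sample JWK, and the SHA-256 hash choice are assumptions made for illustration. The PBKDF2 parameters (salt, iterations, hash) are supplied at derivation time and never read from the JWK.

```javascript
// Constructed sample: a JWK holding only "kty" and "k", as in the description.
// "k" is the unpadded base64url encoding of the ASCII bytes "correct horse".
const SAMPLE_JWK = { kty: "oct", k: "Y29ycmVjdCBob3JzZQ" };

// Extract the raw octets from a symmetric ("oct") JWK.
// Rejects anything that is not a symmetric key or not valid base64url.
function jwkToRawKeyBytes(jwk) {
  if (!jwk || jwk.kty !== "oct" || typeof jwk.k !== "string") {
    throw new TypeError('expected a JWK with kty "oct" and a string "k"');
  }
  if (!/^[A-Za-z0-9_-]+$/.test(jwk.k) || jwk.k.length % 4 === 1) {
    throw new TypeError('"k" is not valid unpadded base64url');
  }
  // Map the URL-safe alphabet back to standard base64 and restore padding.
  const b64 = jwk.k.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Import the extracted octets as a non-extractable PBKDF2 base key
// using the "raw" format instead of "jwk".
async function importJwkForPbkdf2(jwk, subtle = globalThis.crypto.subtle) {
  const raw = jwkToRawKeyBytes(jwk);
  try {
    return await subtle.importKey("raw", raw, "PBKDF2", false, [
      "deriveBits",
      "deriveKey",
    ]);
  } finally {
    raw.fill(0); // do not leave the secret in script-visible memory
  }
}

// Derive 256 bits from the JWK-carried secret; salt and iterations are
// chosen by the caller (assumption: SHA-256 as the PRF hash).
async function deriveFromJwk(jwk, salt, iterations, subtle = globalThis.crypto.subtle) {
  const key = await importJwkForPbkdf2(jwk, subtle);
  const bits = await subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    key,
    256
  );
  return new Uint8Array(bits);
}
```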