PKCS #11 for JSON Web Keys
draft-mccallum-jose-pkcs11-jwk-00

Internet Engineering Task Force                              N. McCallum
Internet-Draft                                             Red Hat, Inc.
Updates: 7517 (if approved)                                June 30, 2017
Intended status: Standards Track
Expires: January 1, 2018

                       PKCS #11 for JSON Web Keys
                   draft-mccallum-jose-pkcs11-jwk-00

Abstract

   This document updates RFC 7517 in order to specify an extension to
   the JSON Web Key (JWK) format so that private key material may be
   stored in cryptographic hardware using PKCS #11.  It defines a new
   property for JWKs which contains the PKCS #11 URI identifying the
   location of the private key material.  Implementations can use this
   URI to offload the cryptographic operations to the identified
   hardware.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

McCallum                 Expires January 1, 2018                [Page 1]
Internet-Draft              PKCS #11 for JWK                   June 2017

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Document Conventions  . . . . . . . . . . . . . . . . . . . .   2
   3.  JWK PKCS #11 URI Property . . . . . . . . . . . . . . . . . .   2
   4.  Implementation Considerations . . . . . . . . . . . . . . . .   3
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   JSON Web Key (JWK) [RFC7517] defines a format for keys which can be
   used to perform cryptographic operations.  When these JWKs contain
   private key material, illegitimate access to this material creates
   the possibility for wide-scale security compromise.

   As a defensive strategy, other key formats offload their private key
   material to cryptographic hardware or other secure storage using
   PKCS #11.  The locations of these keys are communicated using PKCS
   #11 URIs [RFC7512].  Therefore, this document defines a method to
   replace the private key material of a JWK with a PKCS #11 URI.

2.  Document Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  JWK PKCS #11 URI Property

   JWKs that wish to offload their private key material using PKCS #11
   will provide a JSON property named "p11" instead of the private key
   material.  The "p11" property MUST contain a valid PKCS #11 URI
   [RFC7512] that points to a private key object (that is,
   type=private).

   Private key material is defined by the Parameter Information Class of
   Section 8.1.1 of RFC 7517 [RFC7517].  JWKs MUST NOT provide both the
   "p11" property and other private key material.  However,
   implementations SHOULD provide full public key material appropriate
   to the key type.  This enables implementations to perform public key
   cryptographic operations without consulting PKCS #11.
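   The following checker is an added example, not code from the draft or
   its author: it parses the path attributes of an RFC 7512 URI and
   verifies the three rules above for an RSA or EC JWK (a "p11" URI
   with type=private, no private parameters beside it, and the public
   parameters present).  The token name, object label and coordinates in
   the sample JWK are constructed placeholders.

```python
from urllib.parse import unquote

# Private parameters per key type (RFC 7517 Section 8.1.1 / RFC 7518):
# these MUST NOT appear beside "p11".
PRIVATE_PARAMS = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}, "EC": {"d"}}
# Public parameters that SHOULD accompany "p11" so verify/encrypt work
# without consulting PKCS #11.
PUBLIC_PARAMS = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}}


def pkcs11_path_attrs(uri):
    """Return the RFC 7512 path attributes (token, object, type, ...) of a
    pkcs11: URI as a dict; query attributes after '?' are ignored."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for item in filter(None, uri[7:].partition("?")[0].split(";")):
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError("malformed path attribute: %r" % item)
        attrs[name] = unquote(value)  # RFC 7512 uses percent-encoding
    return attrs


def check_p11_jwk(jwk):
    """Return the draft's rules that a JWK violates (empty list == OK)."""
    kty = jwk.get("kty")
    if kty not in PRIVATE_PARAMS:
        return ["unsupported or missing kty"]
    if "p11" not in jwk:
        return ["no p11 property"]
    problems = []
    try:
        if pkcs11_path_attrs(jwk["p11"]).get("type") != "private":
            problems.append("p11 URI must point to type=private")
    except ValueError as e:
        problems.append("bad p11 URI: %s" % e)
    leaked = PRIVATE_PARAMS[kty] & set(jwk)  # MUST NOT: private material
    if leaked:
        problems.append("private material beside p11: %s" % sorted(leaked))
    missing = PUBLIC_PARAMS[kty] - set(jwk)  # SHOULD: public material
    if missing:
        problems.append("public params missing (SHOULD): %s" % sorted(missing))
    return problems


# Constructed sample: EC P-256 key whose private scalar lives in a token;
# every value below is a placeholder, not a real key or token.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "x-placeholder",
               "y": "y-placeholder",
               "p11": "pkcs11:token=Example%20Token;object=jwk-demo;type=private"}
```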


4.  Implementation Considerations

   The PKCS #11 URI standard provides mappings to URI format for most
   metadata attributes available over PKCS #11.  Some of these
   attributes may differ based on operating system, driver or even
   hardware implementations.  The generation of URIs which can only be