Re: [apps-discuss] a new web security list
Joe Hildebrand <joe.hildebrand@webex.com> Mon, 21 February 2011 18:06 UTC
From: Joe Hildebrand <joe.hildebrand@webex.com>
To: Hannes Tschofenig <hannes.tschofenig@nsn.com>, ext Graham Klyne <GK@ninebynine.org>, Peter Saint-Andre <stpeter@stpeter.im>, "woes@ietf.org" <woes@ietf.org>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Date: Mon, 21 Feb 2011 11:07:06 -0700
Subject: Re: [apps-discuss] a new web security list
Message-ID: <C987F7DA.4AB41%joe.hildebrand@webex.com>
In-Reply-To: <C988054D.2475%hannes.tschofenig@nsn.com>
And we should take this discussion to the WOES list, please. There are now
subscribers there that are not on apps-discuss.

On 2/21/11 3:04 AM, "Hannes Tschofenig" <hannes.tschofenig@nsn.com> wrote:

> Maybe the charter text writeup I did earlier this year may help you:
>
> -----
>
> JSON Cryptographic Syntax and Processing
>
> Background
>
> JSON (an acronym for JavaScript Object Notation) is a text format for the
> serialization of structured data. It is derived from the JavaScript
> programming language for representing simple data structures and associative
> arrays, called objects. Despite its relationship to JavaScript, it is
> language-independent, with parsers available for almost every programming
> language.
>
> The JSON format is described in RFC 4627 and builds on two structures:
> * A collection of name/value pairs. In various languages, this is realized
>   as an object, record, struct, dictionary, hash table, keyed list, or
>   associative array.
> * An ordered list of values. In most languages, this is realized as an
>   array, vector, list, or sequence.
>
> The JSON format is often used for serializing and transmitting structured
> data over a network connection. It was initially used in the Web environment
> to transmit data between a server and web application, serving as an
> alternative to XML. Now, JSON is being used in various other protocols as
> well.
>
> With the increased usage of JSON in protocols there is now also the desire
> to offer security services, such as encryption and message signing, for
> JSON encoded data. Different proposals for providing these security services
> have been defined and implemented. Examples are: JSON Web Token [JWT],
> Simple Web Tokens [SWT], Magic Signatures [MagicSignatures], JSON Simple
> Sign [JSS].
>
> This working group aims to develop specifications to standardize these
> security services for JSON encoded data to improve interoperability, and to
> increase confidence in the offered security functionality based on the
> expert review process utilized in the IETF. Future work in the group could
> include support for other security services. Re-chartering of the group is,
> however, required.
>
> This working group aims to re-use well-defined concepts from Cryptographic
> Message Syntax (CMS) [CMS], XML Digital Signature [XMLDSIG] and XML
> Encryption [XMLENC]. Since this work is within the realm of the security
> domain, respective experts will be involved.
>
> References
>
> [JWT] M. Jones, et al. "JSON Web Token (JWT)",
> draft-jones-json-web-token-01, January 2011. Available at
> http://self-issued.info/docs/draft-jones-json-web-token.html.
>
> [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", September
> 2010.
>
> [MagicSignatures] Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic
> Signatures", August 2010.
>
> [SWT] Hardt, D. and Y. Goland, "Simple Web Token (SWT)", Version 0.9.5.1,
> November 2009.
>
> [XMLDSIG] W3C, "XML Signature Syntax and Processing (Second Edition)",
> available at http://www.w3.org/TR/xmldsig-core/, Jun. 2008.
>
> [XMLENC] W3C, "XML Encryption Syntax and Processing", available at
> http://www.w3.org/TR/xmlenc-core/, Dec. 2002.
>
> [CMS] R. Housley, "Cryptographic Message Syntax", RFC 3852, Jul. 2004.
>
> Deliverables
>
> A document illustrating how to digitally sign arbitrary JSON encoded data.
> This document shall be Standards Track.
>
> A document illustrating how to encrypt arbitrary JSON encoded data. This
> document shall be Standards Track.
>
> Goals and Milestones
>
> Dec 2010 Submit initial document on JSON object signing as individual
> submission.
>
> Feb 2011 Submit initial document on JSON object encryption as individual
> submission.
>
> Mar 2011 Hold a BOF at IETF#80 (Prague).
>
> May 2011 Formation of a working group
>
> Jul 2011 Submit JSON object signing document as a WG item.
>
> Jul 2011 Submit JSON object encryption document as a WG item.
>
> Dec 2011 Start Working Group Last Call on JSON object signing document.
>
> Dec 2011 Start Working Group Last Call on JSON object signing document.
>
> Feb 2012 Submit JSON object signing document to IESG for consideration as
> Standards Track document.
>
> Feb 2012 Submit JSON object encryption document to IESG for consideration
> as Standards Track document.
>
> -------
>
>
> On 2/20/11 8:32 PM, "ext Graham Klyne" <GK@ninebynine.org> wrote:
>
>> Peter,
>>
>> I'm rather puzzled by your description.
>>
>> Using "JSON to provide security services" seems a bit like "using gasoline to
>> provide transportation services". I.e., it has a part to play, but doesn't
>> seem to be more than a bit-part player in the whole service provision issue.
>>
>> In providing security services, I would expect the encoding syntax of the
>> service to be the easy bit. Determining the trust and service models is
>> harder, and that should stand independently of (say) JSON, no?
>>
>> #g
>> --
>>
>> Peter Saint-Andre wrote:
>>> Folks, a dedicated list has been established for discussion about
>>> requirements and potential implementation of JSON to provide security
>>> services for Web-based applications. You can subscribe here:
>>>
>>> https://www.ietf.org/mailman/listinfo/woes
>>>
>>> Peter
>>>
>>> _______________________________________________
>>> apps-discuss mailing list
>>> apps-discuss@ietf.org
>>> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Joe Hildebrand
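The quoted charter asks for a standard way to sign arbitrary JSON, and Graham's reply notes that the encoding syntax is the easy part while the trust model is the hard part. The following is an added illustration of that split, not code from this thread or from any of the cited drafts: it signs a JSON object with HMAC-SHA256 in a JWT-style compact form (base64url header, base64url payload, base64url MAC, joined by dots; that layout and the `alg`/`kid` header names are assumptions for the example), and keeps every trust decision (which keys are accepted, which algorithm is allowed) in the verifier rather than in the token. The key table and the sample payload are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used by the JSON token proposals the charter cites."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key store for the example: key id -> shared secret.
# Which keys are trusted is a policy decision that lives outside the
# token syntax; the syntax only carries a key id to look up.
TRUSTED_KEYS = {"k1": b"constructed-demo-secret-do-not-reuse"}

def canonical_json(obj: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")

def sign_json(payload: dict, kid: str) -> str:
    """Produce header.payload.signature over the JSON payload with key `kid`."""
    key = TRUSTED_KEYS[kid]
    header = {"alg": "HS256", "kid": kid}  # assumed header names for the example
    h = b64url(canonical_json(header))
    p = b64url(canonical_json(payload))
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(mac)}"

def verify_json(token: str) -> Optional[dict]:
    """Return the payload if the token verifies under a trusted key, else None.

    The header is attacker-controlled until the MAC has been checked, so the
    verifier pins the algorithm it accepts and refuses unknown key ids instead
    of taking either from the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON/UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        payload = json.loads(b64url_decode(p))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None

if __name__ == "__main__":
    tok = sign_json({"sub": "alice", "n": 1}, "k1")  # constructed payload
    print(tok)
    print(verify_json(tok))
```

The signing and verification code is a few dozen lines; everything that actually decides whether the signature means anything (the contents of `TRUSTED_KEYS`, the pinned `alg`, how key ids are issued and revoked) is outside the JSON format, which is the point Graham makes above.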