Re: [apps-discuss] a new web security list
Hannes Tschofenig <hannes.tschofenig@nsn.com> Mon, 21 February 2011 10:04 UTC
Date: Mon, 21 Feb 2011 12:04:29 +0200
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: ext Graham Klyne <GK@ninebynine.org>, Peter Saint-Andre <stpeter@stpeter.im>
Message-ID: <C988054D.2475%hannes.tschofenig@nsn.com>
In-Reply-To: <4D615E2B.4020402@ninebynine.org>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] a new web security list
Maybe the charter text writeup I did earlier this year may help you:

-----

JSON Cryptographic Syntax and Processing

Background

JSON (an acronym for JavaScript Object Notation) is a text format for the serialization of structured data. It is derived from the JavaScript programming language for representing simple data structures and associative arrays, called objects. Despite its relationship to JavaScript, it is language-independent, with parsers available for almost every programming language.

The JSON format is described in RFC 4627 and builds on two structures:

* A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.

* An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.

The JSON format is often used for serializing and transmitting structured data over a network connection. It was initially used in the Web environment to transmit data between a server and web application, serving as an alternative to XML. Now, JSON is being used in various other protocols as well.

With the increased usage of JSON in protocols there is now also the desire to offer security services, such as encryption and message signing, for JSON encoded data. Different proposals for providing these security services have been defined and implemented. Examples are: JSON Web Token [JWT], Simple Web Tokens [SWT], Magic Signatures [MagicSignatures], JSON Simple Sign [JSS].

This working group aims to develop specifications to standardize these security services for JSON encoded data to improve interoperability, and to increase confidence in the offered security functionality based on the expert review process utilized in the IETF. Future work in the group could include support for other security services. Re-chartering of the group is, however, required.

This working group aims to re-use well-defined concepts from Cryptographic Message Syntax (CMS) [CMS], XML Digital Signature [XMLDSIG] and XML Encryption [XMLENC]. Since this work is within the realm of the security domain, respective experts will be involved.

References

[JWT] M. Jones, et al., "JSON Web Token (JWT)", draft-jones-json-web-token-01, January 2011. Available at http://self-issued.info/docs/draft-jones-json-web-token.html.

[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", September 2010.

[MagicSignatures] Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic Signatures", August 2010.

[SWT] Hardt, D. and Y. Goland, "Simple Web Token (SWT)", Version 0.9.5.1, November 2009.

[XMLDSIG] W3C, "XML Signature Syntax and Processing (Second Edition)", available at http://www.w3.org/TR/xmldsig-core/, Jun. 2008.

[XMLENC] W3C, "XML Encryption Syntax and Processing", available at http://www.w3.org/TR/xmlenc-core/, Dec. 2002.

[CMS] R. Housley, "Cryptographic Message Syntax", RFC 3852, Jul. 2004.

Deliverables

A document illustrating how to digitally sign arbitrary JSON encoded data. This document shall be Standards Track.

A document illustrating how to encrypt arbitrary JSON encoded data. This document shall be Standards Track.

Goals and Milestones

Dec 2010  Submit initial document on JSON object signing as individual submission.
Feb 2011  Submit initial document on JSON object encryption as individual submission.
Mar 2011  Hold a BOF at IETF#80 (Prague).
May 2011  Formation of a working group.
Jul 2011  Submit JSON object signing document as a WG item.
Jul 2011  Submit JSON object encryption document as a WG item.
Dec 2011  Start Working Group Last Call on JSON object signing document.
Dec 2011  Start Working Group Last Call on JSON object signing document.
Feb 2012  Submit JSON object signing document to IESG for consideration as Standards Track document.
Feb 2012  Submit JSON object encryption document to IESG for consideration as Standards Track document.
-------

On 2/20/11 8:32 PM, "ext Graham Klyne" <GK@ninebynine.org> wrote:

> Peter,
>
> I'm rather puzzled by your description.
>
> Using "JSON to provide security services" seems a bit like "using gasoline to
> provide transportation services". I.e., it has a part to play, but doesn't seem
> to be more than a bit-part player in the whole service provision issue.
>
> In providing security services, I would expect the encoding syntax of the
> service to be the easy bit. Determining the trust and service models is harder,
> and that should stand independently of (say) JSON, no?
>
> #g
> --
>
> Peter Saint-Andre wrote:
>> Folks, a dedicated list has been established for discussion about
>> requirements and potential implementation of JSON to provide security
>> services for Web-based applications. You can subscribe here:
>>
>> https://www.ietf.org/mailman/listinfo/woes
>>
>> Peter
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> apps-discuss mailing list
>> apps-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/apps-discuss
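The charter's first deliverable, signing arbitrary JSON encoded data, is what the cited JWT, SWT, JSS and Magic Signatures proposals each attempt in their own way. The following is an added example, not code from this message, from the IETF, or from any of the cited drafts: a minimal sign/verify pair in Python modeled on the compact "header.payload.signature" form the JWT draft describes, using base64url encoding and HMAC-SHA256 (the draft's "HS256"). The key, the claims and the helper names are constructed for illustration; the verifier pins the algorithm to what the key is for rather than trusting the token's own header, which is the check a practitioner most wants to see in a scheme like this.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; in practice this comes from key management.
EXAMPLE_KEY = b"constructed-example-key-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    # base64url without trailing "=" padding, as the JWT draft's compact form uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped; raises ValueError on bad input
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    # Fixed separators so the same object always yields the same bytes to sign
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_json(payload: dict, key: bytes) -> str:
    """Return header.payload.signature over an arbitrary JSON object (HS256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    header_b64 = b64url_encode(_compact_json(header))
    payload_b64 = b64url_encode(_compact_json(payload))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(tag)}"


def verify_json(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the token's MAC is valid for `key`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        actual = b64url_decode(sig_b64)
    except ValueError:
        return None  # malformed base64url or JSON
    # The key decides the algorithm; a header claiming "none" or RS256 must fail
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so MAC checking does not leak timing
    if not hmac.compare_digest(expected, actual):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    claims = {"sub": "alice", "admin": False}
    token = sign_json(claims, EXAMPLE_KEY)
    print(token)
    print(verify_json(token, EXAMPLE_KEY))           # the claims back
    print(verify_json(token, b"some-other-key"))     # None
```

The shape is deliberately the charter's point: the encoding is the easy part (three base64url segments and one MAC), while the trust decisions live in the verifier, which rejects any token whose header asks for an algorithm other than the one the supplied key is meant for, and only parses the payload after the MAC has been checked.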