IETF Logo Mail Archive

Re: [COSE] Consensus Call: Adoption of the COSE Token

Justin Richer <jricher@mit.edu> Mon, 23 November 2015 02:49 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AF2C1B2E87 for <cose@ietfa.amsl.com>; Sun, 22 Nov 2015 18:49:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.785
X-Spam-Level:
X-Spam-Status: No, score=-4.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QDY0nyVza2Nu for <cose@ietfa.amsl.com>; Sun, 22 Nov 2015 18:49:27 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B091B2E83 for <cose@ietf.org>; Sun, 22 Nov 2015 18:49:27 -0800 (PST)
X-AuditID: 1209190c-f79c96d00000038e-01-56527eb5155e
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id E2.1D.00910.5BE72565; Sun, 22 Nov 2015 21:49:25 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id tAN2nPkL021218; Sun, 22 Nov 2015 21:49:25 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id tAN2nNpd009321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 22 Nov 2015 21:49:24 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_AD154158-163A-4EEA-A5CF-E63B6E9993C4"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <80EA3B4B-6FF2-42F4-8379-0C5D9E4ADE7A@gmail.com>
Date: Sun, 22 Nov 2015 21:49:22 -0500
Message-Id: <36721D13-3C9A-4939-82CA-1A0CF1390840@mit.edu>
References: <B163C432-E13C-4D35-B86B-066C1365232A@mit.edu> <7505C89A-FCA1-4AD6-93F6-BDE3517AF1B4@mit.edu> <C956700F-1FE3-45C4-AF85-000A7A16F90B@nexusgroup.com> <80EA3B4B-6FF2-42F4-8379-0C5D9E4ADE7A@gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOKsWRmVeSWpSXmKPExsUixCmqrLu1LijM4FqjlcW0rVNZLY7tWsxm 0bAz34HZY+esu+weS5b8ZPLYev83YwBzFJdNSmpOZllqkb5dAlfGnN3/GAvWFVecbtrN2sDY ldjFyMkhIWAisfjTbTYIW0ziwr31QDYXh5DAYiaJTZu/sUA4GxklDt9uZASpEhJ4yCSxr18T xGYWSJA4dbUBrJtXQE/i1a3LrCC2sICdxKql08HibAKqEtPXtDB1MXJwcArYSjROdgAxWYDC nXcCIKYUS+z63MICMcVKYmX3MnaITRcYJdrXVIPYIgIWEmuav0HdKSux+/cjpgmMArOQHDEL yREQcW2JZQtfM0PYmhL7u5ezYIprSHR+m8i6gJFtFaNsSm6Vbm5iZk5xarJucXJiXl5qka6h Xm5miV5qSukmRnD4S/LsYHxzUOkQowAHoxIPr4Z+UJgQa2JZcWXuIUZJDiYlUd4bZkAhvqT8 lMqMxOKM+KLSnNTiQ4wSHMxKIrzPM4ByvCmJlVWpRfkwKWkOFiVx3rlffMOEBNITS1KzU1ML UotgsjIcHEoSvPa1QI2CRanpqRVpmTklCGkmDk6Q4TxAw1VAaniLCxJzizPTIfKnGBWlxHk/ 1AAlBEASGaV5cL2g9JTw9rDpK0ZxoFeEeYtB2nmAqQ2u+xXQYCagwUdKAkEGlyQipKQaGJcc 7o7boPYy/gujwf85zpLBGg2/DG7YSYe92VpbHOPtFn3V1K3w+eFCNaa1SRG/FW1EZE69Di6O qvzpF7BnwaMrSuVJIbX17VnfRLbdfd90NonH6V3vzrXnAp6uP3760MZGg7emM6bqbi7ccmad X6pCmNKvuPdKBX+S/p9Mkgtc9DZodkZSoBJLcUaioRZzUXEiAMJaDh0qAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/QGgDz_VTe854h6IXY9erDdLsi3A>
Cc: Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com>, "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] Consensus Call: Adoption of the COSE Token
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2015 02:49:30 -0000

Thanks, Kathleen, and thanks to everyone who contributed to the discussion.

The discussion and development of this work will continue in ACE. 

I also propose that we name this work the “COSE Token” instead of “COSE Web Token", because it has very little to do with the web. In fact, CBOR needs to be encoded somehow to fit into HTTP components anyway, and the COSE Token will not likely define such encodings.

Thanks,
 — Justin, your COSE chair

> On Nov 22, 2015, at 8:43 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Hello,
> 
> Looking across the three WGs, there are good arguments for doing the work in each, but ACE would be the best WG for a few reasons.
> 
> COSE is supposed to be short-lived, let's keep it that way.
> 
> OAUTH has a full plate, although they tend to be very productive.
> 
> ACE has just become more focused and I think this could fit well once the OAUTH solution work is underway.
> 
> There's enough overlap for this to happen in any of the WGs.
> 
> Thanks for the discussion, I was waiting to chime in until it was hashed out a bit to see if there was any overwhelming consensus without influencing the outcome.  Now that it has quieted down, ACE is probably the best plan.
> 
> Thanks,
> Kathleen 
> 
> Sent from my iPhone
> 
> On Nov 22, 2015, at 4:25 PM, Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com <mailto:erik.wahlstrom@nexusgroup.com>> wrote:
> 
>> Hi,
>> 
>> Yes, we have a draft posted in the OAuth WG for a CBOR Web Token (CWT). https://tools.ietf.org/id/draft-wahlstroem-oauth-cbor-web-token-00.txt <https://tools.ietf.org/id/draft-wahlstroem-oauth-cbor-web-token-00.txt> 
>> 
>> We want to keep it there and reference the JWT claims (also defined in OAuth WG) and later add attributes needed for authentication and authorization for IoT to JWT/CWT in ACE WG.
>> 
>> Thanks
>> Erik
>> 
>> 
>> 
>>> On 21 Nov 2015, at 18:39, Justin Richer <jricher@MIT.EDU <mailto:jricher@MIT.EDU>> wrote:
>>> 
>>> Reading through the threads an opinions, there is no clear consensus as to where the work should be done. There is roughly equal support for doing this in any of the three offered working groups.
>>> 
>>> There is clear consensus that it should be done and that, as much as possible, it should be a direct map of the existing JWT payload object and common claims. 
>>> 
>>> In this light, someone needs to just start the work as an individual draft and push forward, and whichever working group most wants to can pick it up and publish it. I have no qualms on accepting this work within the COSE working group and I believe there is enough support to warrant that placement if an author submits a draft here (and this remains my preference as an individual), but I will not object to another group picking it up.
>>> 
>>> I believe, with all of the overlap between groups, that we will have no trouble getting the “right people” to look at it. Additionally, it is clear that it will be very beneficial to have formal reviews from all three groups once the draft has reached a mature status. 
>>> 
>>> Thankfully, Erik has already done this with his “COSE Web Token” draft. He’s initially targeted this at the OAuth working group, and the work started in ACE, so I call to the author to pick a location and run with it.
>>> 
>>> — Justin, your COSE chair
>>> 
>>>> On Nov 7, 2015, at 3:01 AM, Justin Richer <jricher@MIT.EDU <mailto:jricher@MIT.EDU>> wrote:
>>>> 
>>>> At the Yokohama meeting, the chairs agreed to do a consensus call regarding the adoption and placement of new work to define a COSE Token, analogous to the JWT from JOSE. In the room, there was a general sentiment of support for the work being done, with the wide adoption of JWT and its driving of JOSE being a common theme of precedent. What wasn’t clear is where the work should be done and to what end it should drive. The six positions we are asking the working group to consider and voice their support for are:
>>>> 
>>>> A) Define the COSE Token within the COSE working group along side the COSE Messages (and potentially COSE Auxiliary Algorithms) draft.
>>>> B) Define the COSE Token inside the OAuth working group.
>>>> C) Define the COSE Token inside the ACE working group.
>>>> D) Don’t define the COSE Token anywhere.
>>>> E) You need more information to decide.
>>>> F) You don’t give a flying rat about the COSE Token.*
>>>> 
>>>> The consensus call will remain open for two weeks from today, closing on November 21, 2015; at which time, hopefully we will have a clear answer and direction to point this work.
>>>> 
>>>> Thank you,
>>>> — Justin & Kepeng, your COSE chairs
>>>> 
>>>> * I promised those in the room at Yokohama to offer a flying rat option, for which I am deeply sorry.
>>>> _______________________________________________
>>>> COSE mailing list
>>>> COSE@ietf.org <mailto:COSE@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/cose <https://www.ietf.org/mailman/listinfo/cose>
>>> 
>>> _______________________________________________
>>> COSE mailing list
>>> COSE@ietf.org <mailto:COSE@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/cose <https://www.ietf.org/mailman/listinfo/cose>
>> 
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org <mailto:COSE@ietf.org>
>> https://www.ietf.org/mailman/listinfo/cose <https://www.ietf.org/mailman/listinfo/cose>

v2.23.0 | Report a Bug | By Email