Re: [COSE] Consensus Call: Adoption of the COSE Token

Mike Jones <Michael.Jones@microsoft.com> Fri, 13 November 2015 02:08 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/QeH3WZ18XZv3Fngu9Am0zjVGnx0>

I personally believe that the core CBOR Web Token (CWT) spec should define equivalents of the same seven general-purpose claims that JSON Web Token (JWT) http://tools.ietf.org/html/rfc7519 defined (iss, sub, aud, exp, nbf, iat, and jti), define the CWT Claims Registry, and stop there.  Keeping the target simple in that manner means that this could get done VERY quickly.

Then applications, such as ACE protocols and applications, could define additional claims used by those applications and register them in the CWT Claims Registry.  Keeping the general-purpose and application-specific claim definitions in different specs is important to having CWT be a general-purpose spec, rather than being viewed as being slanted towards a particular application or application area.  It also means it will get done much faster.

IoT/ACE expertise is critical for defining the supplemental IoT/ACE claims.  It's unnecessary for developing the base CWT spec.  Whereas the expertise that created JWT, which we'd be doing a functional clone of, is in the OAuth working group.  Therefore, I believe the best answer is:

B) Define the COSE Token inside the OAuth working group.

				-- Mike

P.S.  For those wanting to wrap their heads around what we're concretely talking about, Erik Wahlström was kind enough to write a first draft https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00, with some input from Hannes and myself.

-----Original Message-----
From: COSE [mailto:cose-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, November 09, 2015 1:38 AM
To: Justin Richer; cose@ietf.org
Subject: Re: [COSE] Consensus Call: Adoption of the COSE Token

Hi Justin, Hi Kepeng,

I believe the participants of the Yokohama IETF meeting already decided against (D) with their agreement that this work is important.

In terms of expertise I believe COSE, OAuth, and ACE would be in a good position. While OAuth is currently in a re-chartering process (as you know) there is a lot of work on the plate already even though it is distributed over a number of folks. Furthermore, there also seems to be a strong overlap between the participants of the ACE and the COSE working group whereby I believe that we have more participants in ACE than in COSE since the scope is much broader.

Ultimately we are doing something very simple here: we are copying the JSON encoded claims to CBOR encoded claims.

I believe that the AD should decide about where the work goes.

Ciao
Hannes


On 11/07/2015 09:01 AM, Justin Richer wrote:
> At the Yokohama meeting, the chairs agreed to do a consensus call regarding the adoption and placement of new work to define a COSE Token, analogous to the JWT from JOSE. In the room, there was a general sentiment of support for the work being done, with the wide adoption of JWT and its driving of JOSE being a common theme of precedent. What wasn’t clear is where the work should be done and to what end it should drive. The six positions we are asking the working group to consider and voice their support for are:
> 
> A) Define the COSE Token within the COSE working group alongside the COSE Messages (and potentially COSE Auxiliary Algorithms) draft.
> B) Define the COSE Token inside the OAuth working group.
> C) Define the COSE Token inside the ACE working group.
> D) Don’t define the COSE Token anywhere.
> E) You need more information to decide.
> F) You don’t give a flying rat about the COSE Token.*
> 
> The consensus call will remain open for two weeks from today, closing on November 21, 2015; at which time, hopefully we will have a clear answer and direction to point this work.
> 
> Thank you,
>  — Justin & Kepeng, your COSE chairs
> 
> * I promised those in the room at Yokohama to offer a flying rat option, for which I am deeply sorry.