Re: [COSE] Consensus Call: Adoption of the COSE Token

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 23 November 2015 01:43 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69561B2C61 for <cose@ietfa.amsl.com>; Sun, 22 Nov 2015 17:43:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Level:
X-Spam-Status: No, score=-1.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hp2vgtUrKMaU for <cose@ietfa.amsl.com>; Sun, 22 Nov 2015 17:43:49 -0800 (PST)
Received: from mail-vk0-x22c.google.com (mail-vk0-x22c.google.com [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EF561B2C58 for <cose@ietf.org>; Sun, 22 Nov 2015 17:43:49 -0800 (PST)
Received: by vkha189 with SMTP id a189so28629815vkh.2 for <cose@ietf.org>; Sun, 22 Nov 2015 17:43:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GNn/AAQGHWOXX8HHzjpIOgtMlhSHmUWgFY8pyI2Vusc=; b=oi1y5CsUw8PF8yAtf3YjNujxmXCub37ZGKdCl24OW/fQkWk2KEUiqSjjmhx8iAywqA da/PKFD93eMbNF6+B0UZmjbODnauBkR15NBosgnyBhpcklom1fdsH1LiQ/kItmxC+O0v skUXVzaRwQKb9axzxjT00mbtJGIdU/1frX1i67jvAX7l5dZWul4hGNMg6K/rjtscw9fe enTNEW64tOteGGz7Oh99KdyktyG+e5TIJxVcjYo6Eg8+giK4WKd+gRiDz1HexAzbFl40 JiYnk7DQYqwtd8Lpfwm93S695PXNhigxAt0GiTSrTQWzCs/aK62t/ClYPJ+Mt0+VANkY p+Kw==
X-Received: by 10.31.180.205 with SMTP id d196mr14170926vkf.146.1448243028643; Sun, 22 Nov 2015 17:43:48 -0800 (PST)
Received: from [172.20.3.0] ([65.200.157.66]) by smtp.gmail.com with ESMTPSA id w125sm8934955vke.13.2015.11.22.17.43.47 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 22 Nov 2015 17:43:47 -0800 (PST)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-6D8EC28B-4960-4120-866E-BAD23D6B5E8D
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (12H143)
In-Reply-To: <C956700F-1FE3-45C4-AF85-000A7A16F90B@nexusgroup.com>
Date: Sun, 22 Nov 2015 20:43:46 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <80EA3B4B-6FF2-42F4-8379-0C5D9E4ADE7A@gmail.com>
References: <B163C432-E13C-4D35-B86B-066C1365232A@mit.edu> <7505C89A-FCA1-4AD6-93F6-BDE3517AF1B4@mit.edu> <C956700F-1FE3-45C4-AF85-000A7A16F90B@nexusgroup.com>
To: =?utf-8?Q?Erik_Wahlstr=C3=B6m_neXus?= <erik.wahlstrom@nexusgroup.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/dSumyNTeuX1MakMocmg0ZdDRa4o>
Cc: Justin Richer <jricher@MIT.EDU>, "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] Consensus Call: Adoption of the COSE Token
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2015 01:43:52 -0000

Hello,

Looking across the three WGs, there are good arguments for doing the work in each, but ACE would be the best WG for a few reasons.

COSE is supposed to be short-lived, let's keep it that way.

OAUTH has a full plate, although they tend to be very productive.

ACE has just become more focused and I think this could fit well once the OAUTH solution work is underway.

There's enough overlap for this to happen in any of the WGs.

Thanks for the discussion, I was waiting to chime in until it was hashed out a bit to see if there was any overwhelming consensus without influencing the outcome.  Now that it has quieted down, ACE is probably the best plan.

Thanks,
Kathleen 

Sent from my iPhone

> On Nov 22, 2015, at 4:25 PM, Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com> wrote:
> 
> Hi,
> 
> Yes, we have a draft posted in the OAuth WG for a CBOR Web Token (CWT). https://tools.ietf.org/id/draft-wahlstroem-oauth-cbor-web-token-00.txt 
> 
> We want to keep it there and reference the JWT claims (also defined in OAuth WG) and later add attributes needed for authentication and authorization for IoT to JWT/CWT in ACE WG.
> 
> Thanks
> Erik
> 
> 
> 
>> On 21 Nov 2015, at 18:39, Justin Richer <jricher@MIT.EDU> wrote:
>> 
>> Reading through the threads an opinions, there is no clear consensus as to where the work should be done. There is roughly equal support for doing this in any of the three offered working groups.
>> 
>> There is clear consensus that it should be done and that, as much as possible, it should be a direct map of the existing JWT payload object and common claims. 
>> 
>> In this light, someone needs to just start the work as an individual draft and push forward, and whichever working group most wants to can pick it up and publish it. I have no qualms on accepting this work within the COSE working group and I believe there is enough support to warrant that placement if an author submits a draft here (and this remains my preference as an individual), but I will not object to another group picking it up.
>> 
>> I believe, with all of the overlap between groups, that we will have no trouble getting the “right people” to look at it. Additionally, it is clear that it will be very beneficial to have formal reviews from all three groups once the draft has reached a mature status. 
>> 
>> Thankfully, Erik has already done this with his “COSE Web Token” draft. He’s initially targeted this at the OAuth working group, and the work started in ACE, so I call to the author to pick a location and run with it.
>> 
>> — Justin, your COSE chair
>> 
>>> On Nov 7, 2015, at 3:01 AM, Justin Richer <jricher@MIT.EDU> wrote:
>>> 
>>> At the Yokohama meeting, the chairs agreed to do a consensus call regarding the adoption and placement of new work to define a COSE Token, analogous to the JWT from JOSE. In the room, there was a general sentiment of support for the work being done, with the wide adoption of JWT and its driving of JOSE being a common theme of precedent. What wasn’t clear is where the work should be done and to what end it should drive. The six positions we are asking the working group to consider and voice their support for are:
>>> 
>>> A) Define the COSE Token within the COSE working group along side the COSE Messages (and potentially COSE Auxiliary Algorithms) draft.
>>> B) Define the COSE Token inside the OAuth working group.
>>> C) Define the COSE Token inside the ACE working group.
>>> D) Don’t define the COSE Token anywhere.
>>> E) You need more information to decide.
>>> F) You don’t give a flying rat about the COSE Token.*
>>> 
>>> The consensus call will remain open for two weeks from today, closing on November 21, 2015; at which time, hopefully we will have a clear answer and direction to point this work.
>>> 
>>> Thank you,
>>> — Justin & Kepeng, your COSE chairs
>>> 
>>> * I promised those in the room at Yokohama to offer a flying rat option, for which I am deeply sorry.
>>> _______________________________________________
>>> COSE mailing list
>>> COSE@ietf.org
>>> https://www.ietf.org/mailman/listinfo/cose
>> 
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
> 
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose