Re: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)

Benjamin Kaduk <kaduk@mit.edu> Fri, 10 July 2020 21:21 UTC

Date: Fri, 10 Jul 2020 14:21:33 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Carsten Bormann <cabo@tzi.org>
Cc: "jose@ietf.org" <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/BXjsU1lPyeUzihb2Q9VGEdbBOq8>

On Fri, Jul 10, 2020 at 10:43:46PM +0200, Carsten Bormann wrote:
> On 2020-07-10, at 22:21, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> > 
> > There are things I would have commented on in JCS 
> 
> Much of what discussion we had happened on the JSON mailing list.
> There is a map (JSON object) key ordering mechanism in there for which I only have the word “sick”, and this was commented on the JSON mailing list [1] (in slightly more elaborate wording).  That “feature” is still in there.  No comment.
> 
> The disturbing part is that people are now running ahead and are trying to do run-arounds around the JOSE format based on the old XMLDSig thinking.  I certainly suspected that was the point of JCS, but it played no role in the IESG conflict review for this independent submission — I have seen very inconsistent levels of attention in IESG to considerations about how a spec will actually be used over time.

https://tools.ietf.org/html/rfc5742#section-3 seems pretty clear that the
IESG reviews the work that is being presented for publication on the
Independent Submission stream, which would seem to exclude extensive
consideration of what might be done later that builds upon such work.  I'm
not sure which of the 5 "types of conclusion" from RFC 5742 you are
proposing should have been sent (and why)...

Thanks,

Ben