Re: [jose] updated draft charter text incorporating AD's comments
Richard Barnes <rlb@ipv.sx> Fri, 05 April 2013 22:43 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60F0421F992B for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 15:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.701
X-Spam-Level:
X-Spam-Status: No, score=-1.701 tagged_above=-999 required=5 tests=[AWL=-1.276, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CpV7z7iJlmzx for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 15:43:21 -0700 (PDT)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id DDD4F21F98F4 for <jose@ietf.org>; Fri, 5 Apr 2013 15:43:20 -0700 (PDT)
Received: by mail-ob0-f174.google.com with SMTP id wm15so1562381obc.19 for <jose@ietf.org>; Fri, 05 Apr 2013 15:43:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=4PgxM2RP5hJkkNIJ6DqrRLYeTRAPF3+rFbqV4ifxfBs=; b=BCFHPpdHqbzHkcFWdmI2JadJt1hDgHVgGAWZShnEFVrUHOjq9si0ioXcj9WaRCdANM K84i/S7BODnMhgJNzLQ4D5AHpvapwedM2bAxhcQNdhfj0CNIZ07q96byJ8EfgkcyzSS0 7a0EE32fRTJVTua9OX2fbqYa+Xt2/ytaz3NsB0o8QRBvXxd7A36oJ8CG3I+s8iioGv58 Iisy25+aQAZw39/ovbhHabYpYD9GqL0eMs7WmXxYIpdgHSYkSVrJL3BcS+P2s76BQiqa 2sKGzwm1VtdPL/mjigEE8Fgs6oE4sxBF2mdsyJ+pDGi/FmBUMvY1SlaWCq3/MjNjFy8S ZOYQ==
MIME-Version: 1.0
X-Received: by 10.60.17.132 with SMTP id o4mr9593903oed.12.1365201800130; Fri, 05 Apr 2013 15:43:20 -0700 (PDT)
Received: by 10.60.25.196 with HTTP; Fri, 5 Apr 2013 15:43:20 -0700 (PDT)
X-Originating-IP: [128.89.255.18]
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943675B77BC@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <513CCD31.8050408@isoc.org> <515EC38F.2060703@ieca.com> <4E1F6AAD24975D4BA5B1680429673943675B77BC@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Fri, 05 Apr 2013 18:43:20 -0400
Message-ID: <CAL02cgTHe2pmJRjnzDvD-QDgN=FwE1Yf2803OdMup_dLYLcN3w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="089e01294d0c58041704d9a4d0c2"
X-Gm-Message-State: ALoCoQk4RZTGCdNc8u96BxnTEg3hJsbbpOry1BD9qbGNKotWtdOvknZuSXHUKCuyhUrqaNxQLtIw
Cc: Sean Turner <turners@ieca.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] updated draft charter text incorporating AD's comments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 22:43:22 -0000
On Fri, Apr 5, 2013 at 9:28 AM, Mike Jones <Michael.Jones@microsoft.com>wrote: > Hmmm... I feel really queasy about the proposed rewording for (1), as > it could lead to significant unintended consequences and potential > obstacles when we go for final approval of the JWS and JWE specs. Here's > why...**** > > ** ** > > The wording could easily be interpreted as a mandate that the > end-representation itself be JSON – not just that the representation > utilize JSON for representing structured data, which is what is actually > the case now. I could easily imagine the new wording enabling a situation > where someone would then file a DISCUSS saying that the current Compact > Serialization representations aren't JSON and so don't meet the > requirements of the charter. > That won't be a problem as long as there is *a* JSON representation in the base specification. Which we have agreed to do. --Richard > **** > > ** ** > > For that reason, I believe we would be FAR better off to leave the first > two charter items exactly as they are at > http://datatracker.ietf.org/wg/jose/charter/ than to accept the new > wording. The current wording is:**** > > ** ** > > 1) A Standards Track document specifying how to apply JSON-structured **** > > integrity protection to data, including (but not limited to) JSON data ** > ** > > structures. "Integrity protection" includes public-key digital **** > > signatures as well as symmetric-key MACs. **** > > ** ** > > 2) A Standards Track document specifying how to apply a JSON-structured ** > ** > > encryption to data, including (but not limited to) JSON data structures.* > *** > > ** ** > > So yes, I strongly object to the new wording, as I don’t want to open the > door for the current representations to be rejected on charter grounds > later. If it helps, you can reassure objectors that we ARE producing pure > JSON representations too, but that they’re not the only JSON-based > representations for integrity protected and encrypted content.**** > > ** ** > > Why don’t we just scale back the recharter request to only add the new > items and leave the existing items alone, if that’s what it will take to be > approved.**** > > ** ** > > Thanks for > asking,**** > > -- Mike **** > > ** ** > > -----Original Message----- > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of > Sean Turner > Sent: Friday, April 05, 2013 5:29 AM > To: jose@ietf.org > Subject: Re: [jose] updated draft charter text incorporating AD's comments > > ** ** > > Hi,**** > > ** ** > > We've gotten what amounts to two discusses on the charter. I wanted to > run these by the WG in case there were any violent objections.**** > > ** ** > > 1. (easy one first) What does "JSON-structured integrity protection" and > "JSON-structured encryption" mean?**** > > ** ** > > It was explained "JSON-structured" means that the metadata about how you > did the encryption/integrity is expressed in JSON not that the payload > itself is JSON. I.e., the algorithm description, key identifiers, etc. ** > ** > > are in JSON but not necessary the payload.**** > > ** ** > > I proposed:**** > > ** ** > > OLD:**** > > ** ** > > specifying how to apply JSON-structured integrity**** > > protection to data**** > > ** ** > > NEW:**** > > ** ** > > specifying a JSON structure for integrity-protected data**** > > ** ** > > and the same again for encryption:**** > > ** ** > > OLD:**** > > ** ** > > specifying how to apply a JSON-structured encryption to data**** > > ** ** > > NEW:**** > > ** ** > > specifying a JSON structure for encrypted data**** > > ** ** > > 2. (hard one) Barry's been told by some App folks who are working on new > JSON-based protocols that they don't see the applicability of JOSE to their > work.**** > > ** ** > > I think there is some concern that we're doing our own thing here in > security land and not consulting with others. That's not a true > characterization based the use case we have from ALTO and XMPP, but **** > > nonetheless this feedback worries both Barry and myself. What I'm **** > > going to do is prompt/prod the Apps folks to engage and say why/how it > won't work for them. What we might also do is some education in the > appsawg; one of those here's how it works kind of presentations. We'll > reach out, but they need to reach out too because I don't want to have to > be pinned waiting on a input that may never come. To that end, putting > some wording in the charter earlier than the numbered bullet about the uses > cases, I think, solves this dilemma:**** > > ** ** > > The WG will strive to gather use cases to ensure the broadest**** > > possible applicability of the mechanism.**** > > ** ** > > spt**** > > ** ** > > On 3/10/13 2:13 PM, Karen O'Donoghue wrote:**** > > > Folks,**** > > >** ** > > > Here is the updated charter text based on Sean's comments and Mike's *** > * > > > response. If there are any errors, please identify them asap as I plan * > *** > > > to forward this back to Sean (and thus the IESG) in the very near future. > **** > > >** ** > > > Regards,**** > > > Karen**** > > >** ** > > >** ** > > > Description of JOSE Working Group**** > > >** ** > > > JavaScript Object Notation (JSON) is a text format for the **** > > > serialization of structured data described in RFC 4627. The JSON **** > > > format is often used for serializing and transmitting structured data ** > ** > > > over a network connection. With the increased usage of JSON in **** > > > protocols in the IETF and elsewhere, there is now a desire to offer **** > > > security services for JSON with encryption, digital signatures, and **** > > > message authentication codes (MACs).**** > > >** ** > > > Different proposals for providing such security services have already ** > ** > > > been defined and implemented. This Working Group will standardize the * > *** > > > mechanism for integrity protection (signature and MAC) and encryption ** > ** > > > as well as the format for keys and algorithm identifiers to support **** > > > interoperability of security services for protocols that use JSON. The * > *** > > > Working Group will base its work on well-known message security **** > > > primitives (e.g., CMS), and will solicit input from the rest of the **** > > > IETF Security Area to be sure that the security functionality in the *** > * > > > JSON format is sound.**** > > >** ** > > > As JSON adoption expands, the different applications utilizing JSON **** > > > security services will grow and this leads to the need to support **** > > > different requirements.**** > > > The WG will**** > > > develop a generic syntax that can be used by applications to secure **** > > > JSON-data, but it will be up to the application to fully specify the *** > * > > > use of the WG's documents much the same way S/MIME is the application ** > ** > > > of CMS to MIME-based media types.**** > > >** ** > > > This group is chartered to work on the following deliverables:**** > > >** ** > > > (1) A Standards Track document or documents specifying how to apply **** > > > JSON-structured integrity protection to data, including (but not **** > > > limited to) JSON data structures.**** > > > "Integrity protection" includes public-key digital signatures as well ** > ** > > > as symmetric-key MACs.**** > > >** ** > > > (2) A Standards Track document or documents specifying how to apply a ** > ** > > > JSON-structured encryption to data, including (but not limited to) **** > > > JSON data structures.**** > > >** ** > > > (3) A Standards Track document specifying how to encode public keys as** > ** > > > JSON-**** > > > structured objects.**** > > >** ** > > > (4) A Standards Track document specifying algorithms and algorithm **** > > > identifiers for the previous three documents.**** > > >** ** > > > (5) A Standards Track document specifying how to encode private and **** > > > symmetric keys as JSON-structured objects. This document will build *** > * > > > upon the concepts and structures in (3).**** > > >** ** > > > (6) A Standards Track document specifying a means of protecting **** > > > private and symmetric keys via encryption. This document will build *** > * > > > upon the concepts and structures in (2) and (5). This document may **** > > > register additional algorithms in registries defined by (4).**** > > >** ** > > > (7) An Informational document detailing Use Cases and Requirements for * > *** > > > JSON Object Signing and Encryption (JOSE).**** > > >** ** > > > (8) An Informational document that tells an application what needs to ** > ** > > > be specified in order to implement JOSE.**** > > >** ** > > > One or more of these goals may be combined into a single document, in ** > ** > > > which case the concrete milestones for these goals will be satisfied *** > * > > > by the consolidated document(s).**** > > >** ** > > > _______________________________________________**** > > > jose mailing list**** > > > jose@ietf.org**** > > > https://www.ietf.org/mailman/listinfo/jose**** > > >** ** > > _______________________________________________**** > > jose mailing list**** > > jose@ietf.org**** > > https://www.ietf.org/mailman/listinfo/jose**** > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] updated draft charter text incorporating A… Karen O'Donoghue
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Dan Brown
- Re: [jose] updated draft charter text incorporati… Sean Turner
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Barry Leiba
- Re: [jose] updated draft charter text incorporati… Dick Hardt
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Barry Leiba
- Re: [jose] updated draft charter text incorporati… Richard Barnes
- Re: [jose] updated draft charter text incorporati… Richard Barnes
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Sean Turner
- Re: [jose] updated draft charter text incorporati… Sean Turner
- Re: [jose] updated draft charter text incorporati… Barry Leiba
- Re: [jose] updated draft charter text incorporati… Peter Saint-Andre
- Re: [jose] updated draft charter text incorporati… Sean Turner