Re: [jose] updated draft charter text incorporating AD's comments
Sean Turner <turners@ieca.com> Fri, 05 April 2013 12:29 UTC
Return-Path: <turners@ieca.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 343C221F972F for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 05:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.245
X-Spam-Level:
X-Spam-Status: No, score=-102.245 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HOZoFQ8nE4bc for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 05:29:05 -0700 (PDT)
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [67.18.36.18]) by ietfa.amsl.com (Postfix) with ESMTP id 4420121F9724 for <jose@ietf.org>; Fri, 5 Apr 2013 05:29:05 -0700 (PDT)
Received: by gateway08.websitewelcome.com (Postfix, from userid 5007) id D2D1DD5583737; Fri, 5 Apr 2013 07:29:04 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway08.websitewelcome.com (Postfix) with ESMTP id C601CD55836E5 for <jose@ietf.org>; Fri, 5 Apr 2013 07:29:04 -0500 (CDT)
Received: from [108.45.16.214] (port=59639 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1UO5lQ-00076D-JV for jose@ietf.org; Fri, 05 Apr 2013 07:29:04 -0500
Message-ID: <515EC38F.2060703@ieca.com>
Date: Fri, 05 Apr 2013 08:29:03 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: jose@ietf.org
References: <513CCD31.8050408@isoc.org>
In-Reply-To: <513CCD31.8050408@isoc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [108.45.16.214]:59639
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: Re: [jose] updated draft charter text incorporating AD's comments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 12:29:06 -0000
Hi, We've gotten what amounts to two discusses on the charter. I wanted to run these by the WG in case there were any violent objections. 1. (easy one first) What does "JSON-structured integrity protection" and "JSON-structured encryption" mean? It was explained "JSON-structured" means that the metadata about how you did the encryption/integrity is expressed in JSON not that the payload itself is JSON. I.e., the algorithm description, key identifiers, etc. are in JSON but not necessary the payload. I proposed: OLD: specifying how to apply JSON-structured integrity protection to data NEW: specifying a JSON structure for integrity-protected data and the same again for encryption: OLD: specifying how to apply a JSON-structured encryption to data NEW: specifying a JSON structure for encrypted data 2. (hard one) Barry's been told by some App folks who are working on new JSON-based protocols that they don't see the applicability of JOSE to their work. I think there is some concern that we're doing our own thing here in security land and not consulting with others. That's not a true characterization based the use case we have from ALTO and XMPP, but nonetheless this feedback worries both Barry and myself. What I'm going to do is prompt/prod the Apps folks to engage and say why/how it won't work for them. What we might also do is some education in the appsawg; one of those here's how it works kind of presentations. We'll reach out, but they need to reach out too because I don't want to have to be pinned waiting on a input that may never come. To that end, putting some wording in the charter earlier than the numbered bullet about the uses cases, I think, solves this dilemma: The WG will strive to gather use cases to ensure the broadest possible applicability of the mechanism. spt On 3/10/13 2:13 PM, Karen O'Donoghue wrote: > Folks, > > Here is the updated charter text based on Sean's comments and Mike's > response. If there are any errors, please identify them asap as I plan > to forward this back to Sean (and thus the IESG) in the very near future. > > Regards, > Karen > > > Description of JOSE Working Group > > JavaScript Object Notation (JSON) is a text format for the serialization > of structured > data described in RFC 4627. The JSON format is often used for > serializing and > transmitting structured data over a network connection. With the > increased usage > of JSON in protocols in the IETF and elsewhere, there is now a desire to > offer > security services for JSON with encryption, digital signatures, and > message authentication > codes (MACs). > > Different proposals for providing such security services have already > been defined > and implemented. This Working Group will standardize the mechanism for > integrity > protection (signature and MAC) and encryption as well as the format for > keys and algorithm > identifiers to support interoperability of security services for > protocols that > use JSON. The Working Group will base its work on well-known message > security primitives > (e.g., CMS), and will solicit input from the rest of the IETF Security > Area to be sure > that the security functionality in the JSON format is sound. > > As JSON adoption expands, the different applications utilizing JSON > security services > will grow and this leads to the need to support different requirements. > The WG will > develop a generic syntax that can be used by applications to secure > JSON-data, but > it will be up to the application to fully specify the use of the WG's > documents much > the same way S/MIME is the application of CMS to MIME-based media types. > > This group is chartered to work on the following deliverables: > > (1) A Standards Track document or documents specifying how to apply > JSON-structured > integrity protection to data, including (but not limited to) JSON data > structures. > "Integrity protection" includes public-key digital signatures as well as > symmetric-key MACs. > > (2) A Standards Track document or documents specifying how to apply a > JSON-structured > encryption to data, including (but not limited to) JSON data structures. > > (3) A Standards Track document specifying how to encode public keys as > JSON- > structured objects. > > (4) A Standards Track document specifying algorithms and algorithm > identifiers for > the previous three documents. > > (5) A Standards Track document specifying how to encode private and > symmetric > keys as JSON-structured objects. This document will build upon the > concepts and > structures in (3). > > (6) A Standards Track document specifying a means of protecting private > and symmetric > keys via encryption. This document will build upon the concepts and > structures in (2) > and (5). This document may register additional algorithms in registries > defined by (4). > > (7) An Informational document detailing Use Cases and Requirements for > JSON Object > Signing and Encryption (JOSE). > > (8) An Informational document that tells an application what needs to be > specified in order > to implement JOSE. > > One or more of these goals may be combined into a single document, in > which case the > concrete milestones for these goals will be satisfied by the > consolidated document(s). > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] updated draft charter text incorporating A… Karen O'Donoghue
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Dan Brown
- Re: [jose] updated draft charter text incorporati… Sean Turner
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Barry Leiba
- Re: [jose] updated draft charter text incorporati… Dick Hardt
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Barry Leiba
- Re: [jose] updated draft charter text incorporati… Richard Barnes
- Re: [jose] updated draft charter text incorporati… Richard Barnes
- Re: [jose] updated draft charter text incorporati… Mike Jones
- Re: [jose] updated draft charter text incorporati… Sean Turner
- Re: [jose] updated draft charter text incorporati… Sean Turner
- Re: [jose] updated draft charter text incorporati… Barry Leiba
- Re: [jose] updated draft charter text incorporati… Peter Saint-Andre
- Re: [jose] updated draft charter text incorporati… Sean Turner