Re: [jose] draft revision to JOSE charter

Mark Watson <> Fri, 18 January 2013 17:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4823E21F87D1 for <>; Fri, 18 Jan 2013 09:14:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.265
X-Spam-Status: No, score=-10.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HaiRnWmUP-oF for <>; Fri, 18 Jan 2013 09:14:05 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4947E21F87CB for <>; Fri, 18 Jan 2013 09:14:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=s2048;; h=from:to:cc:subject:date:message-id:references:in-reply-to :content-type:mime-version; bh=W60UV5Cw/E90ft7ZB2PAFWR0HD4=; b=m1YO87jktCvL/xAhYbxAvE1iTVsAtg17oi/6fRhu9SqgBWap5embZxJ6ZM9Nkl/kF91s8YvJ P1BcHhOzhMMOaJXDO58j1gc6Ygr9YoRoVPHKMryIa29mNyX12bxSPh0dFHs0Roj/kmU1Avff biZ6jV8ymVRIFri2cLg4Rw/hME+W37NPbXy+gDZbvUOVamc3nkAFmCapu7cK59S+RgoXKXJL 0cwoag4N4sSG44/mNKwy3Hjozj9qF2FJlmh4gEkBPPAV1ADmN+Q5iYtMEycp9cuPSnuS6EMq Yv0SBq1tM+GDrXvMy81/8gY/l4qBdtjRONuXNeLKh6GA/f4e7flpGQ==
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s2048;; h=from:to:cc:subject:date:message-id:references:in-reply-to :content-type:mime-version; b=cpPoCsfX6sgR/LMfITMZubwK+NlDg+ZT1wPF0Xdft5Q2e3ewJxa8Q7Usf0gj/uORjZPV7f2C pAEsdOWpv7B4neWSIdm3kRCsjYX7lmYXRxNqfXrMq/cBj0ORRhBMV5iEqoyfsLk9iiZjmwqa l/a0SJTIcVZEfZwanEYDGxE7aIAlaTyeCi1rlJcsmtlsWDFp330lE9/2Xlb1OOHYgxj48jTD HgwoKm9aUp85TD2IKy/EbVJRwB+XaWdMOEtWyyTiGJF1IHXwkRHJ7CBlfqT8bmyFkm/j7xSl nMlYgZNzopUqLp5nxDEzoWzsiqoC/EJ/fuK7ALuo7vtpWpJ6VFJMFg==
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 18 Jan 2013 09:13:54 -0800
Received: from ([]) by ([]) with mapi id 14.02.0283.003; Fri, 18 Jan 2013 09:13:54 -0800
From: Mark Watson <>
To: Richard Barnes <>
Thread-Topic: [jose] draft revision to JOSE charter
Thread-Index: AQHN8DaqvvBReA/bIk+6nuN3BSNm3ZhLcLuAgAASCQCABFKVgIAADrmA
Date: Fri, 18 Jan 2013 17:13:53 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Mike Jones <>, "" <>, "" <>
Subject: Re: [jose] draft revision to JOSE charter
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Jan 2013 17:14:06 -0000

On Jan 18, 2013, at 8:21 AM, Richard Barnes wrote:

> Inline
>> -----
>> On 1,2,3,5,6:
>> Do I understand correctly that milestones 5 and 6 are intended to be something like the JSON serialization documents, whereas 1, 2, and 3 are supposed to be something like the current documents?  If that's the case, then we might as well call a spade a spade and remove "JSON-structured" from 1, 2, and 3.
>> I find that sort of back-tracking pretty distasteful, though.  As I've said before, it would be better if we could come up with a reasonable JSON syntax that would profile down to something compact and URL-safe. 
>> Yes, (1), (2), (3) (and (4)) are the deliverables in the present charter (  The “JSON-structured” wording is from the current charter.  I suppose it could be changed to “JSON-based” if people prefer that.  But minimizing changes to the existing charter items also seems like a good goal.  I’d be fine with either the “JSON-structured” wording from the current charter or “JSON-based”.
>> And yes, (5) and (6) are the JSON serialization documents, which we decided adopt as working group documents and create charter items for at the working group meeting in Atlanta.  Consensus to do this is recorded at    See and for the current versions of these documents.
> I just don't see any reason for us to have separate documents for a "JSON serialization".  It's what we should have done in the first place -- make something "JSON-structured".  Rather than having separate documents/milestones, let's just put the JSON stuff in the base spec.  It will help ensure coherence between the formats, and it's really not that much text.
> If we make the explicit decision not to include a JSON format in our base deliverables, then we should just strike "JSON" altogether.  JW* is as much "ASN.1-based" as it is "JSON-based" -- it contains base64-serialized objects of both types.
>> On 4:
>> This group has agreed time and again that we will not have mandatory to implement algorithms.  As Mr. Housley put it, according to the IETF 85 minutes, "Each app defines MTI, achieving separation of MTI from syntax.".  So the phrase "including mandatory-to-implement algorithms" needs to be struck from item (4).
>> This statement makes no sense, as our current charter already *requires* us to produce “A Standards Track document specifying mandatory-to-implement algorithms for the other three documents”.  The rechartering is about adding the new deliverables 5-8 – not changing our existing deliverables, of which this is one already one.
> You want to deviate from the first three milestones, I want to deviate from this one :)
> There have been clear consensus calls at the last few IETF meetings that run against this milestone.  If the chairs would like to have an explicit call on removing "mandatory to implement" from this milestone, then I would support that.
>> On 7,8:
>> I have no idea what milestones 7 and 8 are supposed to entail.  JWE already has wrapped keys, and JWS should (for MAC).  As above, we should strive to get this right the first time instead of doing something halfway with a promise to patch it later.
>> I’m surprised that you say that don’t understand 7 and 8, as you were in the Friday morning meeting in Atlanta that was organized by Joe Hildebrand and Jim Schaad that defined them.  The minutes of that meeting are at  Deliverable (A) in the minutes is charter item (7).  Deliverable (B) in the minutes is charter item (8).
>> (7) extends (3) to define JSON representations for private and symmetric keys (whereas (3) only defines representations for public keys).  See for a draft that does this.
>> As we discussed at that meeting, while JWE uses wrapped key *values* (wrapped CMKs), this new document that Matt is writing will enable us to wrap both key values and associated key properties.  It wraps a JWK representation (which per (7), may represent private and symmetric keys), including potential key properties as the key’s “alg” and “kid” values, as well as others that may be used.  It’s intentionally more general than the wrapped CMK value used in JWE, again, as discussed during the Friday meeting in Atlanta.
> I was at that meeting, and I did not leave convinced that having a separate document was the correct path, as opposed to doing wrapped keys right the first time.
> JWE already has a mechanism for wrapping keys.  Instead of inventing some separate syntax, we should consolidate the "wrapped key" bits of JWE into an object ("JSON Wrapped Key", or JWK :) ), and give that object a way to protect attributes.  If there are no attributes, then this just looks like what's already in JWE. I can send a more thorough proposal to the list if you like.
> In any case, I oppose adding these two milestones based on the above.  If we are going to handle this separately, then 7 and 8 should be combined, since the format for symmetric/private keys will have to have a protection mechanism.

Both the W3C WebCrypto and HTML media groups have use-cases for an unprotected representation of a symmetric key. In the WebCrypto case for export of such keys (where that is allowed according to the key properties) and for a representation that includes attributes which could then be wrapped (with AES Key Wrap, for example). In the HTML media group they would like to use this format for the "clearkey" key system for encrypted media, where the requirement is again just for a clear unprotected representation of the key and associated attributes.

So (7) at least has stand-alone use-cases.


> --Richard
> _______________________________________________
> jose mailing list