Re: [jose] Consensus call on charter for JSON Web Proofs work

Roman Danyliw <rdd@cert.org> Tue, 25 October 2022 12:48 UTC

Return-Path: <rdd@cert.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEDC8C14F72F for <jose@ietfa.amsl.com>; Tue, 25 Oct 2022 05:48:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7xOMBZptTag for <jose@ietfa.amsl.com>; Tue, 25 Oct 2022 05:48:08 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0138.outbound.protection.office365.us [23.103.208.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 370F8C14F613 for <jose@ietf.org>; Tue, 25 Oct 2022 05:48:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=SuVS6Lhs9PO/Xxu+Q773ZyXQAGo9EW6+pOKMsYU/RxMr88s1x9RLym6Dj7K8TLN45Svst+OxF0YOEoV551wd6xEFys5DWkxnwq4OLN/0PGcAS4iQKm99k2tXYw30bl9f8kEeP5CqLsMErfkE++lzpXFaWwhuZE5MyJkCZlqbuI7SDpWg/sIEGkVMJri5itG4NXKl9eOY9VMUfkoF6hZRYwQ+0m+VChY5xoHeBSg85czZ1GdcqEG/7kD/70fCxHSlm6J+wZv+6+AsyuOcNj9QckH9Jd2t0oU5IX3RXAh8CzAUQAPiCZ4Au8rWtpKej8zmQTyNYmsc84VohrfXOSrR7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XDtUxy9aKKRjak3oALZ7/myOJ4R0TIntdygdpKQgkuE=; b=RGXLc2vCWX/eEz/9Zwjau/ZP+5k2trJyLCFWAenJNPOY07vULv6uTabwlUv4BIgt5BR+cnBvOHkYGHmPswLfwnYberEpPybYbmtgqiwifYRk38U6zvDYPopX7UFHWWvDDLXuxUe3kylvNOFAa4VIw8wctxRjSiCM88BP/g+QiiDIKr8EStzLdygeklRWyC9q1zog+LvZdRaCOZSu9ebIMC2n1e5ExzKbfH6rviRdFWAivV/7+tFKAYsrycDjh3N3UOi84n4Sf5//ErKIklE205qprKWvKkdGFAE0aYnn2e3rELCXvCzx6EsfXG5LnPaowldbylCxe3ZZ21E9KKu4eQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1495.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17d::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.21; Tue, 25 Oct 2022 12:48:02 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429%6]) with mapi id 15.20.5746.028; Tue, 25 Oct 2022 12:48:02 +0000
From: Roman Danyliw <rdd@cert.org>
To: "jose@ietf.org" <jose@ietf.org>
Thread-Topic: Consensus call on charter for JSON Web Proofs work
Thread-Index: AQHY4o5yLiOS1Vx/FUSlp4yrHoQ30a4fETKA
Date: Tue, 25 Oct 2022 12:48:02 +0000
Message-ID: <BN2P110MB1107AF514B7C953843125896DC319@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <PH0PR06MB7061B875E484777060C5F06EC2289@PH0PR06MB7061.namprd06.prod.outlook.com>
In-Reply-To: <PH0PR06MB7061B875E484777060C5F06EC2289@PH0PR06MB7061.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1495:EE_
x-ms-office365-filtering-correlation-id: 32f43bc5-0b96-4f11-e470-08dab6872787
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BQAeklt0EYP002HISiuacAW1BXGZCWbFpBK4XJ+/nPmzyGo0ZMsMEzVVZNlto2im8VUbyQ/e0hPGHVSCeY2o0IO6rPy09j3O/saMjd0X3QcrZ8DC4rP4OgsjgtB+EOagc2rxnp2VnwyeqJhvHPqvlYBax17TJaPM9pwiiTrNmbVal4u1o5gA4OV7AmLJi3BOm9r19fkJuzFq40MLF7jZ5pZjxcjXRegRdVAK5jocqYKhVK9bQzo9a4xoNaVrQTMPEe6i4/f1RNhQpygqBbw6grArANIlKOMmuryf8sSEKKDSYD5bmHCaBg0cS9rEjNFskZbdE4Tznx/5ceuAPzeJcZgOLg9CBHml4aP6/JE06HbpurZYfODn2qnKUR03bMVCcw1KEM87R0+E2oYPs7qurjtiHr6cnautnVRXwhLbXVgCFJKkouvV+8zrKxz3ouMS7IKNISNFXCeXG42EvfWyGMTsfWt31T+tFpyMrGxiO0AzX8ia8DkrcLrFA2KugAAuJZ8m2M8Y64pjq+P+qs4/7P2wJWBB9zkVneb9vZ2r/8UrEcPaSlOJYqSD90Z+ahGOOyxn8HRFTErjO6Ebp9vESNhAcBnie9OGypDwJE80295CygZHvOSLSz5n01789jhG7r7JScsstMYhg6AOHFwkwXlfBEMCkDvJADQJsOorP7qHlbdZHLaGw/lTpzQ/KBLW/8wXhxikpkJR3Mni+juuJg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(38100700002)(498600001)(38070700005)(66899015)(71200400001)(82960400001)(166002)(6916009)(55016003)(8936002)(26005)(86362001)(9686003)(66946007)(76116006)(8676002)(64756008)(66446008)(66476007)(966005)(122000001)(83380400001)(2906002)(186003)(52536014)(66556008)(33656002)(53546011)(6506007)(5660300002)(21615005)(7696005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tjXZyFfYI7hUf6e09IJi6NhfpwN4DK4/x00U4WPVj6rUu5iwjNED8XVP2jOhxhWT16PykTKZfFb7DN18J6LVcSqD1W69dQ37poegkyVxh7UWm6+XT8WX5WAHDZcaVzvt6PvP4J7XZ3ToKCR5detAaJENnZDUaZ7dC3SVZYfVLiQeRH4zKEW83337VnRGsYPawt3r/lzOy2ncqtl/hcaQANSEpx82PuZ7m+LNTmtE0sdVixegj0QCnmmfPWEF7NlXvU1d3v7Xx7AqLE9wiiRRRwbV1xcn5fYPoAUEgDNoBfsxVkSRk+LYC9K8qvzRlhC2U7sF+rEJx6gz0dd2EW5UjdFoKAohW1pSGyndDHwYkBEom9XuRx2ZTkhVcM/D8PlHln1xx4238CUFx5TpgFsxzw6PHkMkx6wqUKKOM32mKnc=
Content-Type: multipart/alternative; boundary="_000_BN2P110MB1107AF514B7C953843125896DC319BN2P110MB1107NAMP_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 32f43bc5-0b96-4f11-e470-08dab6872787
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Oct 2022 12:48:02.6092 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1495
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/tcAtT0Vkk0KlV7mRhwIyUxd2Sug>
Subject: Re: [jose] Consensus call on charter for JSON Web Proofs work
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2022 12:48:12 -0000

Hi!

Thank you for all of your input in this call for feedback.  In consultation with the chairs, we have a conclusive way ahead - this email call for feedback confirmed the consensus of the second BoF to convene a WG, and that we have agreement on the charter text.  Additionally, we have consensus to re-open the JOSE WG as the venue to do the work.

As the next steps, the following will occur:

** I will start the process to re-open the JOSE work group using the agreed upon charter.  As a process reminder, this re-chartering process consists of three gated reviews: (1) charter goes to the IESG for initial review; (2) charter goes for broad IETF community review; (3) charter goes the IESG for final review.  The next available IESG telechat on which (1) could be schedule is 01-Dec-2022.  It would be followed by a two week review for (2) assuming IESG blocking comments were resolved.  Finally, assuming all community feedback is resolved, the charter would return to the IESG for the 15-Dec-2022 telechat per (3).  As discussed during the last BoF, an outcome of the timing of this process is that no WG can be formed for IETF 115.

** I will be canceling the planned IETF 115 JWP BOF.  This third BoF at IETF 115 was defensively scheduled to ensure that if there wasn't resolution on the charter, we could continue the discussion.  However, this extra session will not needed as the BoF objectives have already been met - cancelation is an indication of success!  An obvious question is why can't the group just meet to start discussion of the work if the time is already scheduled?  It's a matter of efficiently using the face-to-face meeting time.  There is already significant scheduling compression on the meeting agenda.  If we don't need the time for our BoF objectives, others can use it.

Regards,
Roman, Karen and John
(responsible AD and JWP co-chairs)


From: jose <jose-bounces@ietf.org> On Behalf Of Karen O'Donoghue
Sent: Monday, October 17, 2022 9:45 PM
To: jose@ietf.org
Subject: [jose] Consensus call on charter for JSON Web Proofs work

Everyone...

On 12 October 2022, we held the second BoF for JSON Web Proofs proposed work [1] as a follow-on to the BoF held at IETF 114 [2].

We had a robust discussion on problem to be solved and the proposed scope of work. A draft charter was previously circulated on the mailing list and discussed during the meeting. Polling of the BoF participants showed a strong consensus on understanding of the problem and interest to solve it in the IETF.  There was also critical mass of energy to do this work. There was some feedback on the charter along with consensus to reuse the JOSE mailing list.

The charter was updated based on the feedback from the BoF and is available here and included below:
https://github.com/json-web-proofs/json-web-proofs/blob/main/charter-ietf-jose-03.md

Now with a revised charter available, we'd like to continue this BoF conversion with an email thread to gauge interest to forming a WG to ensure we also capture views from those who were unable to attend the BoF or those who want to reiterate their positions.  Please respond to the list:

(1) Do you support the charter text? Or do you have objections or blocking concerns (please describe what they might be)?

If you do support the charter text:
(2) Are you willing to author or participate in the developed of the WG drafts?
(3) Are you willing to review the WG drafts?
(4) Are you interested in implementing the WG drafts?

If you previously spoke of at the BoF, you are welcome to repeat yourself here.

If you have been following along on the mailing list, the charter text below is the one that was being polished in GitHub (https://github.com/json-web-proofs/json-web-proofs/blob/main/charter-ietf-jose-03.md).

This call for feedback will end on Monday, 24 October 2022.

Thanks,
Karen and John

[1] https://datatracker.ietf.org/meeting/interim-2022-jwp-01/materials/minutes-interim-2022-jwp-01-202210121300-00
[2] https://notes.ietf.org/notes-ietf-114-jwp#<https://notes.ietf.org/notes-ietf-114-jwp>
[3] https://github.com/json-web-proofs/json-web-proofs/blob/main/charter-ietf-jose-03.md

Draft Charter:

The original JSON Object Signing and Encryption (JOSE) working group<https://datatracker.ietf.org/doc/charter-ietf-jose/02/> standardized JSON-based representations for:

  *   Integrity-protected objects - JSON Web Signatures (JWS) [RFC 7515<https://www.rfc-editor.org/rfc/rfc7515.html>]
  *   Encrypted objects - JSON Web Encryption (JWE) [RFC 7516<https://www.rfc-editor.org/rfc/rfc7516.html>]
  *   Key representations - JSON Web Key (JWK) [RFC 7517<https://www.rfc-editor.org/rfc/rfc7517.html>]
  *   Algorithm definitions - JSON Web Algorithms (JWA) [RFC 7518<https://www.rfc-editor.org/rfc/rfc7518.html>]
  *   Test vectors for the above - Examples of Protecting Content Using JSON Object Signing and Encryption [RFC 7520<https://www.rfc-editor.org/rfc/rfc7520.html>]

These were used to define the JSON Web Token (JWT) [RFC 7519<https://www.rfc-editor.org/rfc/rfc7519.html>], which in turn, has seen widespread deployment in areas as diverse as digital identity<https://openid.net/connect/> and secure telephony<https://www.ietf.org/blog/stir-action/>.

Concurrent to the growth of adoption of these standards to express and communicate sensitive data has been an increasing societal focus on privacy. Common privacy themes in identity solutions are user consent, minimal disclosure, and unlinkability.

A multi-decade research activity for a sizeable academic and applied cryptography community, often referred to as anonymous credentials, targets privacy and knowledge protection. Some of the cryptographic techniques developed in this space involve pairing-friendly curves and zero-knowledge proofs (ZKPs) (to name just a few). Some of the benefits of zero-knowledge proof algorithms include unlinkability, selective disclosure, and the ability to use predicate proofs.

The current container formats defined by JOSE and JWT are not able to represent data using zero-knowledge proof algorithms. Among the reasons are that most require an additional transform or finalize step, many are designed to operate on sets and not single messages, and the interface to ZKP algorithms has more inputs than conventional signing algorithms. The reconstituted JSON Object Signing and Encryption (JOSE) working group will address these new needs, while reusing aspects of JOSE and JWT, where applicable.

This group is chartered to work on the following deliverables:

  *   An Informational document detailing Use Cases and Requirements for new specifications enabling JSON-based selective disclosure and zero-knowledge proofs.
  *   Standards Track document(s) specifying representation(s) of independently-disclosable integrity-protected sets of data and/or proofs using JSON-based data structures, which also aims to prevent the ability to correlate by different verifiers.
  *   Standards Track document(s) specifying representation(s) of JSON-based claims and/or proofs enabling selective disclosure of these claims and/or proofs, and that also aims to prevent the ability to correlate by different verifiers.
  *   Standards Track document(s) specifying how to use existing cryptographic algorithms and defining their algorithm identifiers. The working group will not invent new cryptographic algorithms.
  *   Standards Track document(s) specifying how to represent keys for these new algorithms as JSON Web Keys (JWKs).
  *   An Informational document defining test vectors for these new specifications.
  *   Standards Track document(s) defining CBOR-based representations corresponding to all the above, building upon the COSE and CWT specifications in the same way that the above build on JOSE and JWT.

One or more of these goals may be combined into a single document, in which case the concrete milestones for these goals will be satisfied by the consolidated document(s).

An informal goal of the working group is close coordination with the rechartered W3C Verifiable Credentials WG<https://www.w3.org/2022/05/proposed-vc-wg-charter.html>, which has taken a dependency on this work for the second version of its Verifiable Credentials specification. The working group will also coordinate with the Selective Disclosure JWT<https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/> work in the OAuth working group, the Privacy Pass<https://datatracker.ietf.org/doc/charter-ietf-privacypass/> working group, and the CFRG.