IETF Logo Mail Archive

Re: [OAUTH-WG] [COSE] [Ace] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Tue, 10 May 2016 15:14 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FEC212D704; Tue, 10 May 2016 08:14:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.215
X-Spam-Level:
X-Spam-Status: No, score=-5.215 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Afx2e5YWakx4; Tue, 10 May 2016 08:14:37 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF31012D6FC; Tue, 10 May 2016 08:14:36 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u4AFES5h017962 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 10 May 2016 15:14:28 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u4AFER06014933 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 10 May 2016 15:14:28 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u4AFEQIq027188; Tue, 10 May 2016 15:14:26 GMT
Received: from [10.0.1.3] (/24.86.216.17) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 10 May 2016 08:14:25 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-12FBE324-A738-4D06-97CC-03AF56B063ED"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (13E238)
In-Reply-To: <5E85AFAC-07D3-4499-A5B2-5FEC69409913@mit.edu>
Date: Tue, 10 May 2016 08:14:22 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <7C5768D4-8293-49E4-B8A6-49910E9C4372@oracle.com>
References: <D356A330.34F31%kepeng.lkp@alibaba-inc.com> <57309F46.9040705@tzi.org> <89B6F196-D08F-4FBD-9F0D-5B250284048F@mit.edu> <CA+KYQAuF-AzXEBQFo0-2VoCSBnCAPTAvHRwwngDUQcFgk0Q4SQ@mail.gmail.com> <SN1PR0301MB1645A1F955468253B8EF4782F5710@SN1PR0301MB1645.namprd03.prod.outlook.com> <5E85AFAC-07D3-4499-A5B2-5FEC69409913@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/n0dBefoOU4VIDoh2IoEtQnr4K00>
Cc: "ace@ietf.org" <ace@ietf.org>, "<oauth@ietf.org>" <oauth@ietf.org>, cose <cose@ietf.org>
Subject: Re: [OAUTH-WG] [COSE] [Ace] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2016 15:14:50 -0000

I don't have this issue. I see your point, but I think the constrained branding makes it clear. 

IOW. When the specs say "constrained web" the use means to me that the tokens for the constrained set of binary protocols which all tend to be in parallel architecture with web apis anyway.  

Phil

> On May 10, 2016, at 05:57, Justin Richer <jricher@mit.edu> wrote:
> 
> You’re missing my original complaint: Until this token can be directly encoded into web technologies, like HTTP headers and HTML pages, then it has no business being called a “Web” anything. As it is, it’s a binary encoding that would need an additional wrapper, like base64url perhaps, to be placed into web spaces. It can be used in CoAP and native CBOR structures as-is, which is what it’s designed to do. 
> 
> The “web” part of JWT is very important. A JWT can be used, as-is, in any part of an HTTP message: headers, query, form, etc. It can also be encoded as a string in other data structures in just about any language without any additional transformation, including HTML, XML, and JSON. This makes the JWT very “webby”, and this is a feature set that this new token doesn’t share. Ergo, it has no business being called a “web” token regardless of its heritage. 
> 
> Both CBOR Token and COSE Token are fine with me. 
> 
>  — Justin
> 
>> On May 10, 2016, at 3:50 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> 
>> I also feel strongly that the name should remain CBOR Web Token.  CWT is a beneficiary of the intellectual and deployment heritage from the Simple Web Token (SWT) and JSON Web Token (JWT).  CWT is intentionally parallel to JWT.  The name should stay parallel as well.
>>  
>> The “Web” part of the “CBOR Web Token” name can be taken as a reference to the Web of Things (see https://en.wikipedia.org/wiki/Web_of_Things).  As Erik correctly points out JSON is not the only data representation that makes things in the Web and the Web of Things.
>>  
>>                                                           -- Mike
>>  
>> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Erik Wahlström
>> Sent: Tuesday, May 10, 2016 1:44 AM
>> To: Justin Richer <jricher@mit.edu>
>> Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Kepeng Li <kepeng.lkp@alibaba-inc.com>; ace@ietf.org; Carsten Bormann <cabo@tzi.org>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; <oauth@ietf.org> <oauth@ietf.org>; cose <cose@ietf.org>
>> Subject: Re: [Ace] [COSE] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00
>>  
>> Or keep the CBOR Web Token (CWT) for two major reasons:
>> - To show the very close relationship to JWT. It relies heavily on JWT and it's iana registry. It is essentially a JWT but in CBOR/COSE instead of JSON/JOSE.
>> - I would not say that JWT is the only format that works for the web, and it's even used in other, non-traditional, web protocols. That means I don't have a problem with the W in CWT at all. Why would JSON be the only web protocol?
>>  
>> Then we also have one smaller (a lot smaller) reason, it's the fact that it can be called "cot" just like JWT is called a "jot" and I figured that our "cozy chairs" would very much like that fact because then it's essentially a "cozy cot" :)
>>  
>> / Erik
>>  
>>  
>> On Tue, May 10, 2016 at 2:49 AM, Justin Richer <jricher@mit.edu> wrote:
>> We can also call it the “COSE Token”. As a chair of the COSE working group, I’m fine with that amount of co-branding.
>> 
>>  — Justin
>> 
>> > On May 9, 2016, at 9:31 AM, Carsten Bormann <cabo@tzi.org> wrote:
>> >
>> >> draft-ietf-ace-cbor-token-00.txt;
>> >
>> > For the record, I do not think that ACE has a claim on the term "CBOR
>> > Token".  While the term token is not used in RFC 7049, there are many
>> > tokens that could be expressed in CBOR or be used in applying CBOR to a
>> > problem.
>> >
>> > ACE CBOR Token is fine, though.
>> > (Or, better, CBOR ACE Token, CAT.)
>> >
>> > Grüße, Carsten
>> >
>> > _______________________________________________
>> > COSE mailing list
>> > COSE@ietf.org
>> > https://www.ietf.org/mailman/listinfo/cose
>> 
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
> 
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email