[woes] WOES Charter Proposal

["Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>]

Web Object Encryption and Signing (woes)
========================================

Background
----------

JSON (an acronym for JavaScript Object Notation) is a text format for
the serialization of structured data. It is derived from the JavaScript
programming language for representing simple data structures and
associative arrays, called objects. Despite its relationship to
JavaScript, it is language-independent, with parsers available for
almost every programming
language.

The JSON format is described in RFC 4627 and builds on two structures:
* A collection of name/value pairs. In various languages, this is
realized as an object, record, struct, dictionary, hash table, keyed
list, or associative array.
* An ordered list of values. In most languages, this is realized as an
array, vector, list, or sequence.

The JSON format is often used for serializing and transmitting
structured data over a network connection. It was initially used in the
Web environment to transmit data between a server and web application,
serving as an alternative to XML. Now, JSON is being used in various
other protocols as well.

With the increased usage of JSON in protocols there is now also the
desire to offer security services, such as encryption, and message
signing, for JSON encoded data. Different proposals for providing these
security services have been defined and implemented.  Examples are: JSON
Web Token [JWT], Simple Web Tokens [SWT], Magic Signatures
[MagicSignatures], JSON Simple Sign [JSS], JavaScript Message Security
Format [JSMS]. 

This working group aims to develop specifications to standardize these
security services for JSON encoded data to improve interoperability, and
to increase confidence in the offered security functionality based on
the expert review process utilized in the IETF. Future work in the group
may offer support for other security services. Re-chartering of the
group is, however, required.

This working group aims to re-use well-defined concepts from
Cryptographic Message Syntax
(CMS) [CMS], XML Digital Signature [XMLDSIG] and XML Encryption [XMLENC]
since the group aims to develop a JavaScript-developer-friendly
JSON-equivalent for CMS. 

Since this work is within the realm of the security domain respective
experts will be involved. 

References
----------

[JWT] M. Jones, et al. "JSON Web Signature (JWS)",
draft-jones-json-web-signature-01 (work in progress), Mar. 2011.

[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign",
September 2010.

[MagicSignatures] Panzer (editor), J., Laurie, B., and D. Balfanz,
"Magic Signatures", August 2010.

[SWT] Hardt, D. and Y. Goland, "Simple Web Token (SWT)", Version
0.9.5.1, November 2009.

XMLDIG] W3C, "XML Signature Syntax and Processing (Second Edition)",
available at
http://www.w3.org/TR/xmldsig-core/, Jun. 2008. 

[XMLENC] W3C, "XML Encryption Syntax and Processing", available at
http://www.w3.org/TR/xmlenc-core/, Dec. 2002.

[CMS]  R. Housley, "Cryptographic Message Syntax", RFC 3852, Jul. 2004. 

[JSMS] E. Rescorla, J. Hildebrand, "JavaScript Message Security Format",
draft-rescorla-jsms-00 (work in progress), Mar. 2011.

Deliverables
------------

This group is chartered to work on two documents: 

1) A Standards Track document specifying how to apply a digital
signature and a keyed message digest to 
JSON encoded data.

2) A Standards Track document illustrating how to encrypt JSON encoded
data. 

Goals and Milestones
--------------------

Aug 2011    Submit JSON object signing document as a WG item.

Aug 2011    Submit JSON object encryption document as a WG item.

Mar 2012    Start Working Group Last Call on JSON object signing
document.

Mar 2012    Start Working Group Last Call on JSON object encryption
document.

Apr 2012    Submit JSON object signing document to IESG for
consideration as
Standards Track document.

Apr 2012    Submit JSON object encryption document to IESG for
consideration
as Standards Track document.