Re: [woes] First draft of JSON Web Encryption (JWE) spec published

"Thomson, Martin" <Martin.Thomson@commscope.com> Wed, 07 September 2011 06:15 UTC

Return-Path: <Martin.Thomson@commscope.com>
X-Original-To: woes@ietfa.amsl.com
Delivered-To: woes@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81D7021F8C34 for <woes@ietfa.amsl.com>; Tue, 6 Sep 2011 23:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.631
X-Spam-Level:
X-Spam-Status: No, score=-2.631 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQUQCouHF9rf for <woes@ietfa.amsl.com>; Tue, 6 Sep 2011 23:15:00 -0700 (PDT)
Received: from cdcsmgw02.commscope.com (fw.commscope.com [198.135.207.129]) by ietfa.amsl.com (Postfix) with ESMTP id 51D9621F8C36 for <woes@ietf.org>; Tue, 6 Sep 2011 23:15:00 -0700 (PDT)
X-AuditID: 0a0404e9-b7cd4ae000004b3f-8e-4e670c4badb9
Received: from ACDCE7HC1.commscope.com ( [10.86.20.102]) by cdcsmgw02.commscope.com (Symantec Brightmail Gateway) with SMTP id 68.C2.19263.B4C076E4; Wed, 7 Sep 2011 01:16:43 -0500 (CDT)
Received: from CDCE10HC1.commscope.com (10.86.28.21) by ACDCE7HC1.commscope.com (10.86.20.102) with Microsoft SMTP Server (TLS) id 8.3.159.2; Wed, 7 Sep 2011 01:16:43 -0500
Received: from SISPE7HC1.commscope.com (10.97.4.12) by CDCE10HC1.commscope.com (10.86.28.21) with Microsoft SMTP Server (TLS) id 14.1.270.1; Wed, 7 Sep 2011 01:16:43 -0500
Received: from SISPE7MB1.commscope.com ([fe80::9d82:a492:85e3:a293]) by SISPE7HC1.commscope.com ([fe80::8a9:4724:f6bb:3cdf%10]) with mapi; Wed, 7 Sep 2011 14:16:38 +0800
From: "Thomson, Martin" <Martin.Thomson@commscope.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "woes@ietf.org" <woes@ietf.org>
Date: Wed, 7 Sep 2011 14:16:37 +0800
Thread-Topic: First draft of JSON Web Encryption (JWE) spec published
Thread-Index: AcxtF+lzVYs2di5FQHC5saaCF9soogACmqsQ
Message-ID: <27AFD040F6F8AA4193E0614E2E3AF9C910CE60903C@SISPE7MB1.commscope.com>
References: <4E1F6AAD24975D4BA5B16804296739435B782D23@TK5EX14MBXC203.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435B782D23@TK5EX14MBXC203.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Cc: Nat Sakimura <nat@sakimura.org>
Subject: Re: [woes] First draft of JSON Web Encryption (JWE) spec published
X-BeenThere: woes@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Web Object Encryption and Signing \(woes\) BOF discussion list" <woes.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/woes>, <mailto:woes-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/woes>
List-Post: <mailto:woes@ietf.org>
List-Help: <mailto:woes-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/woes>, <mailto:woes-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 06:15:01 -0000

Or to add another link for the rest of us:

http://tools.ietf.org/html/draft-jones-json-web-encryption

I found the presentation to be a little sketchy.  The table is difficult to parse.  I think that the table is constraining how you describe the parameters, and I'm concerned that underspecification here will hurt.  The second and third columns don't seem to add much over the description (the second column is all "string").  I'd suggest that you give each parameter a numbered section.  That way, they appear in the TOC.

The x5u parameter identifies what exactly?  Is it the URI for a resource that, upon retrieval (e.g., HTTP GET), produces an X.509 certificate (chain)?  I think that's what you mean.  The example seems to use base64url encoding, which seems pointless.

"Utilizing TLS" also needs to be expanded.  You obviously need to ensure that the authority providing the resource is authenticated and that the representation you retrieve is free from modification, so say that.

The "typ" parameter seems a little underspecified.

The epk parameter isn't a string by its description, though the table indicates that it is.  ...unless you wanted to base64url encode the JSON object.

The alg and enc parameters use StringOrURI as their definition.  There are no URIs defined for either.  I suspect that there is something in there you are wanting to get at, but I recommend that just "String" is sufficient.  After all, someone is going to have to decide if "alg": "http://foo" is equal to "alg": "HTTP://FOO" and I don't want to have to be that guy.  Saying that you character-wise compare the strings for equality is really, really good.

That doesn't preclude the definition of a scheme where URIs are used to prevent collisions in the namespace, but I suspect that your existing text on public/private use of codes is sufficient.

BTW, I like your decision to make all parameters mandatory.  This is less a concern with encryption as it is with signature, but it seems like it's better to be consistent across the two.

--Martin

On 2011-09-07 at 14:37:56, Mike Jones wrote:
> I'm pleased to announce the publication of the first draft 
> <http://self-issued.info/docs/draft-jones-json-web-encryption-00.html>
> of the JSON Web Encryption (JWE)
> <http://self-issued.info/docs/draft-jones-json-web-encryption.html>
> specification. It enables JSON-based encryption of content in a 
> parallel manner to how the JSON Web Signature (JWS) <http://self- 
> issued.info/docs/draft-jones-json-web-signature.html>
> specification enables JSON-based signing of content.
> 
> My thanks to John Bradley, Nat Sakimura, Eric Rescorla, and Joe 
> Hildebrand for helping make this initial version a reality!
> 
> The specification is available at these locations:
> 
> *
> http://www.ietf.org/internet-drafts/draft-jones-json-web-encryption-
> 00.t
> xt
> 
> *
> http://www.ietf.org/internet-drafts/draft-jones-json-web-encryption-
> 00.x
> ml
> 
> *
> http://self-issued.info/docs/draft-jones-json-web-encryption-00.html
> 
> *
> http://self-issued.info/docs/draft-jones-json-web-encryption-00.txt
> 
> *
> http://self-issued.info/docs/draft-jones-json-web-encryption-00.xml
> 
> *
> http://self-issued.info/docs/draft-jones-json-web-encryption.html
> (will point to new versions as they are posted)
> 
> *
> http://self-issued.info/docs/draft-jones-json-web-encryption.txt (will 
> point to new versions as they are posted)
> 
> *
> http://self-issued.info/docs/draft-jones-json-web-encryption.xml (will 
> point to new versions as they are posted)
> 
> *
> http://svn.openid.net/repos/specifications/json_web_encryption/1.0/
> (Subversion repository, with html, txt, and html versions available)
> 
> 
> 
> I also posted about this at http://self-issued.info/?p=538 
> <http://self-issued.info/?p=538> .
> 
> 
> 
>                                                             -- Mike
> 
>