Re: Digital Signatures for Credentials from Harry Halpin on 2014-11-21 (public-socialweb@w3.org from November 2014)

From: Harry Halpin <hhalpin@w3.org>
Date: Fri, 21 Nov 2014 03:34:45 +0100
To: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org, public-socialweb@w3.org, Stéphane Boyera <boyera@w3.org>
Message-ID: <546EA4C5.3070303@w3.org>
On 11/21/2014 03:02 AM, Manu Sporny wrote:
> On 11/19/2014 02:30 PM, Harry Halpin wrote:
>> There is no debate. JOSE is a standard for JSON that has had high 
>> review and adoption from the IETF. SM is a proposed specification 
>> from a Community Group for RDF that is out of scope for the Social 
>> Web WG, although conceivably some future WG at the IETF could find 
>> their normalization algorithm useful.
> 
> It's not the place of a W3C staff contact to declare victory and shut
> down a debate. You're overstepping your authority, Harry.
> 
> Clearly, people are arguing about JOSE vs. SM. There is a debate, even
> if you don't want there to be one.
> 
> Here are the points where I agree with you:
> 
> * Standardizing SM via Social Web WG is clearly out of scope of the
>   charter. No one has asked Social Web WG to take on that work.
> * The RDF Graph Normalization stuff will happen in a group that cares
>   about that sort of thing, not in the Social Web WG.
> * It's probably not worth debating whether or not RDF Graph
>   Normalization or SM is going to happen in the Social Web WG.

+1. That's why there is not a debate - it's out of scope for Social WG.

I'm also saying baking a standard that directly overlaps with an IETF
standard the W3C has an active liaison with is not a good idea - that
goes for any standard, not just SM. If you feel otherwise, please feel
to consult with the rest of W3C, Stephane etc. would agree. I doubt at
least any signature-facing parts such work would be standardized in
*any* W3C WG without objections from the IETF given the obvious overlap.

If you wish to keep pushing for some kind of 'algorithm signature
defaults' and clear text signatures that do not go over base-64
encoding, which there could be some use-cases for, I recommend
separating those use-cases from the RDF-centric work and going back to
JOSE with those modular use-cases rather than 'competing'
pre-specification.

> 
> However, stating that JOSE is the obvious choice for digital signatures
> in the Social Web WG, the Web Payments CG, the Credentials CG, the
> Linked Data Platform, or even the Web Payments IG is very far from
> reality and you'll find that there will be considerable push-back if the
> Social Web WG tries to railroad the use of JOSE through on something
> that touches Linked Data.
> 
>> For the Social Web WG, as regards JSON, we will use JOSE as SM is out
>> of scope as its not part of our deliverables. If another WG 
>> standardizes SM (which I would be doubtful of), then I'm happy to 
>> reconsider.
> 
> It's not for you alone to decide which digital signature mechanism the
> Social Web WG is going to use. W3C operates on consensus, and there is
> currently no consensus on which digital signature mechanism would be
> best. It's highly inappropriate of a W3C staff contact (you) to assert
> that a group /will/ use a particular technology, especially when that
> very "decision" is being challenged by multiple people in the community.


Rather than argue, I have redirected you to the right places where that
argument is actually within scope. This argument is out of scope for the
Social Web WG. It's my job to say what in and out of scope as W3C staff
and as author of the charter, which took many months of consensus work
to come to agreement at the AC.

A "digital signature" mechanism is not in the charter as a deliverable
of a Social Web WG (nor would it be), nor would I see any reason to use
a non-standardized one when the IETF has already produced such a
standard. As outlined earlier, the compelling technical reason is the
use of RDF, which is a non-starter given we are focused normatively on
JSON, so non-JSON alternative RDF syntaxes are also out of scope, as
we've discussed already in WG. The other reasons are not compelling but
you could put them by IETF JOSE to see their reaction.

It is also highly inappropriate to confuse the IETF about the formal
status of the "Secure Messaging" work at the W3C by not mentioning that
you are chair of a *Community* Group (i.e. no formal W3C standing) and
that the objections you had to SM came from you as an individual or a
Community Group, not the W3C.

https://www.ietf.org/mail-archive/web/jose/current/msg03736.html

General response from fairly negative, but doesn't mean you can't try again:
https://www.ietf.org/mail-archive/web/jose/current/msg03782.html

Note confusion had to be clarified that this was not a W3C spec, as we
were in middle of supporting JOSE in WebCrypto, as was Persona at the time:

https://www.ietf.org/mail-archive/web/jose/current/msg03738.html

I would prefer not keep repeating this cycle - as would a number of W3C
members and people at the IETF.

   cheers,
        harry



> 
> -- manu
>
Received on Friday, 21 November 2014 02:34:55 UTC