RE: FW: JOSE -19 drafts intended for Working Group Last Call

You’re welcome.

For context, this is less “gross” than overloading the existing simple “use” field with comma-separated strings such as “signOnly,verifyOnly”, which I believe is the current WebCrypto WG proposal.  And it doesn’t break the deployments that are already in production using “use” as-is.

                                                            -- Mike

From: Ryan Sleevi [mailto:sleevi@google.com]
Sent: Sunday, December 29, 2013 12:05 PM
To: Mike Jones
Cc: public-webcrypto@w3.org
Subject: Re: FW: JOSE -19 drafts intended for Working Group Last Call


Thanks for the quick work, Mike.

It does seem that there is still active discussion in JOSE on this, with Richard Barnes offering a very compelling counter proposal. Individually, I still have concerns that this introduces something "gross" (as far as spec taste and ambiguity goes), but if JOSE is inflexible on backwards compatibility, a path forward. I think Richard's would be a much cleaner solution, but I'll try to keep that discussion centered in JOSE.

This would be a very important time for WebCrypto contributors, consumers, and implementors to raise points with JOSE if we want to actually see a round peg fit the round hole, rather than trying to shove a square peg through. Please do contribute to the discussions in the IETF.

On Dec 29, 2013 11:57 AM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
FYI, the “use_details” JSON Web Key (JWK) field, which directly uses the WebCrypto KeyUsage array values, is now in the JWK spec.  See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-19#section-3.3.  And as also previously discussed, the “Implementation Requirements” algorithm registry fields have been renamed to “JOSE Implementation Requirements” to make it clear that these requirements apply only to JWS and JWE implementations – not to all uses of the algorithms.  See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-19#section-7.1.


I believe that together, these changes unblock any issues for WebCrypto to directly use JWK.

                                                            -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Sunday, December 29, 2013 4:49 AM
To: jose@ietf.org
Cc: Sean Turner
Subject: [jose] JOSE -19 drafts intended for Working Group Last Call

JSON Object Signing and Encryption (JOSE) -19 drafts have been published that address all my remaining to-do items for the open issues.  I believe the remainder of the issues are either ready to close because of actions already taken in the drafts (the majority of them), require further input to identify any specific remaining proposed actions, if any (a few of them), or will be considered during Working Group Last Call (a few of them).  Only editorial changes and one addition were made – no breaking changes.

In short, I believe I have addressed everything needed to bring us to Working Group Last Call for the JWS, JWE, JWK, and JWA specs.  (Chairs and Sean, please let me know whether you agree or whether you believe anything else remains to be done before WGLC.)

The one addition was to add the optional “use_details” JWK field, as discussed on the JOSE list and the WebCrypto list.  While I realize that this proposal hasn’t gotten much review yet (I believe due to the holidays), I wanted to get it in so people can review it in context, and as a concrete step towards meeting a perceived need for additional JWK functionality from the WebCrypto working group.  It’s cleanly separable from the rest of the spec, so if the JOSE WG ends up hating it, we can always take it back out and possibly move it to a separate spec.  But at least we have a concrete write-up of it now to review.

I also made a one-paragraph change to the JSON Web Token (JWT) spec to reference text in JWE, rather than duplicating it in JWT.

See the History entries for details of the (small number of) changes made.

The drafts are available at:

•        http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19
•        http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-19
•        http://tools.ietf.org/html/draft-ietf-jose-json-web-key-19
•        http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-19
•        http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14


HTML formatted versions are also available at:

•        http://self-issued.info/docs/draft-ietf-jose-json-web-signature-19.html
•        http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-19.html
•        http://self-issued.info/docs/draft-ietf-jose-json-web-key-19.html
•        http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-19.html
•        http://self-issued.info/docs/draft-ietf-oauth-json-web-token-14.html


                                                            -- Mike

Received on Sunday, 29 December 2013 20:34:18 UTC