RE: ACTION-92 | JOSE Use Case from Mike Jones on 2013-07-09 (public-webcrypto@w3.org from July 2013)

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Tue, 9 Jul 2013 01:04:18 +0000
To: Ryan Sleevi <sleevi@google.com>
CC: Arun Ranganathan <arun@mozilla.com>, "Web Cryptography Working Group (public-webcrypto@w3.org)" <public-webcrypto@w3.org>
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B6A6AA5@TK5EX14MBXC283.redmond.corp.microsoft.>

I'd be fine with describing the use case as "It MUST be possible to implement a complete JOSE implementation on WebCrypto, provided that the underlying WebCrypto implementation implements the JOSE MTI algorithms."

					-- Mike

-----Original Message-----
From: Ryan Sleevi [mailto:sleevi@google.com] 
Sent: Monday, July 08, 2013 5:59 PM
To: Mike Jones
Cc: Arun Ranganathan; Web Cryptography Working Group (public-webcrypto@w3.org)
Subject: Re: ACTION-92 | JOSE Use Case

That is, mandatory to implement, not MTA.

On Mon, Jul 8, 2013 at 5:58 PM, Ryan Sleevi <sleevi@google.com> wrote:
> Mike,
>
> Given that JOSE has MTA algorithms, I'm not sure that's possible to 
> guarantee. I don't think it's a reasonable spec restriction, as much 
> as it is a reasonable goal.
>
> On Mon, Jul 8, 2013 at 5:56 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> That's part of it.  But I would make sure that there is a section in the Use Cases document that states that it should be possible to build a complete JOSE implementation using the WebCrypto APIs.  That's the core of the JOSE use case.
>>
>>                                 Thanks,
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: Arun Ranganathan [mailto:arun@mozilla.com]
>> Sent: Monday, July 08, 2013 6:57 AM
>> To: Web Cryptography Working Group (public-webcrypto@w3.org)
>> Subject: ACTION-92 | JOSE Use Case
>>
>> I think I can close ACTION-92 assigned to me, which is to account for the JOSE use case.
>>
>> A few observations:
>>
>> 1. The "JOSE use case" is actually the API's consumption of "JWK" in import/export.  Everything else is an application layer consideration (and the use cases document makes mention of the use of JWT for assertions, for example).  By stipulating a use case that allows for import (and export) in JWK format, I think the JOSE use case is accounted for.
>>
>> Since the remaining JOSE formats are not directly "natively" consumed by the API, I don't think they constitute a use case (and in fact can already be used by JavaScript web applications).
>>
>> Mike: please let me know if you disagree.
>>
>> 2. I think the WebCrypto API's CryptoOperationData should include the possibility of JWK as JSON.  Maybe:
>>
>> typedef (ArrayBuffer or ArrayBufferView or DOMString) 
>> CryptoOperationData;
>>
>> But we should restrict it to be used only for import/export.
>>
>> The use cases document is: 
>> https://dvcs.w3.org/hg/webcrypto-usecases/raw-file/4ee6bd222b1c/Overview.html
>>

Received on Tuesday, 9 July 2013 01:05:08 UTC