Re: ACTION-92 | JOSE Use Case

On Jul 8, 2013, at 9:04 PM, Mike Jones wrote:

> I'd be fine with describing the use case as "It MUST be possible to implement a complete JOSE implementation on WebCrypto, provided that the underlying WebCrypto implementation implements the JOSE MTI algorithms."
> 

The use cases document isn't really normative, so RFC2119 keywords like "MUST" won't really be useful in it. The way I see it is that JOSE is not a "crypto spec" but rather a (very very useful) encoding of crypto parameters. These encoded parameters are used within an application, but the underlying system upon which the application runs (in our case, a browser) is ultimately responsible for the implementation of algorithms. The use of such an encoding makes at best an optimistic assumption about the underlying implementation. We should coax developers to use the aspects of JOSE we actually think will work well.

The use cases document mentions use of JWT for assertions (as in the BrowserID case), AND lists JWK as a first-class citizen of the requirements list within the use cases (for instance, for importing public keys across the web).  Why not be explicit and safe, and have a use cases document that's pragmatic?  By explicitly listing "JWK" as a requirement (which I think is mandatory) and by also showing code using JWT, I think we're doing the right thing here.

Of course, further use cases which describe an application (e.g. like BrowserID, or Signed WebMail, or something of that sort) which also leverage the JOSE formats, would be MORE than welcome :-)  Contributions warmly solicited!

-- A*

Received on Tuesday, 9 July 2013 14:22:30 UTC