Re: Digital Signatures for Credentials

On 11/21/2014 06:20 AM, Manu Sporny wrote:
> On 11/20/2014 09:34 PM, Harry Halpin wrote:
>> +1. That's why there is not a debate - it's out of scope for Social 
>> WG.
> 
> You said:
> 
> 1. "For the Social Web WG, as regards JSON, we will use JOSE"
> 2. "I think the Social WG will use JOSE for all existing and
>     future Web standards in this space"
> 
> There is disagreement with both of those statements. That is the debate.
> 
> The debate is not whether or not Social Web WG will take up the Graph
> Normalization or SM work. It's that a W3C staffer has seemed to imply
> that JOSE is going to be railroaded through the Social Web WG.

Yes, because W3C work that is going on a normative track (Rec-track) in
general (such as the Social Web work) cites other normative standards,
particularly for something as relatively basic as digital signatures.
This applies to *any* W3C Recommendation at the current time. If Social
Web work is normatively dependent on SM, it would not be able to
progress through Rec track. The IETF has a normative standard for
digital signatures for JSON, i.e. JOSE.

I have already redirected you to where the parts of SM that are relevant
can go. Good luck!

I would also hold that widespread security review is exceptionally
important in terms of security-related standards. JOSE has had that,
while SM at the time had various objections. I suggest returning to JOSE
and arguing your use-cases around 1) default and 2) clear-text signatures.

> 
>> I doubt at least any signature-facing parts of such work would be 
>> standardized in *any* W3C WG without objections from the IETF given 
>> the obvious overlap.
> 
> I expect there to be objections if the work goes forward. Approaching
> the JOSE group last year did not lead to even an acknowledgment of the
> problems inherent in JOSE. The JOSE group is committed to JOSE, which is
> as expected. W3C has a rich history of competing specifications - XHTML2
> vs. HTML5, RDFa vs. Microdata, JSON-LD vs. RDF/JSON, etc.

And these have been a catastrophe for developers and have led to
unnecessary fragmentation of the Open Web Platform, which is what we are
trying to avoid in standards in the first place :)

Also, in general we do not have a rich history of competing
specifications with the IETF, for which the Internet should be thankful
- and the few cases where this has happened (URL debate) have also been
similarly considered failures.

> 
>> It's my job to say what is in and out of scope as W3C staff and as 
>> author of the charter, which took many months of consensus work to 
>> come to agreement at the AC.
> 
> Again, I agree with your read on the charter. I'm taking exception with
> you saying these two things:
> 
> 1. "For the Social Web WG, as regards JSON, we will use JOSE"
> 2. "I think the Social WG will use JOSE for all existing and
>     future Web standards in this space"

We will use *normative standards* for digital signatures in particular
because they have had wide-spread security review, implementation, and
adoption. SM has neither normative status nor widespread security
review, while JOSE has both. Thus, I see no problem with JOSE for reasons
iterated earlier. If you have problems, please bring them up with JOSE.

> 
>> It is also highly inappropriate to confuse the IETF about the formal
>> status of the "Secure Messaging" work at the W3C 
> 
> The specification clearly says "Community Group Draft Report" and always
> has:
> 
> https://web-payments.org/specs/source/secure-messaging/
> 
>> by not mentioning 
>> that you are chair of a *Community* Group (i.e. no formal W3C 
>> standing) and that the objections you had to SM came from you as an 
>> individual or a Community Group, not the W3C.
> 
> For those that don't want to read the threads to figure out what Harry
> is referring to:
> 
> 1. I was asked by Karen O'Donoghue and Richard Barnes to send my
>    review comments on the JOSE specs to the JOSE mailing list.
> 2. I did that, but failed to be precise about my affiliations
>    (which was a mistake on my part).
> 3. Harry sent an email 1 hour and 15 minutes later to clear things up.

Yes, because you were also imprecise at the face-to-face at TPAC in 2013
- and at events like the IGF 2013. W3C staff has numerous times asked
you to correctly state the normative status of your work and state your
role more precisely, as being unclear can and has caused confusion.
Other members and folks at the IETF have also had to ask the W3C staff
to tell you to be more precise. Please do so in the future.

Manu, I understand you have lots of time for discussing things that are
out-of-scope items. I would prefer the Social Web WG focus on our
deliverables. Thus, please continue your work to mature SM, or move
your discussion of SM to the JOSE WG.

    cheers,
        harry


> 
> -- manu
> 

Received on Friday, 21 November 2014 10:41:03 UTC