RE: FW: JOSE -19 drafts intended for Working Group Last Call

On Dec 29, 2013 12:33 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
>
> You’re welcome.
>
>
>
> For context, this is less “gross” than overloading the existing simple
> “use” field with comma-separated strings such as “signOnly,verifyOnly”,
> which I believe is the current WebCrypto WG proposal.  And it doesn’t break
> the deployments that are already in production using “use” as-is.
>

It's Mark's proposal, but much like your proposal doesn't imply consensus
in JOSE, Mark's doesn't represent consensus here, so I do not think it fair
to present it as the WG's solution.

That said, Mark's proposal was first and foremost as treating use as an
array is certainly the best for WebCrypto, and elegantly simple. Only if
you see backwards compatibility as a non-negotiable does it begin to go
comma separated.
Richard's proposal is a reasonable balance of purity and B/C preserving
behavior.

>
>
>                                                             -- Mike
>
>
>
> From: Ryan Sleevi [mailto:sleevi@google.com]
> Sent: Sunday, December 29, 2013 12:05 PM
> To: Mike Jones
> Cc: public-webcrypto@w3.org
> Subject: Re: FW: JOSE -19 drafts intended for Working Group Last Call
>
>
>
> Thanks for the quick work, Mike.
>
> It does seem that there is still active discussion in JOSE on this, with
> Richard Barnes offering a very compelling counter proposal. Individually, I
> still have concerns that this introduces something "gross" (as far as spec
> taste and ambiguity goes), but if JOSE is inflexible on backwards
> compatibility, a path forward. I think Richard's would be a much cleaner
> solution, but I'll try to keep that discussion centered in JOSE.
>
> This would be a very important time for WebCrypto contributors,
> consumers, and implementors to raise points with JOSE if we want to
> actually see a round peg fit the round hole, rather than trying to shove a
> square peg through. Please do contribute to the discussions in the IETF.
>
> On Dec 29, 2013 11:57 AM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
>
> FYI, the “use_details” JSON Web Key (JWK) field, which directly uses the
> WebCrypto KeyUsage array values, is now in the JWK spec.  See
> http://tools.ietf.org/html/draft-ietf-jose-json-web-key-19#section-3.3.
> And as also previously discussed, the “Implementation Requirements”
> algorithm registry fields have been renamed to “JOSE Implementation
> Requirements” to make it clear that these requirements apply only to JWS
> and JWE implementations – not to all uses of the algorithms.  See
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-19#section-7.1.
>
>
>
> I believe that together, these changes unblock any issues for WebCrypto
> to directly use JWK.
>
>
>
>                                                             -- Mike
>
>
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Sunday, December 29, 2013 4:49 AM
> To: jose@ietf.org
> Cc: Sean Turner
> Subject: [jose] JOSE -19 drafts intended for Working Group Last Call
>
>
>
> JSON Object Signing and Encryption (JOSE) -19 drafts have been published
> that address all my remaining to-do items for the open issues.  I believe
> the remainder of the issues are either ready to close because of actions
> already taken in the drafts (the majority of them), require further input
> to identify any specific remaining proposed actions, if any (a few of
> them), or will be considered during Working Group Last Call (a few of
> them).  Only editorial changes and one addition were made – no breaking
> changes.
>
>
>
> In short, I believe I have addressed everything needed to bring us to
> Working Group Last Call for the JWS, JWE, JWK, and JWA specs.  (Chairs and
> Sean, please let me know whether you agree or whether you believe anything
> else remains to be done before WGLC.)
>
>
>
> The one addition was to add the optional “use_details” JWK field, as
> discussed on the JOSE list and the WebCrypto list.  While I realize that
> this proposal hasn’t gotten much review yet (I believe due to the
> holidays), I wanted to get it in so people can review it in context, and as
> a concrete step towards meeting a perceived need for additional JWK
> functionality from the WebCrypto working group.  It’s cleanly separable
> from the rest of the spec, so if the JOSE WG ends up hating it, we can
> always take it back out and possibly move it to a separate spec.  But at
> least we have a concrete write-up of it now to review.
>
>
>
> I also made a one-paragraph change to the JSON Web Token (JWT) spec to
> reference text in JWE, rather than duplicating it in JWT.
>
>
>
> See the History entries for details of the (small number of) changes made.
>
>
>
> The drafts are available at:
>
> ·        http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19
>
> ·        http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-19
>
> ·        http://tools.ietf.org/html/draft-ietf-jose-json-web-key-19
>
> ·        http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-19
>
> ·        http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14
>
>
>
> HTML formatted versions are also available at:
>
> ·        http://self-issued.info/docs/draft-ietf-jose-json-web-signature-19.html
>
> ·        http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-19.html
>
> ·        http://self-issued.info/docs/draft-ietf-jose-json-web-key-19.html
>
> ·        http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-19.html
>
> ·        http://self-issued.info/docs/draft-ietf-oauth-json-web-token-14.html
>
>
>
>                                                             -- Mike
>
>

Received on Sunday, 29 December 2013 20:39:56 UTC