- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Mon, 20 Jul 2015 00:12:12 -0400
- To: public-webpayments-ig@w3.org
On 07/19/2015 11:25 PM, Wendy Seltzer wrote:
> Would anyone be available to review this draft to provide comments
> to that WG? I sent the below ping to their list.

Digital Bazaar would be happy to do a review of the draft and provide comments. Note that we performed a review two years ago with unfavorable results (no changes, that we know of, were made to JOSE as a result):

http://manu.sporny.org/2013/sm-vs-jose/

Here were the takeaways from the prior review of JOSE:

* The Linked Data Signatures specification utilizes a much simpler approach than the JSON Web Algorithms specification while supporting the same level of algorithm agility.

* The Linked Data Signatures specification provides four major advantages over the JSON Web Key format: 1) the key information is expressed at a higher level, which makes it easier to work with for Web developers, 2) it allows key information to be discovered by dereferencing the key ID, 3) the key information can be published (and extended) in a variety of Linked Data formats, and 4) it provides the ability to assign ownership information to keys.

* The Linked Data Signatures specification's use of a native Linked Data format removes the requirement for a specification like JSON Web Token. As far as the Linked Data Signatures specification is concerned, there is just data, which you can then digitally sign and encrypt. This makes the data easier to work with for Web developers as they can continue to use their application data as-is instead of attempting to restructure it into a JSON Web Token.

* The major difference between the Linked Data Encryption and JSON Web Encryption specifications has to do with how the encryption parameters are specified as well as how many of them there can be. The Linked Data Encryption specification expresses only one encryption mechanism and outlines the algorithms and keys external to the message, which leads to a reduction in complexity. The JSON Web Encryption specification allows many more types of encryption schemes to be used, at the expense of added complexity.

* The Linked Data Signatures specification does not need to encode its payloads, but does require a normalization algorithm. It supports discovery of signature key data so that signatures can be verified using standard Web protocols. The JSON Web Signatures specification is more flexible from an algorithmic standpoint and simpler from a signature verification standpoint. The downside is that the only data input format must be from the message itself and can't be from an external Linked Data source, like an HTML+RDFa web page listing items for sale. Linked Data Signatures signatures are natively cross-format compatible, JSON Web Signatures are not.

The response thread to the prior review can be found here:

https://www.ietf.org/mail-archive/web/jose/current/msg03736.html

Linked Data Signatures
https://web-payments.org/specs/source/ld-signatures/

Linked Data Encryption
https://web-payments.org/specs/source/secure-messaging/#message-encryption-algorithm

Note that if the draft-jones-jose-jws-signing-input-options-00 spec were to continue, it would only partially address one of the issues above.

That said, we're happy to try doing a review again and see if this new approach that the JOSE group is suggesting would move us closer to converging. We're under a bit of a heavy workload at the moment, when would the review be due?

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Web Payments: The Architect, the Sage, and the Moral Voice
https://manu.sporny.org/2015/payments-collaboration/
Received on Monday, 20 July 2015 04:12:38 UTC
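The contrast drawn in the last bullet above, JWS signing the encoded message itself versus Linked Data Signatures signing a normalized form of the data and leaving the data as-is, as an added example that is not part of this e-mail or of either specification. HMAC-SHA256 stands in for the public-key signature primitive, canonical JSON (sorted keys, fixed separators) stands in for the normalization algorithm the Linked Data Signatures spec requires, the signature block's field names are assumed for the demo, and the document and key are constructed. The point it shows: after the signed data is re-serialized by a different JSON writer, the detached signature over the normalized form still verifies, while the JWS signature is bound to the exact encoded segment; tampering with a field still breaks both.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; stands in for the key material each spec would use
# (JWS: a JWK, Linked Data Signatures: a dereferenceable key ID).
KEY = b"demo-secret-key-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the signature primitive (HS256 in JWA terms).
    return hmac.new(KEY, data, hashlib.sha256).digest()


# --- JWS style: the signing input is the encoded message itself -----------

def jws_sign(payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    body = b64url(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{b64url(mac(signing_input))}"


def jws_verify(token: str) -> bool:
    header, body, sig = token.split(".")
    expected = mac(f"{header}.{body}".encode())
    return hmac.compare_digest(expected, b64url_decode(sig))


# --- LD Signatures style: sign a normalized form, keep the data as-is -----

def normalize(doc: dict) -> bytes:
    # Stand-in for the normalization algorithm the spec requires: any
    # serialization of the same data yields the same bytes.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def ld_sign(doc: dict) -> dict:
    signed = dict(doc)
    signed["signature"] = {                      # field names assumed for the demo
        "type": "HmacSha256Signature2015",
        "signatureValue": b64url(mac(normalize(doc))),
    }
    return signed


def ld_verify(signed: dict) -> bool:
    doc = {k: v for k, v in signed.items() if k != "signature"}
    expected = mac(normalize(doc))
    given = b64url_decode(signed["signature"]["signatureValue"])
    return hmac.compare_digest(expected, given)


def reserialize(doc: dict) -> dict:
    """Round-trip through a different JSON writer (reversed key order, extra
    whitespace), as an application re-emitting its own data might."""
    text = json.dumps(dict(reversed(list(doc.items()))), indent=2)
    return json.loads(text)


def demo() -> dict:
    # Constructed document; the @context URL is a placeholder.
    offer = {"@context": "https://example.org/context",
             "title": "Widget", "price": "9.99"}
    token = jws_sign(offer)
    ld = ld_sign(offer)

    # Re-serialize the JWS payload and reuse the original signature segment:
    # the encoded body changed, so the signature no longer matches.
    header, _body, sig = token.split(".")
    new_body = b64url(json.dumps(reserialize(offer)).encode())
    return {
        "jws_ok": jws_verify(token),
        "jws_reserialized_ok": jws_verify(f"{header}.{new_body}.{sig}"),
        "ld_ok": ld_verify(ld),
        "ld_reserialized_ok": ld_verify(reserialize(ld)),
        "ld_tampered_ok": ld_verify({**ld, "price": "0.01"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The verifier side is where the difference matters operationally: a JWS consumer must retain the exact encoded segments it received, whereas a Linked Data Signatures consumer can store, reorder or re-emit the document and still check the signature, at the cost of running the normalization step on every verification.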