Re: [External Reviews] IETF JOSE WG seeking review of drafts - was Re: IETF JOSE WG seeking review of drafts

The review requested is of specific JOSE drafts, namely,
https://tools.ietf.org/id/draft-jones-jose-jws-signing-input-options-00.txt
(and, if of interest,
https://tools.ietf.org/id/draft-jones-jose-key-managed-json-web-signature-01.txt
)

On 07/20/2015 08:49 AM, David Ezell wrote:
> Thanks Wendy and Manu:
> I'm moving this thread to External Reviews - that TF can schedule discussion independently of the IG if needed.
> 
> I would prefer (it's not mandatory) that we respond to IETF as a group as we did to the comments from X9.

The IETF's JOSE WG has concluded its other work, and will conclude
without issuing these drafts as RFCs unless people come forward to work
on them. So, if these drafts look useful, or look as though they'd be
useful with minor changes, then please review and respond. If they look
as though they'd require major redesign to do anything useful, then JOSE
is probably not looking to reopen the box that far. I forwarded because
I thought the signing-input-options draft might be responsive to some of
the concerns I had heard in NYC about using JOSE for message signing. At
this stage, I'd say that individual responses are adequate -- it's far
from a WG Last Call.

--Wendy

> Best regards,
> David
> 
> -----Original Message-----
> From: Manu Sporny [mailto:msporny@digitalbazaar.com]
> Sent: Monday, July 20, 2015 12:12 AM
> To: public-webpayments-ig@w3.org
> Subject: Re: IETF JOSE WG seeking review of drafts
> 
> On 07/19/2015 11:25 PM, Wendy Seltzer wrote:
>> Would anyone be available to review this draft to provide comments to
>> that WG? I sent the below ping to their list.
> 
> Digital Bazaar would be happy to do a review of the draft and provide comments. Note that we performed a review two years ago with unfavorable results (no changes, that we know of, were made to JOSE as a result):
> 
> http://manu.sporny.org/2013/sm-vs-jose/
> 
> Here were the takeaways from the prior review of JOSE:
> 
> * The Linked Data Signatures specification utilizes a much simpler approach than the JSON Web Algorithms specification while supporting the same level of algorithm agility.
> 
> * The Linked Data Signatures specification provides four major advantages over the JSON Web Key format: 1) the key information is expressed at a higher level, which makes it easier to work with for Web developers, 2) it allows key information to be discovered by dereferencing the key ID, 3) the key information can be published (and extended) in a variety of Linked Data formats, and 4) it provides the ability to assign ownership information to keys.
> 
> * The Linked Data Signatures specification's use of a native Linked Data format removes the requirement for a specification like JSON Web Token. As far as the Linked Data Signatures specification is concerned, there is just data, which you can then digitally sign and encrypt. This makes the data easier to work with for Web developers as they can continue to use their application data as-is instead of attempting to restructure it into a JSON Web Token.
> 
> * The major difference between the Linked Data Encryption and JSON Web Encryption specifications has to do with how the encryption parameters are specified as well as how many of them there can be. The Linked Data Encryption specification expresses only one encryption mechanism and outlines the algorithms and keys external to the message, which leads to a reduction in complexity. The JSON Web Encryption specification allows many more types of encryption schemes to be used, at the expense of added complexity.
> 
> * The Linked Data Signatures specification does not need to encode its payloads, but does require a normalization algorithm. It supports discovery of signature key data so that signatures can be verified using standard Web protocols. The JSON Web Signatures specification is more flexible from an algorithmic standpoint and simpler from a signature verification standpoint. The downside is that the only data input format must be from the message itself and can’t be from an external Linked Data source, like an HTML+RDFa web page listing items for sale. Linked Data Signatures signatures are natively cross-format compatible, JSON Web Signatures are not.
> 
> The response thread to the prior review can be found here:
> https://www.ietf.org/mail-archive/web/jose/current/msg03736.html
> 
> Linked Data Signatures
> https://web-payments.org/specs/source/ld-signatures/
> 
> Linked Data Encryption
> https://web-payments.org/specs/source/secure-messaging/#message-encryption-algorithm
> 
> Note that if the draft-jones-jose-jws-signing-input-options-00 spec were to continue, it would only partially address one of the issues above.
> That said, we're happy to try doing a review again and see if this new approach that the JOSE group is suggesting would move us closer to converging.
> 
> We're under a bit of a heavy workload at the moment, when would the review be due?
> 
> -- manu
> 
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc.
> blog: Web Payments: The Architect, the Sage, and the Moral Voice https://manu.sporny.org/2015/payments-collaboration/
> 
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Monday, 20 July 2015 14:16:12 UTC
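The thread above contrasts Linked Data Signatures, which sign normalized data without encoding it, with JWS, whose signing input is built from the base64url-encoded header and payload, and it mentions the signing-input-options draft as a partial answer to that point. The following is an added example, not code from this thread, from Digital Bazaar, or from the JOSE WG: it builds a JWS compact serialization with HS256 in both the standard encoded form and the unencoded-payload form (the "b64" header parameter, which is what the signing-input-options work was later published as in RFC 7797), and it shows two checks a verifier has to make for the unencoded form: "b64" must be listed in "crit", and any critical extension the verifier does not understand must cause rejection. The key, the payloads and the set of known critical extensions are constructed for the example.

```python
"""Added example: JWS signing input with and without base64url payload encoding."""
import base64
import hashlib
import hmac
import json

# Critical header extensions this verifier understands (assumption for the example).
KNOWN_CRIT = {"b64"}


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_header(protected: dict) -> str:
    return b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))


def signing_input(header_seg: str, payload_seg: str) -> bytes:
    """JWS Signing Input is always <header segment> '.' <payload segment>.
    The only difference between the two forms is whether the payload segment
    is base64url text (standard JWS) or the raw payload (b64=false)."""
    return (header_seg + "." + payload_seg).encode("utf-8")


def compact_sign_hs256(protected: dict, payload: bytes, key: bytes) -> str:
    """Produce a compact JWS; honours the b64 header parameter if present."""
    header_seg = encode_header(protected)
    if protected.get("b64", True):
        payload_seg = b64url(payload)
    else:
        # An unencoded payload is placed verbatim in the middle segment, so it
        # must not contain the '.' that separates compact-serialization segments.
        if b"." in payload:
            raise ValueError("unencoded payload must not contain '.' in compact form")
        payload_seg = payload.decode("utf-8")
    mac = hmac.new(key, signing_input(header_seg, payload_seg), hashlib.sha256).digest()
    return ".".join([header_seg, payload_seg, b64url(mac)])


def compact_verify_hs256(token: str, key: bytes) -> bytes:
    """Verify a compact JWS and return its payload bytes; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three segments")
    header_seg, payload_seg, sig_seg = parts
    protected = json.loads(b64url_decode(header_seg))
    # The verifier decides the algorithm; the token is never allowed to choose it.
    if protected.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    crit = protected.get("crit", [])
    for name in crit:
        if name not in KNOWN_CRIT or name not in protected:
            raise ValueError(f"unsupported or missing critical header {name!r}")
    b64 = protected.get("b64", True)
    if b64 not in (True, False):
        raise ValueError("b64 must be a boolean")
    if not b64 and "b64" not in crit:
        # A verifier that ignored b64 would compute the wrong signing input,
        # so the sender must mark it critical.
        raise ValueError("b64 must be listed in crit")
    # Recompute over the segments exactly as received, not over a re-encoding.
    expected = hmac.new(key, signing_input(header_seg, payload_seg), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    return b64url_decode(payload_seg) if b64 else payload_seg.encode("utf-8")


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment uses a random key
    standard = compact_sign_hs256({"alg": "HS256"}, b'{"amount":"10.00","currency":"USD"}', key)
    unencoded = compact_sign_hs256({"alg": "HS256", "b64": False, "crit": ["b64"]},
                                   b'{"amount":"10","currency":"USD"}', key)
    print(standard)
    print(unencoded)  # the middle segment is the readable JSON, not base64url text
    print(compact_verify_hs256(unencoded, key))
```

Two things the example makes visible that the prose does not: with b64=false the payload is readable in the token, which is the property the thread cares about, but a payload such as the amount "10.00" already fails the no-'.' rule, so in practice the unencoded form is used with a detached payload carried out of band; and the verifier must refuse any "crit" entry it does not implement, otherwise a token with an unknown extension would be checked against the wrong signing input.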