IETF Logo Mail Archive

Re: [jose] Review Comments: Web Payments, Secure Messaging, and JOSE

"Manger, James" <James.H.Manger@team.telstra.com> Mon, 16 December 2013 23:35 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92B971AD9B7 for <jose@ietfa.amsl.com>; Mon, 16 Dec 2013 15:35:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.202
X-Spam-Level:
X-Spam-Status: No, score=-0.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XpdhbhNJqXKU for <jose@ietfa.amsl.com>; Mon, 16 Dec 2013 15:35:34 -0800 (PST)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 959F21ADBF7 for <jose@ietf.org>; Mon, 16 Dec 2013 15:35:33 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.95,498,1384261200"; d="scan'208";a="181761809"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipobvi.tcif.telstra.com.au with ESMTP; 17 Dec 2013 10:35:31 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7291"; a="181312188"
Received: from wsmsg3755.srv.dir.telstra.com ([172.49.40.196]) by ipcdvi.tcif.telstra.com.au with ESMTP; 17 Dec 2013 10:34:53 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3755.srv.dir.telstra.com ([172.49.40.196]) with mapi; Tue, 17 Dec 2013 10:34:53 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Manu Sporny <msporny@digitalbazaar.com>, JOSE WG <jose@ietf.org>
Date: Tue, 17 Dec 2013 10:34:51 +1100
Thread-Topic: [jose] Review Comments: Web Payments, Secure Messaging, and JOSE
Thread-Index: Ac72ujILqa0Xnr6bTi+gOly5h3r/AAD+SvZg
Message-ID: <255B9BB34FB7D647A506DC292726F6E115376CFF47@WSMSG3153V.srv.dir.telstra.com>
References: <52A8DCBC.6030801@digitalbazaar.com>
In-Reply-To: <52A8DCBC.6030801@digitalbazaar.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [jose] Review Comments: Web Payments, Secure Messaging, and JOSE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2013 23:35:36 -0000

There might be some nice ideas in the JSON-LD-based Secure Messaging. However, a crypto spec that uses encryption without authentication (no AEAD), uses raw CBC mode, thinks CBC stands for *cyclic* block chaining, puts "BEGIN *PRIVATE* KEY" in a field named publicKeyPem, requires RDF Graph Normalization that seems far removed from JSON, etc does not feel like a great basis.

--
James Manger

> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Manu Sporny
> Sent: Thursday, 12 December 2013 8:44 AM
> To: JOSE WG
> Subject: [jose] Review Comments: Web Payments, Secure Messaging, and
> JOSE
> 
> Hi all,
> 
> These are review comments on the JOSE stack of specifications before
> they enter Last Call. The purpose of these comments is to try and
> figure
> out if we can align multiple security, identity, and digital signature
> initiatives.
> 
> My name is Manu Sporny, I'm the current chair at W3C for the RDFa,
> JSON-LD, and Web Payments groups. I'm also a specification editor for
> multiple Linked Data, Security, Identity, and JSON-based digital
> signature specifications.
> 
> A few months ago, a number of the groups I'm involved with did a full
> review the JOSE stack of specifications to ensure that we were not
> duplicating work performed by the JOSE group. The result of that review
> is available here:
> 
> http://manu.sporny.org/2013/sm-vs-jose/
> 
> A number of implementers involved in the Linked Data and Web Payments
> work at W3C have chosen a different authentication, authorization, and
> digital signature stack than the one that is being created here. This
> decision came after much hand wringing and implementation feedback. We
> used to be based on OpenID, and were headed down the JOSE route before
> deciding to create an ecosystem that we believe is going to be simpler
> for Web Developers to work with.
> 
> To be clear, this is not to imply that the JOSE or OpenID work is not
> useful to a number of communities, but rather that it is not a stack
> that lends itself well to the work we're doing in various groups at the
> W3C and IETF. To give a very high-level outline of the different
> choices
> we have made:
> 
> * JSON-LD spec for message format (instead of pure JSON)
> * Secure Messaging spec for digital signatures (instead of JOSE)
> * Persona for authn (instead of OpenID)
> * HTTP Signatures & Secure Messaging for authz (instead of OpenID)
> 
...
>   "publicKeyPem": "-----BEGIN PRIVATE
> KEY-----\nMIIBG0BA...OClDQAB\n-----END PRIVATE KEY-----\n"
> }
> 
...
>        placing all parameters in an opaque blob of information that
>        has a clear beginning and end (-----BEGIN RSA PRIVATE
>        KEY-----, and --- END RSA PRIVATE KEY ---)

v2.23.0 | Report a Bug | By Email