(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)? Why is this the proper
type of RFC? Is this type of RFC indicated in the title page header?
This document is being requested for publication as a Proposed Standard. The
document was produced with the expectation that it would be widely used in
conjunction with the JSON Web Signature (JWS), JSON Web Encryption (JWE),
and JSON Web Key (JWK) documents as part of a suite of documents providing
security services for JSON. As such, it is reasonable for these documents to
progress on the standards track. The intended status is shown on the title page.
(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:
This document, the JSON Web Algorithms (JWA) specification, registers
cryptographic algorithms and identifiers to be used with the JSON Web
Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK)
specifications. It establishes several IANA registries for these identifiers.
Working Group Summary:
The document has clear working group consensus for publication, and has
been reviewed by several WG participants since its initial adoption as a
working group item. The question of what cryptographic algorithms should be
included was somewhat difficult as it is for any process trying to determine
which algorithms should be included. The considerations included what is
implemented, available, broadly used, and adequate from a security
perspective. The issue of algorithms that are potentially less desirable but
more broadly implemented was considered.
This document has been reviewed and revised many times. There are multiple
implementations of this document. Some of these are listed at:
https://openid.net/developers/libraries/ (see the JWT/JWS/JWE/JWK/JWA
Implementations section). There were no specific external expert reviews
conducted; however, the WGLC notification was sent to the W3C WebCrypto
Karen O'Donoghue is acting as the Document Shepherd. Kathleen Moriarty is
the Responsible Area Director.
(3) Briefly describe the review of this document that was performed by the
Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG.
The document shepherd has followed the working group process and reviewed
the final document and feels this document is ready for IESG review.
(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?
The document shepherd does not have any concerns about the reviews that
(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP,
XML, or internationalization? If so, describe the review that took place.
This document doesnÕt require any special reviews beyond those planned
during the IESG review process. As a security specification, additional security
reviews during this process are expected.
(6) Describe any specific concerns or issues that the Document Shepherd has
with this document that the Responsible Area Director and/or the IESG should
be aware of? For example, perhaps he or she is uncomfortable with certain
parts of the document, or has concerns whether there really is a need for it. In
any event, if the WG has discussed those issues and has indicated that it still
wishes to advance the document, detail those concerns here.
The Document Shepherd is comfortable with this document as a stable set of
algorithms and the definition of registries for the addition of further
algorithms. There has also been some coordination with the W3C WebCrypto
working group regarding the definition and use of these registries. The
documents represent the consensus of the working group.
(7) Has each author confirmed that any and all appropriate IPR disclosures
required for full conformance with the provisions of BCP 78 and BCP 79 have
already been filed. If not, explain why?
The author has confirmed that he has dealt with all appropriate IPR
(8) Has an IPR disclosure been filed that references this document? If so,
summarize any WG discussion and conclusion regarding the IPR disclosures.
Certicom Corporation has filed an IPR discloser on draft-ietf-jose-json-web-
algorithms dealing with elliptical curve technologies. These patents are the
normal IPR disclosure from Certicom and received only a brief discussion. The
group was notified of an additional possible patent from IBM, but no discloser
was ever filed and no discussion was ever held on the patent. (The patent
appears to be a mechanical transformation of XML digital signatures and
mapping it onto JSON.)
(9) How solid is the WG consensus behind this document? Does it represent
the strong concurrence of a few individuals, with others being silent, or does
the WG as a whole understand and agree with it?
The document represents strong WG consensus, but as in all things involving
cryptographic algorithms these days, there were some dissenting opinions
along the way.
(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize the areas of conflict in separate email
messages to the Responsible Area Director.
There have been no threats of anyone appealing the documents.
(11) Identify any ID nits the Document Shepherd has found in this document.
(See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).
Boilerplate checks are not enough; this check needs to be thorough.
The following nit errors were identified. These nits are all related to downrefs
to algorithm documents and are discussed further in (15).
** Downref: Normative reference to an Informational RFC: RFC 2104
** Downref: Normative reference to an Informational RFC: RFC 2898
** Downref: Normative reference to an Informational RFC: RFC 3394
** Downref: Normative reference to an Informational RFC: RFC 6090
(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.
There are no formal review criteria for this document.
(13) Have all references within this document been identified as either
normative or informative?
All references are tagged as normative or informative.
(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?
All normative references are on track for completion or are completed.
(15) Are there downward normative references (see RFC 3967)? If so, list
these downward references to support the Area Director in the Last Call
There are a number of down-references to information documents. These are
all algorithm documents so this is normal procedure.
RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
RFC 2898 - PKCS #5: Password-Based Cryptography Specification Version
RFC 3394 - Advanced Encryption Standard (AES) Key Wrap Algorithm
RFC 6090 - Fundamental Elliptic Curve Cryptography Algorithms
(16) Will publication of this document change the status of any existing RFCs?
Are those RFCs listed on the title page header, listed in the abstract, and
discussed in the introduction? If the RFCs are not listed in the Abstract and
Introduction, explain why, and point to the part of the document where the
relationship of this document to the other RFCs is discussed. If this information
is not in the document, explain why the WG considers it unnecessary.
These documents are all first time documents. They will not change the status
of any existing documents.
(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes are
associated with the appropriate reservations in IANA registries. Confirm that
any referenced IANA registries have been clearly identified. Confirm that
newly created IANA registries include a detailed specification of the initial
contents for the registry, that allocations procedures for future registrations
are defined, and a reasonable name for the new registry has been suggested
(see RFC 5226).
This document defines the following IANA registries including a name, initial
entries, and future allocation procedures:
JSON Web Signature and Encryption Algorithms Registry
JSON Web Encryption Compression Algorithms Registry
JSON Web Key Types Registry
JSON Web Key Elliptic Curve Registry
Additionally, this document adds entries to the following IANA registries:
JSON Web Signature and Encryption Header Parameters (defined in JWS)
JSON Web Key Parameters Registry (defined in JWK)
(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.
All of the registries created by these documents are designated as requiring
Expert Review. The registries to be created are:
* JSON Web Signature Encryption Algorithm Registry
* JSON Web Encryption Compression Algorithm Registry
* JSON Web Key Types Registry
* JSON Web Key Elliptic Curve Registry
At this time it is known that there will be new allocations from the W3C
WebCrypto WG and the IETF OAuth WG. Selection of expert reviewers needs to
be broader than the current set of authors give the potential scope of the
(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal language,
such as XML code, BNF rules, MIB definitions, etc.
There are no formal language sections in these documents.