Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
draft-ietf-jose-use-cases-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2014-04-11
|
06 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2014-03-27
|
06 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2014-03-04
|
06 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2014-01-15
|
06 | Amy Vezza | State changed to RFC Ed Queue from Approved-announcement sent |
2014-01-15
|
06 | (System) | IANA Action state changed to No IC from In Progress |
2014-01-15
|
06 | (System) | IANA Action state changed to In Progress |
2014-01-14
|
06 | (System) | RFC Editor state changed to EDIT |
2014-01-14
|
06 | (System) | Announcement was received by RFC Editor |
2014-01-14
|
06 | Cindy Morgan | State changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2014-01-14
|
06 | Cindy Morgan | IESG has approved the document |
2014-01-14
|
06 | Cindy Morgan | Closed "Approve" ballot |
2014-01-14
|
06 | Cindy Morgan | Ballot approval text was generated |
2014-01-14
|
06 | Cindy Morgan | Ballot writeup was changed |
2014-01-05
|
06 | Stephen Farrell | [Ballot comment] Thanks for changing the reference to FIPS. The new text still isn't my favourite - I don't have that high an opinion of … [Ballot comment] Thanks for changing the reference to FIPS. The new text still isn't my favourite - I don't have that high an opinion of those kinds of evaluations in general - but I guess the WG won't go wild mimicing FIPS 140-2. --- old comments below, didn't check 'em but feel free to follow up if need be abstract: CMS isn't "in the past" suggest you make that present tense since this does not in any way OBSOLETE CMS. abstract: I'm also not sure that "overtaken" is right. Seems to me that these encoding schemes are fashion-items with an about 5 year "season" so being so definitive might look a bit silly next season. If you buy that, there'd maybe be other changes to make too. Generally, I don't think this needs to or should be doing a sales-pitch, and the same goes for the XML discussion too. intro: PGP is probably better "known" than S/MIME as a mail security solution. section 2: MAC == signing? Yuk. That does lead to developer confusion IMO. section 5: s/Several working groups/Several IETF working groups/ section 5: I thought Persona wasn't quite JOSE? Maybe I'm remembering wrong though (didn't check) typos: applicaitions, "JWT token" 5.4: What we use is OTR though. A ref to that would be good, just after you say that the CMS based approach hasn't been deployed. 5.7: This is a bit vague. I believe there are JOSE object that cannot be processed by the WebCrypto API and that there are WebCrypto algorithms that are not defined in JOSE, so API outputs cannot all be JOSE conformant. Is that correct? If so, then I think you need to say that for truth-in-advertising reasons. The fact that the WG think that's ok makes me sad. See also the secdir review [1] which calls out a few nits. [1] https://www.ietf.org/mail-archive/web/secdir/current/msg04481.html |
2014-01-05
|
06 | Stephen Farrell | [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss |
2013-12-30
|
06 | Gunter Van de Velde | Closed request for Last Call review by OPSDIR with state 'No Response' |
2013-12-27
|
06 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2013-12-27
|
06 | Richard Barnes | IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed |
2013-12-27
|
06 | Richard Barnes | New version available: draft-ietf-jose-use-cases-06.txt |
2013-12-23
|
05 | Benoît Claise | [Ballot Position Update] Position for Benoit Claise has been changed to No Objection from No Record |
2013-12-19
|
05 | Cindy Morgan | State changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation |
2013-12-19
|
05 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Simon Josefsson. |
2013-12-19
|
05 | Barry Leiba | [Ballot comment] Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group to … [Ballot comment] Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group to make sure that the correct set of requirements has been setup for the solution," and given the questions we've raised about the interest in using the JOSE WG's product, it would have been good if the shepherd had done more to get App Area review -- perhaps more on apps-discuss (one of the chairs did post a note on 29 July), and by explicitly asking for Applications Directorate review (I'll talk with the appsdir team lead about watching for JOSE documents). Along with that, the document says, at the start of Section 5, "Several working groups developing application-layer protocols have expressed a desire to use the JOSE data formats in their designs for end-to-end security features." What are those working groups (the subsections indicate at least OAUTH, XMPP, ALTO, ATOCA, CORE, and W3C Web Crypto), and, apart from OAUTH, which is mentioned in the writeup, have the others of those reviewed this document? On to the document... A pet peeve of mine in the Introduction (you can play with my pets, or kick them aside, as you see fit): CMS is defined using Abstract Syntax Notation 1 (ASN.1) and traditionally encoded using the ASN.1 Distinguished Encoding Rules (DER) There are no traditions operating here. Perhaps you mean "typically", or "usually"? [Barry continues his review while whistling the opening tune from "Fiddler on the Roof"...] In addition to Stephen's comments about the abstract/introduction, with which I wholeheartedly agree (I would strongly prefer that you spin this as an alternative to CMS, not as a replacement): In practice, however, XML-based secure object formats introduce similar levels of complexity to ASN.1, so developers that lack the tools or motivation to handle ASN.1 aren't likely to use XML security either. Do you have anything to back this up with? It seems to me that whether I can cope with XML and whether I can cope with ASN.1 are two entirely separate things. Why on Earth should they be linked -- just because they're both complex? Section 3 begins with another of my pets: "Obviously," -- please, just say "no" to that, and remove the word (and the comma). |
2013-12-19
|
05 | Barry Leiba | [Ballot Position Update] Position for Barry Leiba has been changed to No Objection from Discuss |
2013-12-19
|
05 | Benoît Claise | [Ballot comment] I won't have the time to review the full before the IESG telechat. I just spent 20 minutes on it. Like Stephen, that … [Ballot comment] I won't have the time to review the full before the IESG telechat. I just spent 20 minutes on it. Like Stephen, that sentence made we wonder: Over time, the use of binary object encodings such as ASN.1 has been overtaken by text-based encodings, for example JavaScript Object Notation. I would like to get some OPS (SNMP/NETCONF) experts feedback on this draft regarding the ASN.1/XML statements, and state my position after that. For some statements, it's not clear if they apply only to applications, or also to protocols. Most likely, with 2 DISCUSSes, this draft won't be approved today. So I have no intention to DEFER the draft. |
2013-12-19
|
05 | Benoît Claise | Ballot comment text updated for Benoit Claise |
2013-12-19
|
05 | Barry Leiba | [Ballot discuss] Preamble: Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group … [Ballot discuss] Preamble: Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group to make sure that the correct set of requirements has been setup for the solution," and given the questions we've raised about the interest in using the JOSE WG's product, it would have been good if the shepherd had done more to get App Area review -- perhaps more on apps-discuss (one of the chairs did post a note on 29 July), and by explicitly asking for Applications Directorate review (I'll talk with the appsdir team lead about watching for JOSE documents). The DISCUSS point: Along with that, the document says, at the start of Section 5, "Several working groups developing application-layer protocols have expressed a desire to use the JOSE data formats in their designs for end-to-end security features." What are those working groups (the subsections indicate at least OAUTH, XMPP, ALTO, ATOCA, CORE, and W3C Web Crypto), and, apart from OAUTH, which is mentioned in the writeup, have the others of those reviewed this document? |
2013-12-19
|
05 | Barry Leiba | [Ballot comment] A pet peeve of mine in the Introduction (you can play with my pets, or kick them aside, as you see fit): … [Ballot comment] A pet peeve of mine in the Introduction (you can play with my pets, or kick them aside, as you see fit): CMS is defined using Abstract Syntax Notation 1 (ASN.1) and traditionally encoded using the ASN.1 Distinguished Encoding Rules (DER) There are no traditions operating here. Perhaps you mean "typically", or "usually"? [Barry continues his review while whistling the opening tune from "Fiddler on the Roof"...] In addition to Stephen's comments about the abstract/introduction, with which I wholeheartedly agree (I would strongly prefer that you spin this as an alternative to CMS, not as a replacement): In practice, however, XML-based secure object formats introduce similar levels of complexity to ASN.1, so developers that lack the tools or motivation to handle ASN.1 aren't likely to use XML security either. Do you have anything to back this up with? It seems to me that whether I can cope with XML and whether I can cope with ASN.1 are two entirely separate things. Why on Earth should they be linked -- just because they're both complex? Section 3 begins with another of my pets: "Obviously," -- please, just say "no" to that, and remove the word (and the comma). |
2013-12-19
|
05 | Barry Leiba | [Ballot Position Update] New position, Discuss, has been recorded for Barry Leiba |
2013-12-19
|
05 | Stephen Farrell | [Ballot discuss] 6.2 says "do what FIPS says" more-or-less. I don't think that should rise to this level of requirement. The first sentence is fine, … [Ballot discuss] 6.2 says "do what FIPS says" more-or-less. I don't think that should rise to this level of requirement. The first sentence is fine, but the 2nd is not IMO. |
2013-12-19
|
05 | Stephen Farrell | [Ballot comment] abstract: CMS isn't "in the past" suggest you make that present tense since this does not in any way OBSOLETE CMS. abstract: I'm … [Ballot comment] abstract: CMS isn't "in the past" suggest you make that present tense since this does not in any way OBSOLETE CMS. abstract: I'm also not sure that "overtaken" is right. Seems to me that these encoding schemes are fashion-items with an about 5 year "season" so being so definitive might look a bit silly next season. If you buy that, there'd maybe be other changes to make too. Generally, I don't think this needs to or should be doing a sales-pitch, and the same goes for the XML discussion too. intro: PGP is probably better "known" than S/MIME as a mail security solution. section 2: MAC == signing? Yuk. That does lead to developer confusion IMO. section 5: s/Several working groups/Several IETF working groups/ section 5: I thought Persona wasn't quite JOSE? Maybe I'm remembering wrong though (didn't check) typos: applicaitions, "JWT token" 5.4: What we use is OTR though. A ref to that would be good, just after you say that the CMS based approach hasn't been deployed. 5.7: This is a bit vague. I believe there are JOSE object that cannot be processed by the WebCrypto API and that there are WebCrypto algorithms that are not defined in JOSE, so API outputs cannot all be JOSE conformant. Is that correct? If so, then I think you need to say that for truth-in-advertising reasons. The fact that the WG think that's ok makes me sad. See also the secdir review [1] which calls out a few nits. [1] https://www.ietf.org/mail-archive/web/secdir/current/msg04481.html |
2013-12-19
|
05 | Stephen Farrell | [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell |
2013-12-18
|
05 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2013-12-18
|
05 | Sean Turner | Changed consensus to Yes from Unknown |
2013-12-18
|
05 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2013-12-18
|
05 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant |
2013-12-17
|
05 | Jari Arkko | [Ballot comment] Thanks for a well written document. |
2013-12-17
|
05 | Jari Arkko | [Ballot Position Update] New position, Yes, has been recorded for Jari Arkko |
2013-12-17
|
05 | Richard Barnes | [Ballot Position Update] New position, Recuse, has been recorded for Richard Barnes |
2013-12-17
|
05 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2013-12-16
|
05 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2013-12-12
|
05 | Sean Turner | State changed to IESG Evaluation from Waiting for Writeup |
2013-12-12
|
05 | Sean Turner | Ballot has been issued |
2013-12-12
|
05 | Sean Turner | [Ballot Position Update] New position, Yes, has been recorded for Sean Turner |
2013-12-12
|
05 | Sean Turner | Created "Approve" ballot |
2013-12-12
|
05 | Sean Turner | Ballot writeup was changed |
2013-12-10
|
05 | (System) | IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed |
2013-12-10
|
05 | Amanda Baber | IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-jose-use-cases-05, which is currently in Last Call, and has the following comments: We understand that this document doesn't require … IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-jose-use-cases-05, which is currently in Last Call, and has the following comments: We understand that this document doesn't require any IANA actions. IANA requests that the IANA Considerations section of the document remain in place upon publication. If this assessment is not accurate, please respond as soon as possible. |
2013-12-06
|
05 | (System) | State changed to Waiting for Writeup from In Last Call (ends 2013-12-06) |
2013-11-28
|
05 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Mauricio Sanchez |
2013-11-28
|
05 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Mauricio Sanchez |
2013-11-28
|
05 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Simon Josefsson |
2013-11-28
|
05 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Simon Josefsson |
2013-11-25
|
05 | Jean Mahoney | Request for Last Call review by GENART is assigned to Pete McCann |
2013-11-25
|
05 | Jean Mahoney | Request for Last Call review by GENART is assigned to Pete McCann |
2013-11-22
|
05 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2013-11-22
|
05 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Use Cases and Requirements for … The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)) to Informational RFC The IESG has received a request from the Javascript Object Signing and Encryption WG (jose) to consider the following document: - 'Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-12-06. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. In the past, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, the use of binary object encodings such as ASN.1 has been overtaken by text-based encodings, for example JavaScript Object Notation. This document defines a set of use cases and requirements for a secure object format encoded using JavaScript Object Notation (JSON), drawn from a variety of application security mechanisms currently in development. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-jose-use-cases/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-jose-use-cases/ballot/ No IPR declarations have been submitted directly on this I-D. |
2013-11-22
|
05 | Amy Vezza | State changed to In Last Call from Last Call Requested |
2013-11-22
|
05 | Sean Turner | Placed on agenda for telechat - 2013-12-19 |
2013-11-22
|
05 | Sean Turner | Last call was requested |
2013-11-22
|
05 | Sean Turner | Ballot approval text was generated |
2013-11-22
|
05 | Sean Turner | Ballot writeup was generated |
2013-11-22
|
05 | Sean Turner | State changed to Last Call Requested from AD Evaluation |
2013-11-22
|
05 | Sean Turner | Last call announcement was generated |
2013-11-05
|
05 | Sean Turner | State changed to AD Evaluation from Publication Requested |
2013-10-27
|
05 | Jim Schaad | IETF WG state changed to Submitted to IESG for Publication from Submitted to IESG for Publication |
2013-10-27
|
05 | Jim Schaad | Annotation tag Doc Shepherd Follow-up Underway cleared. |
2013-10-27
|
05 | Jim Schaad | State Change Notice email list changed to jose-chairs@tools.ietf.org, draft-ietf-jose-use-cases@tools.ietf.org |
2013-10-27
|
05 | Jim Schaad | Responsible AD changed to Sean Turner |
2013-10-27
|
05 | Jim Schaad | Working group state set to Submitted to IESG for Publication |
2013-10-27
|
05 | Jim Schaad | IETF WG state changed to Submitted to IESG for Publication |
2013-10-27
|
05 | Jim Schaad | IESG state changed to Publication Requested |
2013-10-27
|
05 | Jim Schaad | IESG state set to Publication Requested |
2013-10-27
|
05 | Jim Schaad | IESG process started in state Publication Requested |
2013-10-27
|
05 | Jim Schaad | Changed document writeup |
2013-10-27
|
05 | Jim Schaad | Document shepherd changed to Jim Schaad |
2013-09-05
|
05 | Richard Barnes | New version available: draft-ietf-jose-use-cases-05.txt |
2013-08-15
|
04 | Richard Barnes | New version available: draft-ietf-jose-use-cases-04.txt |
2013-07-31
|
03 | Jim Schaad | Intended Status changed to Informational from None |
2013-07-28
|
03 | Jim Schaad | Document shepherd changed to Karen O'Donoghue |
2013-07-28
|
03 | Jim Schaad | IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead |
2013-07-28
|
03 | Jim Schaad | Annotation tag Doc Shepherd Follow-up Underway set. Annotation tag Revised I-D Needed - Issue raised by WG cleared. |
2013-07-14
|
03 | Richard Barnes | New version available: draft-ietf-jose-use-cases-03.txt |
2013-07-08
|
02 | Jim Schaad | IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call |
2013-07-08
|
02 | Jim Schaad | Annotation tag Revised I-D Needed - Issue raised by WG set. |
2013-05-31
|
02 | Jim Schaad | IETF WG state changed to In WG Last Call from WG Document |
2013-05-29
|
02 | Richard Barnes | New version available: draft-ietf-jose-use-cases-02.txt |
2013-05-26
|
01 | Richard Barnes | New version available: draft-ietf-jose-use-cases-01.txt |
2013-03-20
|
00 | Richard Barnes | New version available: draft-ietf-jose-use-cases-00.txt |