Skip to main content

Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
draft-ietf-jose-use-cases-06

Revision differences

Document history

Date Rev. By Action
2014-04-11
06 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2014-03-27
06 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2014-03-04
06 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2014-01-15
06 Amy Vezza State changed to RFC Ed Queue from Approved-announcement sent
2014-01-15
06 (System) IANA Action state changed to No IC from In Progress
2014-01-15
06 (System) IANA Action state changed to In Progress
2014-01-14
06 (System) RFC Editor state changed to EDIT
2014-01-14
06 (System) Announcement was received by RFC Editor
2014-01-14
06 Cindy Morgan State changed to Approved-announcement sent from IESG Evaluation::AD Followup
2014-01-14
06 Cindy Morgan IESG has approved the document
2014-01-14
06 Cindy Morgan Closed "Approve" ballot
2014-01-14
06 Cindy Morgan Ballot approval text was generated
2014-01-14
06 Cindy Morgan Ballot writeup was changed
2014-01-05
06 Stephen Farrell
[Ballot comment]

Thanks for changing the reference to FIPS. The new text
still isn't my favourite - I don't have that high an opinion
of …
[Ballot comment]

Thanks for changing the reference to FIPS. The new text
still isn't my favourite - I don't have that high an opinion
of those kinds of evaluations in general - but I guess the
WG won't go wild mimicing FIPS 140-2.

--- old comments below, didn't check 'em but feel
free to follow up if need be

abstract: CMS isn't "in the past" suggest you make
that present tense since this does not in any way
OBSOLETE CMS.

abstract: I'm also not sure that "overtaken" is
right.  Seems to me that these encoding schemes are
fashion-items with an about 5 year "season" so being
so definitive might look a bit silly next season.  If
you buy that, there'd maybe be other changes to make
too. Generally, I don't think this needs to or should
be doing a sales-pitch, and the same goes for the XML
discussion too.

intro: PGP is probably better "known" than S/MIME as
a mail security solution.

section 2: MAC == signing? Yuk. That does lead to
developer confusion IMO.

section 5: s/Several working groups/Several IETF
working groups/

section 5: I thought Persona wasn't quite JOSE?
Maybe I'm remembering wrong though (didn't check)

typos: applicaitions, "JWT token"

5.4: What we use is OTR though. A ref to that would
be good, just after you say that the CMS based
approach hasn't been deployed.

5.7: This is a bit vague. I believe there are JOSE
object that cannot be processed by the WebCrypto API
and that there are WebCrypto algorithms that are not
defined in JOSE, so API outputs cannot all be JOSE
conformant. Is that correct? If so, then I think you
need to say that for truth-in-advertising reasons.
The fact that the WG think that's ok makes me sad.

See also the secdir review [1] which calls out a
few nits.

  [1] https://www.ietf.org/mail-archive/web/secdir/current/msg04481.html
2014-01-05
06 Stephen Farrell [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss
2013-12-30
06 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'No Response'
2013-12-27
06 (System) Sub state has been changed to AD Followup from Revised ID Needed
2013-12-27
06 Richard Barnes IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2013-12-27
06 Richard Barnes New version available: draft-ietf-jose-use-cases-06.txt
2013-12-23
05 Benoît Claise [Ballot Position Update] Position for Benoit Claise has been changed to No Objection from No Record
2013-12-19
05 Cindy Morgan State changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2013-12-19
05 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Simon Josefsson.
2013-12-19
05 Barry Leiba
[Ballot comment]
Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group to …
[Ballot comment]
Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group to make sure that the correct set of requirements has been setup for the solution," and given the questions we've raised about the interest in using the JOSE WG's product, it would have been good if the shepherd had done more to get App Area review -- perhaps more on apps-discuss (one of the chairs did post a note on 29 July), and by explicitly asking for Applications Directorate review (I'll talk with the appsdir team lead about watching for JOSE documents).

Along with that, the document says, at the start of Section 5, "Several working groups developing application-layer protocols have expressed a desire to use the JOSE data formats in their designs for end-to-end security features."  What are those working groups (the subsections indicate at least OAUTH, XMPP, ALTO, ATOCA, CORE, and W3C Web Crypto), and, apart from OAUTH, which is mentioned in the writeup, have the others of those reviewed this document?

On to the document...

A pet peeve of mine in the Introduction (you can play with my pets, or kick them aside, as you see fit):
  CMS is defined using Abstract Syntax
  Notation 1 (ASN.1) and traditionally encoded using the ASN.1
  Distinguished Encoding Rules (DER)

There are no traditions operating here.  Perhaps you mean "typically", or "usually"?

[Barry continues his review while whistling the opening tune from "Fiddler on the Roof"...]

In addition to Stephen's comments about the abstract/introduction, with which I wholeheartedly agree (I would strongly prefer that you spin this as an alternative to CMS, not as a replacement):

  In
  practice, however, XML-based secure object formats introduce similar
  levels of complexity to ASN.1, so developers that lack the tools or
  motivation to handle ASN.1 aren't likely to use XML security either.

Do you have anything to back this up with?  It seems to me that whether I can cope with XML and whether I can cope with ASN.1 are two entirely separate things.  Why on Earth should they be linked -- just because they're both complex?

Section 3 begins with another of my pets: "Obviously," -- please, just say "no" to that, and remove the word (and the comma).
2013-12-19
05 Barry Leiba [Ballot Position Update] Position for Barry Leiba has been changed to No Objection from Discuss
2013-12-19
05 Benoît Claise
[Ballot comment]
I won't have the time to review the full before the IESG telechat. I just spent 20 minutes on it.
Like Stephen, that …
[Ballot comment]
I won't have the time to review the full before the IESG telechat. I just spent 20 minutes on it.
Like Stephen, that sentence made we wonder:
  Over time, the use of binary object encodings such as ASN.1 has been
  overtaken by text-based encodings, for example JavaScript Object
  Notation.

I would like to get some OPS (SNMP/NETCONF) experts feedback on this draft regarding the ASN.1/XML statements, and state my position after that. For some statements, it's not clear if they apply only to applications, or also to protocols.
Most likely, with 2 DISCUSSes, this draft won't be approved today. So I have no intention to DEFER the draft.
2013-12-19
05 Benoît Claise Ballot comment text updated for Benoit Claise
2013-12-19
05 Barry Leiba
[Ballot discuss]
Preamble:
Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group …
[Ballot discuss]
Preamble:
Given that the shepherd says, "it does not have sufficient apps area review," and "it needs more review outside of the group to make sure that the correct set of requirements has been setup for the solution," and given the questions we've raised about the interest in using the JOSE WG's product, it would have been good if the shepherd had done more to get App Area review -- perhaps more on apps-discuss (one of the chairs did post a note on 29 July), and by explicitly asking for Applications Directorate review (I'll talk with the appsdir team lead about watching for JOSE documents).

The DISCUSS point:
Along with that, the document says, at the start of Section 5, "Several working groups developing application-layer protocols have expressed a desire to use the JOSE data formats in their designs for end-to-end security features."  What are those working groups (the subsections indicate at least OAUTH, XMPP, ALTO, ATOCA, CORE, and W3C Web Crypto), and, apart from OAUTH, which is mentioned in the writeup, have the others of those reviewed this document?
2013-12-19
05 Barry Leiba
[Ballot comment]
A pet peeve of mine in the Introduction (you can play with my pets, or kick them aside, as you see fit):
  …
[Ballot comment]
A pet peeve of mine in the Introduction (you can play with my pets, or kick them aside, as you see fit):
  CMS is defined using Abstract Syntax
  Notation 1 (ASN.1) and traditionally encoded using the ASN.1
  Distinguished Encoding Rules (DER)

There are no traditions operating here.  Perhaps you mean "typically", or "usually"?

[Barry continues his review while whistling the opening tune from "Fiddler on the Roof"...]

In addition to Stephen's comments about the abstract/introduction, with which I wholeheartedly agree (I would strongly prefer that you spin this as an alternative to CMS, not as a replacement):

  In
  practice, however, XML-based secure object formats introduce similar
  levels of complexity to ASN.1, so developers that lack the tools or
  motivation to handle ASN.1 aren't likely to use XML security either.

Do you have anything to back this up with?  It seems to me that whether I can cope with XML and whether I can cope with ASN.1 are two entirely separate things.  Why on Earth should they be linked -- just because they're both complex?

Section 3 begins with another of my pets: "Obviously," -- please, just say "no" to that, and remove the word (and the comma).
2013-12-19
05 Barry Leiba [Ballot Position Update] New position, Discuss, has been recorded for Barry Leiba
2013-12-19
05 Stephen Farrell
[Ballot discuss]

6.2 says "do what FIPS says" more-or-less. I don't
think that should rise to this level of requirement.
The first sentence is fine, …
[Ballot discuss]

6.2 says "do what FIPS says" more-or-less. I don't
think that should rise to this level of requirement.
The first sentence is fine, but the 2nd is not IMO.
2013-12-19
05 Stephen Farrell
[Ballot comment]


abstract: CMS isn't "in the past" suggest you make
that present tense since this does not in any way
OBSOLETE CMS.

abstract: I'm …
[Ballot comment]


abstract: CMS isn't "in the past" suggest you make
that present tense since this does not in any way
OBSOLETE CMS.

abstract: I'm also not sure that "overtaken" is
right.  Seems to me that these encoding schemes are
fashion-items with an about 5 year "season" so being
so definitive might look a bit silly next season.  If
you buy that, there'd maybe be other changes to make
too. Generally, I don't think this needs to or should
be doing a sales-pitch, and the same goes for the XML
discussion too.

intro: PGP is probably better "known" than S/MIME as
a mail security solution.

section 2: MAC == signing? Yuk. That does lead to
developer confusion IMO.

section 5: s/Several working groups/Several IETF
working groups/

section 5: I thought Persona wasn't quite JOSE?
Maybe I'm remembering wrong though (didn't check)

typos: applicaitions, "JWT token"

5.4: What we use is OTR though. A ref to that would
be good, just after you say that the CMS based
approach hasn't been deployed.

5.7: This is a bit vague. I believe there are JOSE
object that cannot be processed by the WebCrypto API
and that there are WebCrypto algorithms that are not
defined in JOSE, so API outputs cannot all be JOSE
conformant. Is that correct? If so, then I think you
need to say that for truth-in-advertising reasons.
The fact that the WG think that's ok makes me sad.

See also the secdir review [1] which calls out a
few nits.

  [1] https://www.ietf.org/mail-archive/web/secdir/current/msg04481.html
2013-12-19
05 Stephen Farrell [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell
2013-12-18
05 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2013-12-18
05 Sean Turner Changed consensus to Yes from Unknown
2013-12-18
05 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2013-12-18
05 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant
2013-12-17
05 Jari Arkko [Ballot comment]
Thanks for a well written document.
2013-12-17
05 Jari Arkko [Ballot Position Update] New position, Yes, has been recorded for Jari Arkko
2013-12-17
05 Richard Barnes [Ballot Position Update] New position, Recuse, has been recorded for Richard Barnes
2013-12-17
05 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2013-12-16
05 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2013-12-12
05 Sean Turner State changed to IESG Evaluation from Waiting for Writeup
2013-12-12
05 Sean Turner Ballot has been issued
2013-12-12
05 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2013-12-12
05 Sean Turner Created "Approve" ballot
2013-12-12
05 Sean Turner Ballot writeup was changed
2013-12-10
05 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2013-12-10
05 Amanda Baber
IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-jose-use-cases-05, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require …
IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-jose-use-cases-05, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions. IANA requests that the IANA Considerations section of the document remain in place upon publication.

If this assessment is not accurate, please respond as soon as possible.
2013-12-06
05 (System) State changed to Waiting for Writeup from In Last Call (ends 2013-12-06)
2013-11-28
05 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mauricio Sanchez
2013-11-28
05 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mauricio Sanchez
2013-11-28
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to Simon Josefsson
2013-11-28
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to Simon Josefsson
2013-11-25
05 Jean Mahoney Request for Last Call review by GENART is assigned to Pete McCann
2013-11-25
05 Jean Mahoney Request for Last Call review by GENART is assigned to Pete McCann
2013-11-22
05 Amy Vezza IANA Review state changed to IANA - Review Needed
2013-11-22
05 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Use Cases and Requirements for …
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)) to Informational RFC


The IESG has received a request from the Javascript Object Signing and
Encryption WG (jose) to consider the following document:
- 'Use Cases and Requirements for JSON Object Signing and Encryption
  (JOSE)'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-12-06. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  Many Internet applications have a need for object-based security
  mechanisms in addition to security mechanisms at the network layer or
  transport layer.  In the past, the Cryptographic Message Syntax (CMS)
  has provided a binary secure object format based on ASN.1.  Over
  time, the use of binary object encodings such as ASN.1 has been
  overtaken by text-based encodings, for example JavaScript Object
  Notation.  This document defines a set of use cases and requirements
  for a secure object format encoded using JavaScript Object Notation
  (JSON), drawn from a variety of application security mechanisms
  currently in development.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-jose-use-cases/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-jose-use-cases/ballot/


No IPR declarations have been submitted directly on this I-D.


2013-11-22
05 Amy Vezza State changed to In Last Call from Last Call Requested
2013-11-22
05 Sean Turner Placed on agenda for telechat - 2013-12-19
2013-11-22
05 Sean Turner Last call was requested
2013-11-22
05 Sean Turner Ballot approval text was generated
2013-11-22
05 Sean Turner Ballot writeup was generated
2013-11-22
05 Sean Turner State changed to Last Call Requested from AD Evaluation
2013-11-22
05 Sean Turner Last call announcement was generated
2013-11-05
05 Sean Turner State changed to AD Evaluation from Publication Requested
2013-10-27
05 Jim Schaad IETF WG state changed to Submitted to IESG for Publication from Submitted to IESG for Publication
2013-10-27
05 Jim Schaad Annotation tag Doc Shepherd Follow-up Underway cleared.
2013-10-27
05 Jim Schaad State Change Notice email list changed to jose-chairs@tools.ietf.org, draft-ietf-jose-use-cases@tools.ietf.org
2013-10-27
05 Jim Schaad Responsible AD changed to Sean Turner
2013-10-27
05 Jim Schaad Working group state set to Submitted to IESG for Publication
2013-10-27
05 Jim Schaad IETF WG state changed to Submitted to IESG for Publication
2013-10-27
05 Jim Schaad IESG state changed to Publication Requested
2013-10-27
05 Jim Schaad IESG state set to Publication Requested
2013-10-27
05 Jim Schaad IESG process started in state Publication Requested
2013-10-27
05 Jim Schaad Changed document writeup
2013-10-27
05 Jim Schaad Document shepherd changed to Jim Schaad
2013-09-05
05 Richard Barnes New version available: draft-ietf-jose-use-cases-05.txt
2013-08-15
04 Richard Barnes New version available: draft-ietf-jose-use-cases-04.txt
2013-07-31
03 Jim Schaad Intended Status changed to Informational from None
2013-07-28
03 Jim Schaad Document shepherd changed to Karen O'Donoghue
2013-07-28
03 Jim Schaad IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead
2013-07-28
03 Jim Schaad Annotation tag Doc Shepherd Follow-up Underway set. Annotation tag Revised I-D Needed - Issue raised by WG cleared.
2013-07-14
03 Richard Barnes New version available: draft-ietf-jose-use-cases-03.txt
2013-07-08
02 Jim Schaad IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call
2013-07-08
02 Jim Schaad Annotation tag Revised I-D Needed - Issue raised by WG set.
2013-05-31
02 Jim Schaad IETF WG state changed to In WG Last Call from WG Document
2013-05-29
02 Richard Barnes New version available: draft-ietf-jose-use-cases-02.txt
2013-05-26
01 Richard Barnes New version available: draft-ietf-jose-use-cases-01.txt
2013-03-20
00 Richard Barnes New version available: draft-ietf-jose-use-cases-00.txt