JSON Web Proofs (JWP) Virtual Interim BOF

Wednesday, 12 October 2022, 1700 UTC

1. Administrative and Agenda Bash (Chairs - 10 min)

Reminders: this is a WG-forming BOF. There was a short version in
Philadelphia this is a continuation. Focus is whether or not to have a
formal WG or how we want to tackle the issue.

2. Why are we proposing to do this work? (Jeremie / Mike, 15 minutes)

What is a ZKP:

3. Discussion of the problem (15 minutes)

Brent Zundel

Our roadmap needs this, we want one that is interoperable, we love that
successful containers have been created in the past and want to see this
happen so Avast cn use.

Orie Steele

Excited about doing this work in the IETF to secure JSON knowledge.
Framing is excellent, one asked how much of this is just very specific
to W3C VC? I am excited to use JWP for securing JSON that isn't W3C VC.
JSON and CBOR need knowledge mechanisms that can capture advancements.
There are new capabilities we need to wrap in envelopes. Many use cases
in W3C can leverage this and build - excited to participate and align,
review and comment. Now is the time, so we don't perpetuate the 'custom
container' anti-pattern.

Mike Prorock

Echoing similar support - I'm with MeasureIO, we deal with food security
related to global disease spread this is important,this work prevents
reinvention of the wheel around problems that need to be standardized by
the right people, those familiar with cryptography.

Tobias Looker

Expressing similar support. BBS was recently adopted and like JWP it
recycles clever design decisions for algorighms such as BBS. Strong
supporter of the work.

Karen O'Donaghue

Questions about the clarity of the problem or whether there is a problem
to solve?

Brian Campbell (BC)

With regard to clarity - the proposed charter text is not consistent
with what is stated here. The charter is still focused on unlinkability
& selective disclosure.

Mike Jones (MJ)

Agreed that the draft charter hasn't been updated. We could do that,
expect that the deliverables will be the same but can update to make the
framing consistent with today's presentation.

John Bradley (JB)

Richard Barnes had some skepticism over the plausiblity of the overall
endeavor, wanted to note that. Another email message expressed
skepticism over SD-JWT but thought that JWP should be chartered (this is
John's interpretation). This WG isn't defining low level algs or high
level use, we are just focused on the container, clarifying in the
charter may help to satisfy most people.

Mike Jones

Thanks John for bringing up list comments, the person in the discussion
(Daisuke) did agree that a WG is needed and also noted that if there is
a WG, it should be JOSE


Is there a problem for the IETF to solve? 17 raised, 1 did not raised,
18 participants

Karen O'Donaghue

Consensus is there is a problem to solve.

Carsten Bormann (CB)

Can the not-hand-raiser state why they didn't raise?

Brian Campbell

Was partly struggling with interface, there is a disconnect between the
problem and the proposal to solve it (i.e., the charter)

Carsten Bormann

(in chat) agrees it is not clearly defined

4. How are we proposing to address this problem? (Jeremie - 15 minutes)

JB: clarifications: these documents would be submitted for consideration
to a WG should it be created, these are proposals and could be accepted
by the WG. Not saying these documents are accepted, others may submit
very different proposals. In SD-JWT, multiple objects have been "bodged"

together. In contrast, JWP has less gluing together.

5. Discussion of the possible solution (15 minutes)

MJ: reminder, solutions are the job of the WG. The drafts are an
existence proof - evidence that the problem can be solved
MJ: reviewing questions from last BOf

  1. Isn't JWS/JWT enough? JOSE can't represent ZKP. More ZKP inputs are
    needed and there is no represenation for inputs, as well transform
    or finalize steps are needed
  2. Isn't SD-JWT enough? These comparisons are fair, and SD-JWT has been
    adopted. SD-JWT is explicitly designed to support selective
    disclosure. It is enough for some use cases but doesn't enable rich
    properties that ZKPs do. So SD-JWT is great but doesn't take us all
    the way to solve the problems that ZKPs solve.
  3. What about CBOR? The WG could create a CBOR container and that is in
    scope. Plan is to start with JSON based container recognizing that
    CBOR should be easier due to its native binary support. Hopefully
    the same folks will collaborate.

Carsten Borman: you are hitting right points. Another complication is
compact format and tilde, there is no room for another hierarchy,
nightmare scenario is that design leads to an information model that is
impossible to understand. Would rather not design something completely
around limitations of JWT/JOSE, so question is should we do CBOR design
at the same time and avoid the problem.

MJ: agree and hope Carsten will be there to collaborate. Historical
note: There are 2 serializations in JOSE, compact and JSON. Multiple
signatures are part of that 2nd serialization. It is possible that there
will be 2 serializations in this JWP work too. Even in COSE there were
different optimization paths, not pre-judging what the WG will do.

KO: questions about interest, comments on high level solutions,
willingness to participate

JB: does anyone think existing work adequately addresses the problem?
KO: anyone who disagrees?

Roman Danyliw (Area Director): lets agree there is consensus if nobody
is speaking up. Don't need to use the poll tool.

  1. Is there agreement that existing IETF work does not address this

  2. Is there enough work here for a working group in the IETF?

  3. Is there sufficient interest in doing this work?

  4. Who is willing to participate? (Poll)

  5. Who is willing to review? (Poll)

6. Proposed Charter (15 minutes)

KO: We've heard that it doesn't yet reflect the framing that Jeremie and
Mike provided today.

MJ: I can revise the messaging in charter intro. The deliverables
shouldn't change.

RD: Hearing we have to change charter but consensus check: is there
support for the deliverables as described in the charter?


In chat, CB said he would alter the test vectors a bit that will be for
WG to decide

Consensus call: Would you support chartering a WG around deliverables?

Peter Saint Andre: Question - charter says that there is talk of
creating algs

MJ: We will specify for algs how inputs/outputs are represented but
explicitly disclaim alg work. Will take similar text directly from COSE
charter and fix that text.

KO: confirming changes including test vectors, and statements on making

Shawn Butterfield (SB): is it appropriate to reference SD-JWT?

MJ: there is a reference and intent to coordinate stated directly in the
charter text

SB: (thumbs up)

RD: seems like we have consensus for deliverables, how about rest of
charter (incremental consensus)? We can get consensus on charter as is
then collect feedback on edits and understand magnitude.

KO: anyone opposed to using existing charter as a starting point and
then editing?

RD: Don't need all the design thinking but simple primitives of "this is
what we want to do in extending JOSE". Complexity in charter won't help

KO: Believe we have consensus to use initial charter as draft, MJ will
make edits and will leave a small window for additional suggestions.

JB: Summary: we will make these edits and then will present to the WG
after it is chartered.

RD: agree we have consensus, that we need wordsmithing. It will be
packaged on github. When MJ is done, I will put into datatracker and
then will put the pkg to the JOSE list to check consensus and accuracy.
Call for confirmation and then we'll take next steps (either more edits
or moving on to WG).

7. Proposed Mechanics (10 minutes)

KO: any objections to using the JOSE mailing list or to the WG being

Consensus call: objections to reopening the JOSE WG under the new
proposed charter?

MJ: Propose to remove the TBD from charter and call it JOSE (no

8. AOB (10 minutes)

RD: reminder of IETF process - after confirming consensus on the
charter, it goes to the IESG telechat for initial review, then to
community (2 weeks), then back to IESG for final review, and then WG.

JB: could we use the time as an unofficial space or as a BOF?
RD: probably not

KO: does that mean side meetings can't happen?
RD: no, that is fine

KO: Wiki for side meetings open on Friday. JB and KO will work to get a
side meeting opened up. Meetecho support isn't there for side meetings.

RD: (in chat) a side meeting will be a sign of success