There might be some nice ideas in the JSON-LD-based Secure Messaging. However, a crypto spec that uses encryption without authentication (no AEAD), uses raw CBC mode, thinks CBC stands for *cyclic* block chaining, puts "BEGIN *PRIVATE* KEY" in a field named publicKeyPem, requires RDF Graph Normalization that seems far removed from JSON, etc., does not feel like a great basis.
-- James Manger

> -----Original Message-----
> From: jose [mailto:[email protected]] On Behalf Of Manu Sporny
> Sent: Thursday, 12 December 2013 8:44 AM
> To: JOSE WG
> Subject: [jose] Review Comments: Web Payments, Secure Messaging, and JOSE
>
> Hi all,
>
> These are review comments on the JOSE stack of specifications before they enter Last Call. The purpose of these comments is to try and figure out if we can align multiple security, identity, and digital signature initiatives.
>
> My name is Manu Sporny; I'm the current chair at W3C for the RDFa, JSON-LD, and Web Payments groups. I'm also a specification editor for multiple Linked Data, Security, Identity, and JSON-based digital signature specifications.
>
> A few months ago, a number of the groups I'm involved with did a full review of the JOSE stack of specifications to ensure that we were not duplicating work performed by the JOSE group. The result of that review is available here:
>
> http://manu.sporny.org/2013/sm-vs-jose/
>
> A number of implementers involved in the Linked Data and Web Payments work at W3C have chosen a different authentication, authorization, and digital signature stack than the one that is being created here. This decision came after much hand-wringing and implementation feedback. We used to be based on OpenID, and were headed down the JOSE route before deciding to create an ecosystem that we believe is going to be simpler for Web Developers to work with.
>
> To be clear, this is not to imply that the JOSE or OpenID work is not useful to a number of communities, but rather that it is not a stack that lends itself well to the work we're doing in various groups at the W3C and IETF.
>
> To give a very high-level outline of the different choices we have made:
>
> * JSON-LD spec for message format (instead of pure JSON)
> * Secure Messaging spec for digital signatures (instead of JOSE)
> * Persona for authn (instead of OpenID)
> * HTTP Signatures & Secure Messaging for authz (instead of OpenID)
>
> ...
>
>   "publicKeyPem": "-----BEGIN PRIVATE KEY-----\nMIIBG0BA...OClDQAB\n-----END PRIVATE KEY-----\n"
> }
>
> ...
>
> placing all parameters in an opaque blob of information that has a clear beginning and end (-----BEGIN RSA PRIVATE KEY-----, and --- END RSA PRIVATE KEY ---)
