Hello JOSE WG,

I just reviewed the WG document in the effort of understanding the features that are being addressed and the possible inter-WG interoperability capabilities and/or issues. I have to apologize for not being able to participate in the WG efforts before.

Unfortunately, it seems (IMHO) that much of the previous work that has been done in the security area, most noticeably by the PKIX WG, has been practically ignored. In particular (and please forgive me if I am raising points that have already been addressed in the past - if so, please provide me with references so that I can understand these choices), here are the overall general issues that I found throughout the documents:

 * *Duplication of Registration for Algorithm Identifiers
   (cross-application).* This is particularly bad because the
   text identifiers (even if it is specified that they should be
   unique) might be "overloaded" in their usage because of the chosen
   names. Those identifiers (as written today in the docs) are similar
   to descriptions, rather than IDs.
 * *Format-Dependent content protection* - This seems to be an
   over-engineering of the format where not needed - i.e., content is
   content, not JSON-without-spaces-on-one-line content.
 * *Algorithm Agility* - I find it odd that all the work that has
   been done in the past for moving from specifying algorithms to
   providing specs for extensible algorithm fields has been ignored
   (e.g., fixed SHA-1 and SHA-256 specification for certificate identifiers).
 * *Interoperability with PKIX formats.* No effort, AFAIK, has been
   made (at least reflected in the documents) about format translation
   from the structures used by the PKIX group into JSON - that would
   provide a more useful tool for integrating JSON into existing
   cryptographic libraries (ease of deployment and format interoperability).


Last, I found the following notation very weird:

    ASCII(BASE64(...))

Since BASE64 is an ASCII representation, what does the ASCII() spec mean in this case and why is it needed?

Best Regards,
Dr. Pala

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose