Re: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)

Fri, 10 Jul 2020 13:22:55 -0700 

I must admit, I was surprised to see this RFC, because very little discussion 
of it happened on the JOSE mailing list.  The last mention I can see of it was 
in February 2019 - the same time you were proposing to take this to 
SecDispatch.  I never heard of it again after that.

So that any future related efforts have an opportunity for widespread review, 
particularly if they are JOSE related, I'd request that you and others working 
on them also post drafts to the JOSE mailing list, even if you're working in 
the Independent Stream.

There are things I would have commented on in JCS if I'd seen intermediate 
drafts before it became an RFC.  (For instance, I would have asked for explicit 
serialization instructions for the one ASCII control character not in the range 
0x00-0x1F - 0x7F (DEL).)

                                Thanks,
                                -- Mike

-----Original Message-----
From: jose <[email protected]> On Behalf Of Anders Rundgren
Sent: Friday, July 10, 2020 11:41 AM
To: [email protected]
Subject: [jose] Beyond RFC 8785 (JSON Canonicalization Scheme)

After virtually eons of time https://www.rfc-editor.org/rfc/rfc8785 has finally 
been published.
It wouldn't have happened without the input from the IETF community!

Since canonicalization in itself is fairly useless, there are several 
additional work-items building on JCS (RFC 8785) in the pipe-line:

On-line demo/test using JWS: https://mobilepki.org/jws-jcs On-line demo/test 
using an "unwrapped" JWS called JSON Signature Format (JSF): 
https://mobilepki.org/jsf-lab

A real-world implementation by OWASP using JSF: 
https://cyclonedx.org/use-cases/#authenticity

There is also an "unwrapped" JWE called JSON Encryption Format (JEF), currently 
published as an HTML document: 
https://cyberphone.github.io/doc/security/jef.html

If anybody out there would be interested in "RFC-ing" JWS-JCS, JSF, or JEF, 
please drop me a line.

The current plan is publishing the additional RFCs using the Independent 
Stream, rather than as IETF standards.

Anders

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose

Reply via email to