Hi all,
as mentioned earlier I have requested a BOF about the JSON signature
topic and the IESG discussed the various BOF proposals this Tuesday.
FYI, here are all the BOF proposals:
http://trac.tools.ietf.org/bof/trac/
The BOF was not approved because the IESG felt we need more time for
preparation. That's not a problem.
We will discuss the topic in the OAuth working group meeting, and the
security area director, Sean Turner, will create a separate mailing list
to involve a larger audience.
So, you might ask yourself what is the big issue here. Well. In some
sense, the main question that seems to be there is why aren't we using
CMS to protect JSON payloads (instead of developing our own signature
mechanisms). I believe that it is a fair question to ask why existing
and deployed functionality hasn't been used.
To some extent this question relates to the overall question of what
cryptographic functionality is available with browsers, what are the
usage scenarios (e.g. does JavaScript need to be used to compute a
signature over the JSON token, what functionality can reside in a
browser, etc.).
These types of topics will be raised and we should discuss them on the
mailing list, once it is created (which should happen today according to
Sean).
Ciao
Hannes