For https://tools.ietf.org/id/draft-jones-jose-key-managed-json-web-signature-01.txt I'd recommend that it not be published or pursued further.

Perhaps my view is narrow or naive but I don't see the value in having the key management layer for a MAC key. The very question of "why" was asked <https://www.ietf.org/mail-archive/web/jose/current/msg04957.html> twice <https://www.ietf.org/mail-archive/web/jose/current/msg04996.html> during the course of one of the only threads on the WG list regarding KMJWS <https://www.ietf.org/mail-archive/web/jose/current/threads.html#04956> but was never answered that I can see. Perhaps the question was lost amidst the lively rhetoric in the rest of the thread. But I think it's a valid question nonetheless and, short of hearing some pretty compelling answers, I don't see any reason to add another document and the additional options and complexity that it'd bring.

I do also see the potential for confusion and security problems arising from maybe thinking, or having the interaction between libraries and applications tricked into thinking, that combinations like {"alg":"RSA-OAEP","mac":"HS256"} used in the draft <https://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-01#appendix-A> provide more than they actually do, which is only an assurance of integrity of the message since the MAC was computed by any anonymous sender and doesn't authenticate the sender in any way.

I don't have strong opinions about https://tools.ietf.org/id/draft-jones-jose-jws-signing-input-options-00.txt as I've not seen a need for it in my work but there seems to be other interest in such a scheme.

On Wed, Jul 1, 2015 at 9:37 AM, Karen O'Donoghue <[email protected]> wrote:

> Folks,
>
> With the thumbprint draft progressing through the process, we have two
> remaining individual drafts to decide what to do with. The options include:
> 1) adopt as working group drafts; 2) ask for AD sponsorship of individual
> drafts; or 3) recommend that they not be published. Please express your
> thoughts on what we should do with these drafts. Jim, Kathleen, and I would
> like to make a decision in the Prague timeframe, so please respond by 15
> July.
>
> https://tools.ietf.org/id/draft-jones-jose-jws-signing-input-options-00.txt
>
> https://tools.ietf.org/id/draft-jones-jose-key-managed-json-web-signature-01.txt
>
> Thanks,
> Karen
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
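The point made in the message above about {"alg":"RSA-OAEP","mac":"HS256"}, as an added example that is not part of the original message or of the draft: a simplified Node.js model in which the `produce`/`verify` functions and the message layout are assumptions, not the draft's serialization. It shows the recipient's check passing for any holder of the recipient's public key while still rejecting a modified payload.

```javascript
// Added illustration: simplified model, NOT the draft's serialization.
const crypto = require('node:crypto');

// Recipient's key pair; the public half is available to everyone.
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING });

// Hypothetical producer: needs only the recipient's PUBLIC key.
// It picks a fresh MAC key, wraps it with RSA-OAEP, and MACs the payload.
function produce(recipientPublicKey, payload) {
  const header = { alg: 'RSA-OAEP', mac: 'HS256' }; // combination from the message
  const macKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt(oaep(recipientPublicKey), macKey);
  const input = JSON.stringify(header) + '.' + payload;
  const tag = crypto.createHmac('sha256', macKey).update(input).digest();
  return { header, wrappedKey, payload, tag };
}

// Hypothetical recipient check: unwrap the MAC key, recompute, compare.
function verify(recipientPrivateKey, msg) {
  const macKey = crypto.privateDecrypt(oaep(recipientPrivateKey), msg.wrappedKey);
  const input = JSON.stringify(msg.header) + '.' + msg.payload;
  const expected = crypto.createHmac('sha256', macKey).update(input).digest();
  return expected.length === msg.tag.length &&
    crypto.timingSafeEqual(expected, msg.tag);
}

// Constructed sample payloads from two unrelated parties. Nothing in the
// message binds either one to a sender identity.
const fromKnownPeer = produce(recipient.publicKey, '{"iss":"peer","amount":10}');
const fromStranger = produce(recipient.publicKey, '{"iss":"peer","amount":9999}');

// Same message with the payload altered after the tag was computed.
const altered = { ...fromKnownPeer, payload: '{"iss":"peer","amount":11}' };

function demo() {
  return {
    knownPeer: verify(recipient.privateKey, fromKnownPeer), // integrity holds
    stranger: verify(recipient.privateKey, fromStranger),   // also verifies
    altered: verify(recipient.privateKey, altered),         // rejected
  };
}

console.log(demo());
```

A receiving library that reports such a result as "signature valid" should not have that result mapped to an authenticated principal by the application; sender authentication needs a key the verifier already associates with that sender.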
