Web Object Encryption and Signing (woes)
========================================

Background
----------

JSON (an acronym for JavaScript Object Notation) is a text format for the serialization of structured data. It is derived from the JavaScript programming language for representing simple data structures and associative arrays, called objects. Despite its relationship to JavaScript, it is language-independent, with parsers available for almost every programming language.

The JSON format is described in RFC 4627 and builds on two structures:

* A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array.

* An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence.

The JSON format is often used for serializing and transmitting structured data over a network connection. It was initially used in the Web environment to transmit data between a server and web application, serving as an alternative to XML. Now, JSON is being used in various other protocols as well.

With the increased usage of JSON in protocols there is now also the desire to offer security services, such as encryption, and message signing, for JSON encoded data. Different proposals for providing these security services have been defined and implemented. Examples are: JSON Web Token [JWT], Simple Web Tokens [SWT], Magic Signatures [MagicSignatures], JSON Simple Sign [JSS], JavaScript Message Security Format [JSMS].

This working group aims to develop specifications to standardize these security services for JSON encoded data to improve interoperability, and to increase confidence in the offered security functionality based on the expert review process utilized in the IETF. Future work in the group may offer support for other security services. Re-chartering of the group is, however, required.

This working group aims to re-use well-defined concepts from Cryptographic Message Syntax (CMS) [CMS], XML Digital Signature [XMLDSIG] and XML Encryption [XMLENC] since the group aims to develop a JavaScript-developer-friendly JSON-equivalent for CMS.

Since this work is within the realm of the security domain, respective experts will be involved.

References
----------

[JWT] M. Jones, et al. "JSON Web Signature (JWS)", draft-jones-json-web-signature-01 (work in progress), Mar. 2011.

[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", September 2010.

[MagicSignatures] Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic Signatures", August 2010.

[SWT] Hardt, D. and Y. Goland, "Simple Web Token (SWT)", Version 0.9.5.1, November 2009.

[XMLDSIG] W3C, "XML Signature Syntax and Processing (Second Edition)", available at http://www.w3.org/TR/xmldsig-core/, Jun. 2008.

[XMLENC] W3C, "XML Encryption Syntax and Processing", available at http://www.w3.org/TR/xmlenc-core/, Dec. 2002.

[CMS] R. Housley, "Cryptographic Message Syntax", RFC 3852, Jul. 2004.

[JSMS] E. Rescorla, J. Hildebrand, "JavaScript Message Security Format", draft-rescorla-jsms-00 (work in progress), Mar. 2011.

Deliverables
------------

This group is chartered to work on two documents:

1) A Standards Track document specifying how to apply a digital signature and a keyed message digest to JSON encoded data.

2) A Standards Track document illustrating how to encrypt JSON encoded data.

Goals and Milestones
--------------------

Aug 2011  Submit JSON object signing document as a WG item.

Aug 2011  Submit JSON object encryption document as a WG item.

Mar 2012  Start Working Group Last Call on JSON object signing document.

Mar 2012  Start Working Group Last Call on JSON object encryption document.

Apr 2012  Submit JSON object signing document to IESG for consideration as Standards Track document.

Apr 2012  Submit JSON object encryption document to IESG for consideration as Standards Track document.
