- From: Richard Barnes <rbarnes@bbn.com>
- Date: Fri, 18 Jan 2013 16:57:00 -0500
- To: Ryan Sleevi <sleevi@google.com>
- Cc: Harry Halpin <hhalpin@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
> Richard, > > It's very clear from both charters that JOSE and WebCrypto are > separate projects, separate efforts, and seek to meet a separate set > of goals. While there is some commonality, I strongly object to the > suggestion that they are at all related in purpose enough to derive > value from sharing algorithms. > > In all the people I've talked to who have expressed interests or use > cases for this API, not a single person has expressed any interest in > JOSE. It's certainly clear that the use of JWE, JWT, JW*, JWK, while > certainly possible through this API, are NOT the sole intended > consumers. > > At it's core, JOSE is a wire format. The WebCrypto API is an API. No > amount of rechartering in either WG is going to change this reality. > The decisions made should best reflect their intended purposes and use > cases, and should not be arbitrarily and unnecessarily joined. > > It does not make any sense to me whatsoever to have an API definition > handled through an IANA registry nor through a wire representational > form, especially one as inefficient (for *Web Apps*) and > programmer-unfriendly as JOSE. > > JOSE MUST make decisions that best reflect its' design requirements - > including efficient URL representation - while the WebCrypto API MUST > make decisions that best reflect users' and authors' needs - which > extend well beyond JOSE. There is an inherent incompatibility in these > MUSTs - a point I well understood that we'd previously reached > consensus on, as reflected in the decisions on ISSUE-13. Ryan, I can't agree that WebCrypto and JOSE are as separate as you claim. WebCrypto needs to represent crypto constructs in JavaScript, JOSE in JSON; the difference in concept is only really serialization. If we don't coordinate, we're going to have duplication. These babies are inherently conjoined. As far as the need for JW* from users, the lack of interest is not actually that surprising. It's a network effect thing. Right now, everyone you're trying to talk to is speaking some ancient ASN.1 language that your JS has to interoperate with. If JOSE lives up to its charter, it should be a web-friendly replacement for things like CMS and PKCS12, so that future applications can not have to deal with ASN.1. The trick for WebCrypto is to be able to support the legacy stuff while also looking forward. We do agree, however, that the current JOSE specs are developer-hostile, especially in the web environment. It prioritizes wire compactness over developer utility in the worst possible way. That's a major flaw in a JOSE, and a discussion that we should have over there. Maybe I'm the only one who's fantasizing about a world where building secure apps is actually straightforward, with JOSE as a secure object format instead of CMS, and WebCrypto for the processing instead of platform APIs. But I think that's the world we should be trying to build here, and we shouldn't be stopped by the failings of our current *draft* specs. --Richard
Received on Friday, 18 January 2013 21:57:27 UTC