Discussion:
[OAUTH-WG] [Ace] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00
Kepeng Li
2016-05-09 12:38:11 UTC
Permalink
We got several expressions of support and no objections, so it is concluded that the draft
is adopted as an ACE WG item, with the change that we remove the "web" from
the name.

Authors: please resubmit the current draft as
draft-ietf-ace-cbor-token-00.txt; we will start processing further changes
in the WG process. (If you already know about technical issues, please use
the WG tracker for now; editorial issues might be tracked more easily on GitHub.)

We will also add this item in our ACE charter.

Kind Regards
Kepeng (ACE co-chair)

From: Li Kepeng <***@alibaba-inc.com>
Date: Thursday, 7 April, 2016 9:34 am
To: "***@ietf.org" <***@ietf.org>
Cc: Kathleen Moriarty <***@gmail.com>, Hannes
Tschofenig <***@gmx.net>, <***@ietf.org>, <***@ietf.org>,
Stephen Farrell <***@cs.tcd.ie>
Subject: [Ace] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00

To: ACE WG
Cc: OAuth and COSE WG

Hello all,

This note begins a Call For Adoption for
draft-wahlstroem-ace-cbor-web-token-00 [1]
to be adopted as an ACE working group item, and added in the charter.
The call ends on April 22, 2016.

Keep in mind that adoption of a document does not mean the document
as-is is ready for publication. It is merely acceptance of the
document as a starting point for what will be the final product
of the ACE working group. The working group is free to make changes to
the document according to the normal consensus process.

Please reply on this thread with expressions of support or opposition,
preferably with comments, regarding accepting this as a work item.

Note that this email was also copied to the OAuth and COSE WGs, in order to
get input from a wider audience.

Thanks,

Kind Regards
Kepeng (ACE co-chair)

[1] https://datatracker.ietf.org/doc/draft-wahlstroem-ace-cbor-web-token/

_______________________________________________ Ace mailing list
***@ietf.org https://www.ietf.org/mailman/listinfo/ace
Carsten Bormann
2016-05-09 14:31:34 UTC
Permalink
Post by Kepeng Li
draft-ietf-ace-cbor-token-00.txt;
For the record, I do not think that ACE has a claim on the term "CBOR
Token". While the term token is not used in RFC 7049, there are many
tokens that could be expressed in CBOR or be used in applying CBOR to a
problem.

ACE CBOR Token is fine, though.
(Or, better, CBOR ACE Token, CAT.)

Grüße, Carsten
Justin Richer
2016-05-10 00:49:29 UTC
Permalink
We can also call it the “COSE Token”. As a chair of the COSE working group, I’m fine with that amount of co-branding.

— Justin
_______________________________________________
COSE mailing list
https://www.ietf.org/mailman/listinfo/cose
Erik Wahlström
2016-05-10 08:43:50 UTC
Permalink
Or keep the CBOR Web Token (CWT) for two major reasons:
- To show the very close relationship to JWT. It relies heavily on JWT and
its IANA registry. It is essentially a JWT but in CBOR/COSE instead of
JSON/JOSE.
- I would not say that JWT is the only format that works for the web, and
it's even used in other, non-traditional, web protocols. That means I don't
have a problem with the W in CWT at all. Why would JSON be the only web
protocol?

Then we also have one smaller (a lot smaller) reason, it's the fact that it
can be called "cot" just like JWT is called a "jot" and I figured that our
"cozy chairs" would very much like that fact because then it's essentially
a "cozy cot" :)

/ Erik
Mike Jones
2016-05-10 08:50:38 UTC
Permalink
I also feel strongly that the name should remain CBOR Web Token. CWT is a beneficiary of the intellectual and deployment heritage from the Simple Web Token (SWT) and JSON Web Token (JWT). CWT is intentionally parallel to JWT. The name should stay parallel as well.

The “Web” part of the “CBOR Web Token” name can be taken as a reference to the Web of Things (see https://en.wikipedia.org/wiki/Web_of_Things). As Erik correctly points out, JSON is not the only data representation that makes things in the Web and the Web of Things.

-- Mike

Justin Richer
2016-05-10 12:57:27 UTC
Permalink
You’re missing my original complaint: Until this token can be directly encoded into web technologies, like HTTP headers and HTML pages, then it has no business being called a “Web” anything. As it is, it’s a binary encoding that would need an additional wrapper, like base64url perhaps, to be placed into web spaces. It can be used in CoAP and native CBOR structures as-is, which is what it’s designed to do.

The “web” part of JWT is very important. A JWT can be used, as-is, in any part of an HTTP message: headers, query, form, etc. It can also be encoded as a string in other data structures in just about any language without any additional transformation, including HTML, XML, and JSON. This makes the JWT very “webby”, and this is a feature set that this new token doesn’t share. Ergo, it has no business being called a “web” token regardless of its heritage.

Both CBOR Token and COSE Token are fine with me.

— Justin
Phil Hunt (IDM)
2016-05-10 15:14:22 UTC
Permalink
I don't have this issue. I see your point, but I think the constrained branding makes it clear.

IOW, when the specs say "constrained web", the use means to me that the tokens are for the constrained set of binary protocols, which all tend to be in parallel architecture with web APIs anyway.

Phil
Justin Richer
2016-05-10 20:36:57 UTC
Permalink
Then how about the ACE Constrained Token (ACT)?

— Justin
Erik Wahlström
2016-05-11 11:42:17 UTC
Permalink
That's a very valid scenario actually. So much so that it should actually be
handled in the draft.
Scenario: In the continuum of large and small devices an unconstrained
client and AS goes through the hoops of issuing a token using standard
(HTTP/JSON). The Resource Server however is constrained and would very much
like a CWT when it communicates with the Client. That means that in the AS
to Client response from the token endpoint the binary token should actually
be wrapped by base64url.
I can definitely see that being added to the draft.
/ Erik
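The wrapping step from the scenario in the last message, as an added example that is not part of the thread or of the draft: a binary CBOR token is base64url-wrapped by the AS for an HTTP/JSON token response, and the client unwraps it before handing the raw bytes to a constrained RS. The claims map is constructed and unsigned (no COSE layer), and the function names, claim names and JSON layout are assumptions made for illustration.

```python
import base64
import json


def cbor_head(major: int, n: int) -> bytes:
    """CBOR initial byte (major type) plus its length/value argument."""
    if n < 24:
        return bytes([(major << 5) | n])
    for extra, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | extra]) + n.to_bytes(size, "big")
    raise ValueError("value too large for CBOR")


def cbor_encode(obj) -> bytes:
    """Minimal encoder: integers, byte strings, text strings and maps only."""
    if isinstance(obj, bool):
        raise TypeError("booleans are not handled by this sketch")
    if isinstance(obj, int):
        return cbor_head(0, obj) if obj >= 0 else cbor_head(1, -1 - obj)
    if isinstance(obj, bytes):
        return cbor_head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return cbor_head(3, len(raw)) + raw
    if isinstance(obj, dict):
        items = b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
        return cbor_head(5, len(obj)) + items
    raise TypeError(f"unsupported type: {type(obj).__name__}")


def is_text_safe(data: bytes) -> bool:
    """True if every byte is printable ASCII, i.e. usable as-is in a header or JSON string."""
    return all(0x20 <= b < 0x7F for b in data)


def b64url_wrap(token: bytes) -> str:
    """base64url without padding, the same text form JWT segments use."""
    return base64.urlsafe_b64encode(token).rstrip(b"=").decode("ascii")


def b64url_unwrap(text: str) -> bytes:
    """Restore the stripped padding, then decode back to the binary token."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint_response(token: bytes) -> str:
    """AS side: HTTP/JSON token response carrying the binary token as text."""
    return json.dumps({"access_token": b64url_wrap(token), "token_type": "Bearer"})


def client_extract_token(body: str) -> bytes:
    """Client side: recover the raw bytes to forward to the constrained RS."""
    return b64url_unwrap(json.loads(body)["access_token"])


# Constructed sample claims (assumption: JWT-style text claim names, no signature).
SAMPLE_TOKEN = cbor_encode({
    "iss": "coap://as.example",
    "aud": "coap://rs.example",
    "exp": 1462968000,
})

if __name__ == "__main__":
    print("raw token text-safe:", is_text_safe(SAMPLE_TOKEN))
    body = token_endpoint_response(SAMPLE_TOKEN)
    print("JSON response:", body)
    print("round trip ok:", client_extract_token(body) == SAMPLE_TOKEN)
```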