Session Date/Time: 10 Nov 2023 14:30
jose
Summary
This meeting covered several topics related to JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE). The discussions focused on the Web Proof specifications, use of Hybrid Public Key Encryption (HPKE) with JOSE, fully specified algorithm values, and guidance for protocol implementers and designers regarding JOSE and COSE payloads. The key decision was to re-charter the working group to include maintenance of existing specifications, which will then allow for adoption calls for several drafts.
Key Discussion Points
- Web Proof Specifications: Updates on aligning with CFRG's BBS signatures draft, addressing GitHub issues, and dependencies on the BLS key representations draft in COSE. The large number of open issues needs to be triaged and prioritized. Concerns were raised about the evolving nature of BBS signatures. Discussion about potentially adding support for blinded signatures for verifiable credentials use cases.
- HPKE with JOSE: Presentation on a draft for using HPKE with JOSE, aiming for alignment with the COSE working group's approach. Only base mode is currently registered, with other modes potentially added via feature specifications. Questions about the need for test vectors, and why the encapsulated key is in a header.
- Fully Specified Algorithm Values: Discussion of a draft to register fully specified algorithm values to avoid ambiguity with polymorphic algorithms. The goal is to update existing RFCs and guide designated experts to prevent registration of more polymorphic algorithms. Questions about the impact on the COSE working group and the handling of conflicting curve parameters. Concerns were raised about the potential for key misuse and the need to bind keys to specific cryptographic operations.
- Guidance for JOSE/COSE Payload Handling: Presentation of a draft providing guidance for implementers to make good decisions about JOSE and COSE payloads. It addresses potential security issues related to key identification, payload processing, and API design. There was general agreement on the importance of this type of guidance, including how it relates to API design and to how keys are identified. The need for developer-friendly tools and test cases was emphasized.
Decisions and Action Items
- Re-chartering: The working group reached consensus to update the charter to include maintenance of existing specifications. Roman will update the charter text accordingly, and the milestones may need to be updated.
- HPKE with JOSE: Send a call for adoption once the working group charter is updated and after addressing the existing comments.
- Fully Specified Algorithms: Send a call for adoption to the mailing list after the working group charter is updated.
- JOSE/COSE Payload Guidance: Haunas will update the guidance draft and resubmit a new version after feedback from additional working group members.
Next Steps
- Roman will update the working group charter.
- Calls for adoption will be sent to the mailing list for the HPKE with JOSE draft and the fully specified algorithms draft after the charter has been updated.
- Haunas will update the JOSE/COSE Payload Guidance document based on feedback.
- Continue triage of the open issues in the Web Proof specifications.