Re: WG Review: CBOR Object Signing and Encryption (cose)

2015-05-26 13:31:58
First, I appreciate the effort that went into this charter text. It is
clear, understandable, and properly focused.

That being said...

On Fri, May 22, 2015 at 2:52 PM, Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> wrote:
> When CBOR was proposed, the group working on it asserted that it was a
> private initiative, outside IETF process and they had no obligation to
> consider other design approaches.

There was an appeal regarding the publication of CBOR for which the outcome
was: 1) IETF process was not followed, and 2) but the RFC is already
published and some bells cannot be unrung. Fair enough, however basing
further IETF work on it may not be wrong but does not seem right either.
Phillip, having been active in the JSON wg and a known security-area
participant, has a broader point that different design decisions may have
been made had we known things would go this far.

I also noticed that the active draft for this effort has a normative
dependency on CDDL. Working groups such as TZDIST were told they could not
normatively depend on JCR. Again, fair enough. But what is to happen here?
Given the parallels drawn between CBOR and JSON, it would be unfortunate
for the IETF to bless one "JSON schema language" without a wider
discussion. I am not saying they shouldn't use CDDL, but it would be best
if the relationship between it and JSON were more clearly understood.

-andy