JSON Web Messaging (JWM): What are they and why are they useful for secure messaging sytems?
JSON Web Messaging (JWM): What Are They & Why Are They Useful For Secure Messaging Systems?
Session: 12E
Convener: Kyle Den Hartog
Notes-taker(s): Ryo Kajiwara
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
http://tools.ietf.org/html/draft-looker-jwm-01
http://github.com/mattrglobal/jwm
(related: Consent to Create Binding http://wiki.idesg.org/wiki/index.php/Consent_to_Create_Binding short-lived vs long-lived: when consent changes over time)
JWM: way to encode application-level messages
use JWE to protect integrity
JWS to associate messages with a non-repudiable digital signature
http://medium.com/mattr-global/jwm-a-new-standard-for-secure-messaging-a21d3daa4403
JWTs are good as tokens, except it's not good for messages
more optimized towards secure messaging use cases
multi-recipient architectures
JWMs do not allow `none` format of JWT
not dealing with the delivery mechanism -> usage of DIDComm
IETF working group? -> trying to get it to dispatch
trying to present it at next IETF
didn't specify anything like DIDs at this level (for recipients/senders)
unguessability of the ID?
Authenticated Encryption
signing is one thing, you can also use AE
ECDH-1PU http://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03
intermediaries that want to make decisions without knowing the content
signatures that are understandable by intermediaries
multi-level nested JWM
- sign then encrypt, not encrypt then sign
- but if "sign then encrypt" (=e2e encrypted), intermediaries can't interpret the sign
differentiation of metadata of the message and content of the message
standard attributes of JWM is message metadata-y
you can put whatever in the body
it will be a useful feature
or else everyone will have to invent a way to not collide
Q: Was JWS built with transports without encryption in mind? What protocol (for transport/delivery) was on your mind when you were developing this spec?
-> HTTPS. keeping the message when the user is offline. with HTTPS the transport is secured, but data at rest is not secured, so having the message encrypted at message level also helps.
Comment: Direction for taking this draft forward. Contact Application Area Director at IETF. JMAP WG does something similar (not exactly fitting current charter)