JSON Web Messaging (JWM): What are they and why are they useful for secure messaging sytems?

From IIW

JSON Web Messaging (JWM): What Are They & Why Are They Useful For Secure Messaging Systems?

Session: 12E

Convener: Kyle Den Hartog

Notes-taker(s): Ryo Kajiwara

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:



(related: Consent to Create Binding http://wiki.idesg.org/wiki/index.php/Consent_to_Create_Binding short-lived vs long-lived: when consent changes over time)

JWM: way to encode application-level messages

use JWE to protect integrity

JWS to associate messages with a non-repudiable digital signature


JWTs are good as tokens, except it's not good for messages

more optimized towards secure messaging use cases

multi-recipient architectures

JWMs do not allow `none` format of JWT

not dealing with the delivery mechanism -> usage of DIDComm

IETF working group? -> trying to get it to dispatch

trying to present it at next IETF

didn't specify anything like DIDs at this level (for recipients/senders)

unguessability of the ID?

Authenticated Encryption

signing is one thing, you can also use AE

ECDH-1PU http://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03

intermediaries that want to make decisions without knowing the content

signatures that are understandable by intermediaries

multi-level nested JWM

  • sign then encrypt, not encrypt then sign
  • but if "sign then encrypt" (=e2e encrypted), intermediaries can't interpret the sign

differentiation of metadata of the message and content of the message

standard attributes of JWM is message metadata-y

you can put whatever in the body

it will be a useful feature

or else everyone will have to invent a way to not collide

Q: Was JWS built with transports without encryption in mind? What protocol (for transport/delivery) was on your mind when you were developing this spec? -> HTTPS. keeping the message when the user is offline. with HTTPS the transport is secured, but data at rest is not secured, so having the message encrypted at message level also helps.

Comment: Direction for taking this draft forward. Contact Application Area Director at IETF. JMAP WG does something similar (not exactly fitting current charter)