| The extension part of it would be âan extension to add a top-level property to each object called âsignaturesâ with a type of âlist of signatureâ and an extension to add a new object. But people have always been able to add their objects. Everything else is not an extension but rather how you do it. The other extension that might be useful for STIX land is an extension to the âidentityâ object to enable a way to share public keys. But that part is not what I am talking about.
It appears that JMG just took what we did in CACAO and tweaked a few things and submitted it. What I want to know is what are the changes and why did he do them? The designs we have in CACAO are a based on a compromise between what we need for signing JSON data and the IETFâs JOSE Working Group. Keep in mind that the design we have in CACAO is also in process to go through the IETFâs system to become an RFC. So understanding what JMG has changed and why he did it, is critical. Otherwise you might very well end up with a solution for STIX that is incompatible with the rest of the industry.
Bret
We will try to get a list of differences out to you. A mechanical diff wonât work in this case, so we will create a high level overview. Please be aware that this is coming forward as an extension object, not as an update to the specification at this time. Emily ZjQcmQRYFpfptBannerStart This Message Is From an External Sender | This message came from outside your organization. |
|
|
ZjQcmQRYFpfptBannerEnd
Iâm unable to attend such a meeting (due to many conflicts) but I would also ask the team provide a delta presentation or doc and help provide insight/why a delta needs to exist. I generally agree that coming up with 2 solutions for digital signing on STIX/CACAO (fundamentally JSON) makes no sense and will likely undermine the whole objective. Would it be possible for someone to provide a summary on the differences? Any insight on pro/con on what the delta does would also help. Iâm very familiar with the CACAO (fundamentally its just JSON) signing. So it would help me understand better if such a delta existed.
Hi Bret, Are you able to join us next week to discuss your concerns and hear the rationale for the differences? Emily ZjQcmQRYFpfptBannerStart This Message Is From an External Sender | This message came from outside your organization. |
|
|
ZjQcmQRYFpfptBannerEnd
HI Emily, I would like to see a diff of this proposal from the proposal I submitted to this TC based on what CACAO did. From what I can tell, JMG just tweaked my original content. So a diff would be very helpful since the CACAO version is already being used in the wild. Reinventing the wheel is never a good idea and diminishes the value of OASIS as whole. Bret
John-Mark sent out his proposal for JSON Signing last week. I got some reports that some people did not receive his email. For next weekâs meeting, please review the proposal here: and come prepared to discuss.
|