ā† Back to Blog Home Cozevs.JOSE

Coze Vs. JOSE

We get asked a lot, how does Coze compare to JOSE?


Coze is a cryptographic JSON messaging specification. It is open source (BSD 3) and has a reference implementation written in Go, along with a JavaScript implementation, a CLI library, and an awesome online tool.

Coze is simple

How Coze Started

When we first started, we knew we needed a dependable cryptographic framework for Cyphr.me, which is deeply dependent on cryptography. We needed a standardized way to reference messages, replay attack prevention, signature malleability prevention, and other critical features we expected from a cryptographic framework.

We surveyed existing tools, and among those was JOSE. At first glance JOSE looked promising, but as we dug into it we quickly realized it was not suitable for our needs. Implementing JOSE, or even just JWT, would have been hard, and it lacked the features we anticipated. If we had employed JOSE, it would have been for a specification that we were not happy with and that needed additional restrictions to meet our needs.

So we journeyed out on our own and started work on what we first called the "radical cyphr", named as such because it was a "radical" departure from existing tools. We knew that "radical cyphr" was a terrible name, and Jared joked that we should just name it "Cyphr JOSE", or "CO-SEE" for short. Eureka, Coze! We looked up the meaning, "a friendly talk; a chat", and it was perfect for a messaging standard.

We first worked privately on the specification, and then publicly released Coze on Jun 8, 2021, which is 30 years and one day after the initial release of PGP 1.0 as a nod to cypherpunk Phil Zimmermann.

Example Coze

Compared to JOSE, Coze made design changes that focus on a simplified specification that is easy to deploy in applications. We'll focus on the larger concerns while omitting the smaller technical differences. Sometimes people are unaware of JOSE and only know of the more specific JWT, but the following applies to "Coze Vs. JWT" as well.

What Coze and JOSE share:

  • Both permit several cipher suites ("algs") and easily support new standards (ES224, ES256, ES384, ES512, Ed25519, Ed25519ph).
  • Both use at least some JSON in their construction.
  • Coze and JOSE (in the later RFC 7638) both define programmatic references for keys. Keys are probably where Coze and JOSE are the most similar.

Coze

  • Is JSON.
  • Coze messages are smaller than JWTs.
  • The Coze specification is much smaller than JOSE or JWT.
  • Prohibits signature malleability.
  • Prohibits base 64 malleability.
  • Prohibits duplicate JSON fields, which alleviates a category of security concerns.
  • Provides built-in replay protection using czd.
  • Does not suffer from re-encode ballooning.
  • Has a feature-complete online tool.
  • Provides a reference implementation.
  • Defines general purpose canonicalization.

Cozies are smaller than JWTs.

JOSE

(Including JWS, JWK, JWE, and JWT)

  • JWT is not JSON.
    • JWS is JSON, but it's not idiomatic JSON. For example, it base64 encodes JSON into JSON for headers.
  • JWT is downstream of the other JOSE specs: JWS, JWE, and JWK. A complete JWT implementation has to be implemented in view of JWS, JWE, and JWK, which are all complex. We're not aware of any JWT library that does this; all JWT libraries we're aware of are partial implementations.
  • JOSE/JWT does not prohibit signature malleability.
  • JOSE/JWT does not prohibit base 64 malleability. (See Base64 Malleability in Practice.)
  • JOSE/JWT does not prohibit duplicate JSON fields, which is a security concern. (See An Exploration of JSON Interoperability Vulnerabilities and control-f "duplicate".)
  • JOSE/JWT re-encode balloons, which significantly increases the size of messages.
  • JOSE has no built-in replay protection. JOSE places the burden of defining unique message identifiers onto applications. This also means various systems are not out-of-the-box compatible. See RFC 7515, section 10.10.
  • The functionality of JOSE online tools is limited.
  • JOSE and JWT have no reference implementation.
  • JOSE does not define general purpose canonicalization.
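Two of the properties contrasted above, duplicate-field rejection and base 64 malleability, come down to what a message parser refuses to accept. The following is an added example written for this post, not code from the Coze project or its Go implementation, showing both checks with Go's standard library: a token-stream walk that rejects a repeated key at any depth (json.Unmarshal would silently keep the last one), and a base64url decoder that accepts only the single canonical encoding of a value. Function names are ours; the inputs in the comments are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// frame is one open JSON container; in an object, an even n means a key is next.
type frame struct{ obj bool; n int; seen map[string]bool }

// rejectDuplicateKeys fails if any object in raw repeats a key, at any depth.
func rejectDuplicateKeys(raw string) error {
	dec := json.NewDecoder(strings.NewReader(raw))
	var stack []*frame
	for {
		tok, err := dec.Token()
		if err == io.EOF && len(stack) == 0 {
			return nil // input ended with every container closed
		} else if err != nil {
			return err // syntax error, or io.EOF inside an unclosed container
		}
		if d, ok := tok.(json.Delim); ok && (d == '{' || d == '[') {
			stack = append(stack, &frame{obj: d == '{', seen: map[string]bool{}})
			continue // counted toward the parent only once it closes
		} else if ok { // '}' or ']'
			stack = stack[:len(stack)-1]
		} else if top := len(stack) - 1; top >= 0 && stack[top].obj && stack[top].n%2 == 0 {
			k := tok.(string) // the Decoder guarantees object keys are strings
			if stack[top].seen[k] {
				return fmt.Errorf("duplicate key %q", k) // e.g. {"typ":"a","typ":"b"}
			}
			stack[top].seen[k] = true
		}
		if len(stack) > 0 {
			stack[len(stack)-1].n++ // a key, a scalar, or a closed container
		}
	}
}

// decodeCanonicalB64 accepts only unpadded base64url that re-encodes identically:
// Strict() rejects non-zero trailing bits, the round trip rejects ignored line breaks.
func decodeCanonicalB64(s string) ([]byte, error) {
	b, err := base64.RawURLEncoding.Strict().DecodeString(s)
	if err != nil || base64.RawURLEncoding.EncodeToString(b) != s {
		return nil, fmt.Errorf("non-canonical base64url %q", s) // e.g. "SGVsbG9" for "Hello"
	}
	return b, nil
}
```

With these checks, "SGVsbG8" decodes to "Hello" while "SGVsbG9" (same bytes, non-zero trailing bits), "SGVsbG8=" (padded) and a line-broken copy are all refused, so a signed message has exactly one accepted wire form.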
Cozies are human readable. JWTs are not.

Overall, we're very pleased with Coze, and we use it heavily throughout Cyphr.me. We hope the open source community finds it useful, or at the very least sees it as an example pushing progress forward. Coze gladly accepts contributors on the existing Go or JavaScript implementations. The Coze project would also be thrilled to have implementations in other languages, such as Python, Rust, and PHP.

We're planning future posts comparing Coze to other specifications (ssh, SSHSIG, signify, pgp, PEM, the rest of JOSE (JWK, JWS), PASETO, PASERK, Bitcoin, Ethereum), but until then see the coze_vs.md document.

We hope you enjoy Coze!

ā† Back to Blog Home

Created: Jul 12, 2023 9:10 PM
Updated: Jul 14, 2023 7:45 PM