Re: [Ace] "sub" and "iss" ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02

Mike Jones <Michael.Jones@microsoft.com> Fri, 22 June 2018 20:59 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Roman Danyliw <rdd@cert.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: "sub" and "iss" ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
Thread-Index: AdQJ/3hMPxiML8tzRZiI8rJseWPrOAAbEEEg
Date: Fri, 22 Jun 2018 20:59:28 +0000
Message-ID: <MW2PR00MB0298B993D3D52C018A33CD7FF5750@MW2PR00MB0298.namprd00.prod.outlook.com>
References: <VI1PR0801MB2112BB6040C1328028D566F8FA750@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB2112BB6040C1328028D566F8FA750@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Vij1IWYxGnA1MyDsJxC478c2KdU>
Subject: Re: [Ace] "sub" and "iss" ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

I'm working on simplifying this in a way similar to what Hannes proposed, and in a way also previously promised to Jim (removing "normally", etc.), but also in a way that makes it clear that the exact claims to be used are an application-specific choice.

				-- Mike

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Friday, June 22, 2018 6:36 AM
To: Roman Danyliw <rdd@cert.org>; ace@ietf.org
Subject: [Ace] "sub" and "iss" ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02

Hi Roman,

this is also a good question:

> (3) (Editorial) Page 4, Section 3.0, I read to the end of this section, by which point there has been discussion of "sub" or "iss".  I was left wondering how to interpret the case where both are present and the case where neither is.

Here is the text from the draft:

"
   The presenter can be identified in one of several ways by the CWT
   depending upon the application requirements.  If the CWT contains a
   "sub" (subject) claim [CWT], the presenter is normally the subject
   identified by the CWT.  (In some applications, the subject identifier
   will be relative to the issuer identified by the "iss" (issuer) claim
   [CWT].)  If the CWT contains no "sub" claim, the presenter is
   normally the issuer identified by the CWT using the "iss" claim.  The
   case in which the presenter is the subject of the CWT is analogous to
   Security Assertion Markup Language (SAML) 2.0
   [OASIS.saml-core-2.0-os] SubjectConfirmation usage.  At least one of
   the "sub" and "iss" claims is typically present in the CWT and some
   use cases may require that both be present.
"

The CWT PoP document does not define the subject or issuer claims.
The document also does not mandate a specific set of claims to be included in a CWT, since this is application-profile specific.

Hence, I am wondering whether we could shorten the paragraph above, which is actually a bit confusing.

"
This specification adds a new claim to offer the proof-of-possession functionality.
There are various claims already defined, and the IANA claims registry [REF] contains the most up-to-date list of standardized claims. Applications using the CWT functionality define which claims have to be used.

   The presenter can, if necessary, be identified in one of several ways by the CWT
   depending upon the application requirements.  If the CWT contains a
   "sub" (subject) claim [CWT], the presenter is the subject
   identified by the CWT. In some cases, the CWT may not include a "sub"
   claim, which allows the presenter to remain anonymous.
"

Ciao
Hannes


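The presenter-identification rule quoted above from draft-02 (presenter is "sub" if present, scoped by "iss" when both are present; otherwise "iss"; otherwise nobody is identified), worked through as an added example that is not part of this thread or of the draft. It is Python with a minimal CBOR codec covering only the subset a claim set needs (integers, byte strings, text strings, maps). The claim keys follow RFC 8392 (iss=1, sub=2, aud=3, exp=4, nbf=5, iat=6, cti=7); cnf=8 and the kid=3 member inside it are the registrations made when this draft was published as RFC 8747, not something draft-02 itself shows. The sample claim sets, the AS URI, the require_both parameter (modelling "some use cases may require that both be present") and the shape of the returned dict are this example's own assumptions.

```python
"""Added example: tiny CBOR codec for CWT claim sets plus the draft-02
presenter-identification rule. Not code from the draft or the thread."""

# CWT claim keys from RFC 8392; CNF=8 and the kid=3 member are from RFC 8747.
ISS, SUB, AUD, EXP, NBF, IAT, CTI, CNF = 1, 2, 3, 4, 5, 6, 7, 8
CNF_KID = 3


def _head(major, n):
    # CBOR initial byte plus the shortest argument encoding for n (RFC 8949).
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(v):
    if isinstance(v, bool):
        raise TypeError("bool not supported in this subset")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(buf, pos):
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if pos + size > len(buf):
            raise ValueError("truncated argument")
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length or reserved additional info")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = _decode(buf, pos)
            val, pos = _decode(buf, pos)
            if k in m:
                raise ValueError("duplicate map key")  # reject ambiguous claim sets
            m[k] = val
        return m, pos
    raise ValueError(f"major type {major} not supported in this subset")


def cbor_decode(buf):
    v, pos = _decode(buf, 0)
    if pos != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v


def identify_presenter(claims, require_both=False):
    """Draft-02 rule: 'sub' identifies the presenter (relative to 'iss' when
    both are present); without 'sub' the issuer is the presenter; with
    neither, nobody is identified. require_both is this example's knob for
    profiles that demand both claims; it is not part of the draft."""
    sub, iss = claims.get(SUB), claims.get(ISS)
    if require_both and (sub is None or iss is None):
        raise ValueError("profile requires both 'sub' and 'iss'")
    if sub is not None:
        return {"role": "subject", "id": sub, "scope": iss}
    if iss is not None:
        return {"role": "issuer", "id": iss, "scope": None}
    return {"role": "anonymous", "id": None, "scope": None}


# Constructed sample claim sets (assumed values; cnf carries only a kid).
CWT_SUB_AND_ISS = cbor_encode({ISS: "coaps://as.example", SUB: "dev-42", CNF: {CNF_KID: b"\x11"}})
CWT_ISS_ONLY = cbor_encode({ISS: "coaps://as.example", CNF: {CNF_KID: b"\x11"}})
CWT_NEITHER = cbor_encode({CNF: {CNF_KID: b"\x11"}})

if __name__ == "__main__":
    for name, cwt in (("sub+iss", CWT_SUB_AND_ISS), ("iss only", CWT_ISS_ONLY), ("neither", CWT_NEITHER)):
        print(name, cwt.hex(), identify_presenter(cbor_decode(cwt)))
```

The codec deliberately rejects duplicate map keys and indefinite-length items: a claim set that could decode to two different presenters is exactly the ambiguity Roman's question is about, and a profile that requires both claims should fail closed (the require_both path) rather than guess.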