Re: [Ace] CWT-PoP & Multiple PoP keys

Mike Jones <Michael.Jones@microsoft.com> Wed, 20 June 2018 15:48 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, "ace@ietf.org" <ace@ietf.org>
Date: Wed, 20 Jun 2018 15:48:07 +0000
Message-ID: <SN6PR00MB03018C4863D65694E16F9A18F5770@SN6PR00MB0301.namprd00.prod.outlook.com>
References: <VI1PR0801MB211205E0BA138E58D99E485DFA770@VI1PR0801MB2112.eurprd08.prod.outlook.com> <2e1720cf-ae24-552a-8eff-0fe1aefda46d@ri.se>
In-Reply-To: <2e1720cf-ae24-552a-8eff-0fe1aefda46d@ri.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/O0mr9YO0s0QTyl1cR9DdLPpnXww>
Subject: Re: [Ace] CWT-PoP & Multiple PoP keys

Good.  Having resolved this, I believe we should be in a position to do a release addressing the WGLC comments this week.

				-- Mike

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Ludwig Seitz
Sent: Wednesday, June 20, 2018 12:14 AM
To: ace@ietf.org
Subject: Re: [Ace] CWT-PoP & Multiple PoP keys

On 2018-06-20 08:57, Hannes Tschofenig wrote:
> Hi Jim,
> 
> I had a chat with Mike about relaxing the CWT-PoP spec to allow 
> multiple PoP keys in a single CWT token.
> 
> He is concerned about the departure from RFC 7800 and, after giving it 
> a bit more thought, I believe there is an issue. Initially, when we 
> started the work, our promise was that this is really just an 
> alternative encoding of RFC 7800. With changes like those we are 
> obviously breaking that concept. Having multiple keys within a single 
> CWT is a corner case and I am not sure anymore whether I indeed want 
> to go in that direction. In our implementation we are not using 
> multiple keys in a single CWT either.
> 
> Ciao
> 
> Hannes
>

I agree that having multiple PoP keys in cnf for CWT-PoP seems like overkill. After all, this is a draft aimed at constrained environments.
I also sympathize with Mike's suggestion to keep CWT-PoP aligned with RFC 7800.

/Ludwig


> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended

Sending confidential email to a public mailing list again, Hannes? You are a rebel ;-)


-- 
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
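The single-key rule the thread settles on (cnf is an alternative encoding of RFC 7800's cnf, so it represents exactly one proof-of-possession key) is something a resource server has to enforce when it parses the claim, not only something the spec states. The following is an added example, not code from the ACE working group, the CWT-PoP draft, or any implementation mentioned above. It assumes the CWT has already been CBOR-decoded into Python dicts (integer labels, bytes for byte strings), that claim and member labels follow draft-ietf-ace-cwt-proof-of-possession (cnf is claim key 8; cnf members 1 = COSE_Key, 2 = Encrypted_COSE_Key, 3 = kid) and the COSE_Key labels of RFC 8152 (kty = 1, kid = 2, Symmetric kty = 4, k = -1); the HMAC-over-nonce proof exchange, the sample claim sets and the key bytes are constructed for the example and are not prescribed by the draft.

```python
"""Enforce the single-PoP-key rule for a CWT 'cnf' claim and use that key.

Added example, not code from the ACE working group, the CWT-PoP draft, or
any of the implementations mentioned in the thread. Assumptions: the CWT has
already been CBOR-decoded into Python dicts (integer labels, bytes for bstr);
claim and member labels follow draft-ietf-ace-cwt-proof-of-possession
(cnf = claim key 8; cnf members 1 = COSE_Key, 2 = Encrypted_COSE_Key,
3 = kid) and RFC 8152 COSE_Key labels (kty = 1, kid = 2; kty Symmetric = 4,
k = -1). The sample claim sets, nonce and key bytes are constructed here.
"""
import hashlib
import hmac

CNF = 8                  # CWT claim key for "cnf"
COSE_KEY = 1             # cnf member: plaintext COSE_Key map
ENCRYPTED_COSE_KEY = 2   # cnf member: COSE_Encrypt0/COSE_Encrypt array
KID = 3                  # cnf member: key identifier (byte string)
CNF_MEMBERS = (COSE_KEY, ENCRYPTED_COSE_KEY, KID)

KTY = 1                  # COSE_Key: key type
KTY_SYMMETRIC = 4
SYM_K = -1               # COSE_Key: symmetric key bytes


class CnfError(ValueError):
    """The cnf claim is absent, malformed, or carries more than one key."""


def extract_pop_key(claims):
    """Return (method, value) for the one PoP key in the cnf claim.

    Mirrors the RFC 7800 rule the thread wants to keep: the cnf value
    represents exactly one key, so exactly one of the COSE_Key,
    Encrypted_COSE_Key and kid members may be present.
    """
    cnf = claims.get(CNF)
    if not isinstance(cnf, dict):
        raise CnfError("cnf claim missing or not a map")
    present = [m for m in CNF_MEMBERS if m in cnf]
    if len(present) != 1:
        raise CnfError(
            "cnf must carry exactly one PoP key, found %d" % len(present))
    method = present[0]
    value = cnf[method]
    if method == KID and not (isinstance(value, bytes) and value):
        raise CnfError("kid must be a non-empty byte string")
    if method == COSE_KEY and not (isinstance(value, dict) and KTY in value):
        raise CnfError("COSE_Key must be a map containing kty")
    if method == ENCRYPTED_COSE_KEY and not isinstance(value, list):
        raise CnfError("Encrypted_COSE_Key must be a COSE_Encrypt0/COSE_Encrypt array")
    return method, value


def pop_mac(key, nonce):
    """The proof the client sends: HMAC-SHA256 over an RS-chosen nonce.
    (Constructed exchange for this example; the draft does not mandate it.)"""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def verify_symmetric_pop(claims, nonce, mac):
    """RS-side check: take the single symmetric key from cnf, recompute the MAC."""
    method, key = extract_pop_key(claims)
    if method != COSE_KEY or key.get(KTY) != KTY_SYMMETRIC:
        raise CnfError("this verifier only handles a plaintext symmetric COSE_Key")
    return hmac.compare_digest(pop_mac(key[SYM_K], nonce), mac)


# Constructed sample data (not from the draft or the thread).
SECRET = bytes(range(32))
SINGLE_KEY_CLAIMS = {
    1: "coaps://as.example",           # iss
    3: "coaps://rs.example",           # aud
    CNF: {COSE_KEY: {KTY: KTY_SYMMETRIC, 2: b"k1", SYM_K: SECRET}},
}
KID_ONLY_CLAIMS = {CNF: {KID: b"k1"}}
TWO_KEY_CLAIMS = {CNF: {COSE_KEY: {KTY: KTY_SYMMETRIC, SYM_K: SECRET}, KID: b"k2"}}


def classify(claims):
    """Return 'ok:<member label>' for an acceptable cnf, 'rejected' otherwise."""
    try:
        return "ok:%d" % extract_pop_key(claims)[0]
    except CnfError:
        return "rejected"


if __name__ == "__main__":
    nonce = b"rs-nonce-0001"
    for name, c in (("single", SINGLE_KEY_CLAIMS), ("kid", KID_ONLY_CLAIMS),
                    ("two keys", TWO_KEY_CLAIMS)):
        print(name, classify(c))
    print("pop ok:", verify_symmetric_pop(SINGLE_KEY_CLAIMS, nonce,
                                          pop_mac(SECRET, nonce)))
```

The check is deliberately strict in the direction the thread chose: a cnf map with both a COSE_Key and a kid is rejected outright rather than picking one, so an issuer that started emitting multiple keys would fail closed at the resource server instead of silently binding the token to whichever member the parser happened to read first.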