Re: [Jwt-reg-review] Request to register claim: sig_val_claims

Stefan Santesson <stefan@aaa-sec.com> Sat, 12 March 2022 12:50 UTC

To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Russ Housley <housley@vigilsec.com>
From: Stefan Santesson <stefan@aaa-sec.com>
Organization: 3xA Security AB
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/4qY4dFPjY7Sft2a13lhNk47CeyI>

Hi,

As I understand this, the registration of this claim is approved.

How do we proceed with this registration?

/Stefan


On 2022-01-18 14:53, Brian Campbell wrote:
> Yeah, correct, the typ suggestion does not affect registration of the
> sig_val_claims claim.
>
> On Sun, Jan 16, 2022 at 1:17 PM Stefan Santesson <stefan@aaa-sec.com>
> wrote:
>
>     Thank you!
>
>     The suggestion is tempting. We will discuss how to progress on
>     this matter if it is worth doing.
>
>     However, if I understand this right, this does not affect
>     registration of the sig_val_claims claim identifier, right?
>
>     /Stefan
>
>
>
>     On 2022-01-16 at 14:58, Brian Campbell wrote:
>>     It'd be a media type registration - the text in 3.11.  Use
>>     Explicit Typing
>>     <https://datatracker.ietf.org/doc/html/rfc8725#section-3.11> of
>>     the JWT BCP explains it a bit more and references RFC8417 that
>>     has https://datatracker.ietf.org/doc/html/rfc8417#section-7.3 as
>>     an example of such a registration request. Looking for +jwt in
>>     the registry
>>     https://www.iana.org/assignments/media-types/media-types.xhtml
>>     will turn up a few others too.
>>
>>     I believe you could define its use in SVT however makes sense
>>     given the constraints you have with existing implementations or
>>     whatever. I.e. typ has to be either jwt or svt+jwt. I suppose
>>     that waters it down a bit but is possible.
>>
>>     Or maybe it's not worth doing at this point. It was just
>>     something that jumped out at me when trying to do a quick review
>>     of the draft.
>>
>>     On Sat, Jan 15, 2022 at 7:01 AM Stefan Santesson
>>     <stefan@aaa-sec.com> wrote:
>>
>>         Brian,
>>
>>         Thank you for the suggestion. Our current implementations use
>>         the jwt type declaration as this technically is a JWT. This
>>         also works well with standard tools as long as we can define
>>         the claim as requested here.
>>
>>         Having a specific type like svt+jwt might be a good idea. I'm
>>         not sure exactly what implications that brings to our current
>>         implementations. If we register a "svt+jwt" type, could its
>>         use be optional? How would we go ahead and do the
>>         registration of this type?
>>
>>         /Stefan
>>
>>
>>         On 2022-01-14 at 22:24, Brian Campbell wrote:
>>>         Honestly, I can't really wrap my head around this kind of
>>>         signature indirection so I'll just say that I'm okay with
>>>         the registration of the claim name "sig_val_claims".
>>>
>>>         Because the document is defining this SVT, which is one
>>>         particular kind of JWT, I wonder if it'd be worthwhile to
>>>         consider explicitly typing it, as recommended in
>>>         https://datatracker.ietf.org/doc/html/rfc8725#section-3.11,
>>>         with something like a "typ":"svt+jwt" header rather than the
>>>         general and kinda meaningless "typ":"jwt"?
>>>          
>>>
>>>         On Wed, Jan 12, 2022 at 7:44 PM Mike Jones
>>>         <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>>
>>>             I approve of the registration of this claim.
>>>
>>>                                             -- Mike
>>>
>>>             -----Original Message-----
>>>             From: Jwt-reg-review <jwt-reg-review-bounces@ietf.org>
>>>             On Behalf Of Stefan Santesson
>>>             Sent: Friday, September 3, 2021 8:33 AM
>>>             To: jwt-reg-review@ietf.org
>>>             Cc: Russ Housley <housley@vigilsec.com>
>>>             Subject: [EXTERNAL] [Jwt-reg-review] Request to register
>>>             claim: sig_val_claims
>>>
>>>             Hi,
>>>
>>>             The draft
>>>             https://datatracker.ietf.org/doc/draft-santesson-svt/ is
>>>             being requested for publication as an individual submission.
>>>
>>>             This draft includes the request to register the claim
>>>             name "sig_val_claims" as follows:
>>>
>>>             6.1.  Claim Names Registration
>>>
>>>
>>>                This section registers the "sig_val_claims" claim name in the IANA
>>>                "JSON Web Token Claims" registry established by Section 10.1 in [RFC7519].
>>>
>>>             6.1.1.  Registry Contents
>>>
>>>                *  Claim Name: "sig_val_claims"
>>>                *  Claim Description: Signature Validation Token Claims
>>>                *  Change Controller: IESG
>>>                *  Specification Document(s): Section 3.2.3 of {this
>>>             document}
>>>
>>>
>>>             The draft specifies a Token having the form of a JWT
>>>             which includes this defined claim.
>>>
>>>             The rationale for this claim is described in the
>>>             referenced document.
>>>
>>>             The solution is deployed in real services and it is
>>>             considered for national government usage, which is the
>>>             main reason to publish the specification as an
>>>             informational RFC.
>>>
>>>
>>>
>>>             /Stefan Santesson
>>>
>>>
>>>             _______________________________________________
>>>             Jwt-reg-review mailing list
>>>             Jwt-reg-review@ietf.org
>>>             https://www.ietf.org/mailman/listinfo/jwt-reg-review
>>>
>>>
>>>         /CONFIDENTIALITY NOTICE: This email may contain confidential
>>>         and privileged material for the sole use of the intended
>>>         recipient(s). Any review, use, distribution or disclosure by
>>>         others is strictly prohibited.  If you have received this
>>>         communication in error, please notify the sender immediately
>>>         by e-mail and delete the message and any file attachments
>>>         from your computer. Thank you./ 
>>
>>
>
>
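The explicit-typing suggestion in the thread (RFC 8725, Section 3.11) is a verifier-side control: a consumer of an SVT only accepts a token whose "typ" header says it is one, so a different kind of JWT signed by the same key cannot be mistaken for an SVT. The following is an added example written for this page, not code from the SVT draft, its implementations or anyone in the thread. It assumes HS256 with a shared key purely to keep the demo self-contained, accepts "svt+jwt" (optionally also the generic "jwt", as the thread says existing deployments use), compares media types case-insensitively with an optional "application/" prefix as RFC 7515 allows, and then checks that the "sig_val_claims" claim is present. The contents of the claim are a constructed placeholder; the draft defines the real structure.

```python
import base64
import hashlib
import hmac
import json

# Media types accepted for an SVT, as they appear in a "typ" header with the
# "application/" prefix omitted. "svt+jwt" is the explicit type suggested in
# the thread; plain "jwt" is the generic type the existing implementations use.
EXPLICIT_TYP = "svt+jwt"
LEGACY_TYP = "jwt"
REQUIRED_CLAIM = "sig_val_claims"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_svt(key: bytes, claims: dict, typ: str = EXPLICIT_TYP) -> str:
    """Build an HS256 compact JWS carrying the claims and the given "typ".

    Constructed for this example only (assumption: HS256 with a shared key);
    a real SVT issuer uses its own key material and algorithm.
    """
    header = {"alg": "HS256", "typ": typ}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def normalize_typ(typ):
    """Media type values compare case-insensitively and may omit "application/"."""
    if not isinstance(typ, str):
        return None
    value = typ.strip().lower()
    if value.startswith("application/"):
        value = value[len("application/"):]
    return value


def verify_svt(token: str, key: bytes, accept_legacy_typ: bool = False) -> dict:
    """Verify the signature, enforce explicit typing, require sig_val_claims.

    Returns the claims on success and raises ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm before touching the signature (RFC 8725, Section 3.1).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # Explicit typing: only tokens declared as SVTs (or, if the deployment
    # chooses, the generic "jwt" type) are accepted as SVTs.
    allowed = {EXPLICIT_TYP} | ({LEGACY_TYP} if accept_legacy_typ else set())
    if normalize_typ(header.get("typ")) not in allowed:
        raise ValueError(f"typ {header.get('typ')!r} not accepted for an SVT")
    claims = json.loads(_b64url_decode(p_b64))
    if REQUIRED_CLAIM not in claims:
        raise ValueError(f"missing {REQUIRED_CLAIM} claim")
    return claims


def svt_accepted(token: str, key: bytes, accept_legacy_typ: bool = False) -> bool:
    """Boolean wrapper around verify_svt for policy checks and tests."""
    try:
        verify_svt(token, key, accept_legacy_typ)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo key and claims; the sig_val_claims value is a placeholder.
    key = b"constructed-demo-key"
    claims = {"iss": "https://issuer.example", REQUIRED_CLAIM: {"demo": True}}
    print("svt+jwt accepted:", svt_accepted(mint_svt(key, claims), key))
    print("plain jwt, strict:", svt_accepted(mint_svt(key, claims, typ="jwt"), key))
    print("plain jwt, legacy allowed:",
          svt_accepted(mint_svt(key, claims, typ="jwt"), key, accept_legacy_typ=True))
    print("other+jwt:", svt_accepted(mint_svt(key, claims, typ="other+jwt"), key, True))
```

Whether to pass `accept_legacy_typ=True` is the trade-off Brian describes: allowing the generic "jwt" type keeps existing tokens valid but removes most of the protection explicit typing gives, since any other JWT from the same issuer carrying a `sig_val_claims` claim would also pass.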