Re: [Jwt-reg-review] Request to register claim: sig_val_claims

Stefan Santesson <stefan@aaa-sec.com> Sun, 16 January 2022 20:17 UTC

Message-ID: <132b91ae-440a-29d1-5f45-d46754cb79d1@aaa-sec.com>
Date: Sun, 16 Jan 2022 21:17:05 +0100
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Russ Housley <housley@vigilsec.com>
References: <SJ0PR00MB10052992FA47D0DFA90CF3F4F5539@SJ0PR00MB1005.namprd00.prod.outlook.com> <CA+k3eCS5j6XDE8u090DNDDewk-k-vVhvxXv9v_UedYbbcuF9mw@mail.gmail.com> <3575c353-6576-06a7-fab9-5f2e91fe256e@aaa-sec.com> <CA+k3eCQ6PVxWDyvnvcnMYmr-M5QE6XrzKEEU3=Dy=jtvq4oOVg@mail.gmail.com>
From: Stefan Santesson <stefan@aaa-sec.com>
Organization: 3xA Security AB
In-Reply-To: <CA+k3eCQ6PVxWDyvnvcnMYmr-M5QE6XrzKEEU3=Dy=jtvq4oOVg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/Ayx4k2NJo62rcdxsQJ5b_-aiPes>
Subject: Re: [Jwt-reg-review] Request to register claim: sig_val_claims

Thank you!

The suggestion is tempting. We will discuss how to progress on this
matter if it is worth doing.

However, if I understand this right, this does not affect registration
of the sig_val_claims claim identifier, right?

/Stefan



On 2022-01-16 at 14:58, Brian Campbell wrote:
> It'd be a media type registration - the text in 3.11.  Use Explicit
> Typing <https://datatracker.ietf.org/doc/html/rfc8725#section-3.11> of
> the JWT BCP explains it a bit more and references RFC8417 that has
> https://datatracker.ietf.org/doc/html/rfc8417#section-7.3 as an
> example of such a registration request. Looking for +jwt in the
> registry
> https://www.iana.org/assignments/media-types/media-types.xhtml will
> turn up a few others too.
>
> I believe you could define its use in SVT however makes sense given
> the constraints you have with existing implementations or whatever.
> I.e. typ has to be either jwt or svt+jwt. I suppose that waters it
> down a bit but is possible.
>
> Or maybe it's not worth doing at this point. It was just something
> that jumped out at me when trying to do a quick review of the draft.
>
> On Sat, Jan 15, 2022 at 7:01 AM Stefan Santesson <stefan@aaa-sec.com>
> wrote:
>
>     Brian,
>
>     Thank you for the suggestion. Our current implementations use the
>     jwt type declaration as this technically is a JWT. This also works
>     well with standard tools as long as we can define the claim as
>     requested here.
>
>     Having a specific type like svt+jwt might be a good idea. I'm not
>     sure exactly what implications that brings to our current
>     implementations. If we register a "svt+jwt" type, could its use
>     be optional? How would we go ahead and do the registration of this
>     type?
>
>     /Stefan
>
>
>     On 2022-01-14 at 22:24, Brian Campbell wrote:
>>     Honestly, I can't really wrap my head around this kind of
>>     signature indirection so I'll just say that I'm okay with the
>>     registration of the claim name "sig_val_claims".
>>
>>     Because the document is defining this SVT, which is one
>>     particular kind of JWT, I wonder if it'd be worthwhile to
>>     consider explicitly typing it, as recommended in
>>     https://datatracker.ietf.org/doc/html/rfc8725#section-3.11, with
>>     something like a "typ":"svt+jwt" header rather than the general
>>     and kinda meaningless "typ":"jwt"?
>>
>>
>>     On Wed, Jan 12, 2022 at 7:44 PM Mike Jones
>>     <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>
>>         I approve of the registration of this claim.
>>
>>                                         -- Mike
>>
>>         -----Original Message-----
>>         From: Jwt-reg-review <jwt-reg-review-bounces@ietf.org> On
>>         Behalf Of Stefan Santesson
>>         Sent: Friday, September 3, 2021 8:33 AM
>>         To: jwt-reg-review@ietf.org
>>         Cc: Russ Housley <housley@vigilsec.com>
>>         Subject: [EXTERNAL] [Jwt-reg-review] Request to register
>>         claim: sig_val_claims
>>
>>         Hi,
>>
>>         The draft
>>         https://datatracker.ietf.org/doc/draft-santesson-svt/ is
>>         being requested for publication as individual submission
>>
>>         This draft includes the request to register the claim name
>>         "sig_val_claims" as follows:
>>
>>         6.1.  Claim Names Registration
>>
>>
>>            This section registers the "sig_val_claims" claim name in the IANA
>>            "JSON Web Token Claims" registry established by Section 10.1 in
>>            [RFC7519].
>>
>>         6.1.1.  Registry Contents
>>
>>            *  Claim Name: "sig_val_claims"
>>            *  Claim Description: Signature Validation Token Claims
>>            *  Change Controller: IESG
>>            *  Specification Document(s): Section 3.2.3 of {this document}
>>
>>
>>         The draft specifies a Token having the form of a JWT which
>>         includes this defined claim.
>>
>>         The rationale for this claim is described in the referenced
>>         document.
>>
>>         The solution is deployed in real services and it is
>>         considered for national government usage, which is the main
>>         reason to publish the specification as an informational RFC.
>>
>>
>>
>>         /Stefan Santesson
>>
>>
>>         _______________________________________________
>>         Jwt-reg-review mailing list
>>         Jwt-reg-review@ietf.org
>>         https://www.ietf.org/mailman/listinfo/jwt-reg-review
>>
>>
>>     CONFIDENTIALITY NOTICE: This email may contain confidential and
>>     privileged material for the sole use of the intended
>>     recipient(s). Any review, use, distribution or disclosure by
>>     others is strictly prohibited.  If you have received this
>>     communication in error, please notify the sender immediately by
>>     e-mail and delete the message and any file attachments from your
>>     computer. Thank you.
>
>
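The explicit-typing check that Brian Campbell points to in the thread above (RFC 8725 section 3.11), together with the "typ has to be either jwt or svt+jwt" allowance he describes, worked through as an added example. This is not code from draft-santesson-svt, from the implementations Stefan mentions, or from anyone on the list. It uses only the Python standard library; the HS256 key, the issuer name and the payload are constructed demo inputs, "svt+jwt" is used exactly as proposed in the thread (it is not a registered media type), and the value placed in "sig_val_claims" is a placeholder, not the structure defined in section 3.2.3 of the draft.

```python
"""Explicit JWT typing check (RFC 8725 section 3.11) for an SVT-style token.

Added example, not code from draft-santesson-svt or from its implementations.
Standard library only. The key, the payload and the "svt+jwt" type name are
demo inputs; the "sig_val_claims" value is a placeholder, not the draft's
structure (section 3.2.3 of the draft defines the real one).
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real SVT is signed with the issuer's own key.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Explicit type proposed in the thread for a Signature Validation Token, and
# the generic type that current implementations emit.
SVT_TYP = "svt+jwt"
LEGACY_TYP = "jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _normalize_typ(typ: str) -> str:
    """Media type names are case-insensitive and the "application/" prefix may
    be omitted (RFC 7515 section 4.1.9), so compare in a normalized form."""
    typ = typ.lower()
    return typ[len("application/"):] if typ.startswith("application/") else typ


def mint_token(payload: dict, typ: Optional[str], key: bytes = DEMO_KEY) -> str:
    """HS256 JWS compact serialization; typ=None omits the header parameter."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_svt(token: str, key: bytes = DEMO_KEY, allow_legacy_typ: bool = False) -> dict:
    """Verify the signature, then enforce the type before any claim is trusted.

    Returns the payload, or raises ValueError. The pinned alg (RFC 8725
    section 3.1) and the typ allow-list (section 3.11) are the two checks that
    stop a differently typed token signed with the same key from being
    accepted as an SVT.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialization")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm instead of trusting the token's alg (blocks alg=none).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    typ = header.get("typ")
    if not isinstance(typ, str):
        raise ValueError("missing typ header; refusing untyped token")
    accepted = {SVT_TYP} | ({LEGACY_TYP} if allow_legacy_typ else set())
    if _normalize_typ(typ) not in accepted:
        raise ValueError(f"typ {typ!r} is not an SVT type")
    payload = json.loads(_b64url_decode(p_b64))
    if "sig_val_claims" not in payload:
        raise ValueError("no sig_val_claims claim; not an SVT")
    return payload


def demo_results() -> dict:
    """Run the verifier over constructed tokens; maps case name -> outcome."""
    # Placeholder payload; the real sig_val_claims structure is the draft's.
    payload = {"iss": "https://svt.example", "sig_val_claims": [{"placeholder": True}]}
    cases = {
        "svt_typed": (mint_token(payload, "svt+jwt"), False),
        "svt_typed_long_form": (mint_token(payload, "application/SVT+JWT"), False),
        "legacy_jwt_strict": (mint_token(payload, "jwt"), False),
        "legacy_jwt_allowed": (mint_token(payload, "jwt"), True),
        "other_profile": (mint_token(payload, "at+jwt"), False),
        "untyped": (mint_token(payload, None), False),
        "tampered": (mint_token(payload, "svt+jwt")[:-4] + "AAAA", False),
    }
    results = {}
    for name, (tok, legacy) in cases.items():
        try:
            verify_svt(tok, allow_legacy_typ=legacy)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo_results().items():
        print(f"{name:22s} {outcome}")
```

The order matters: the signature is checked first, then the typ is compared against an allow-list before any claim is read, so a token of some other JWT profile signed with the same key (an access token typed "at+jwt", for instance) is refused even though its signature is valid. The allow_legacy_typ switch is what the "either jwt or svt+jwt" option from the thread looks like inside a verifier; leaving it off is what makes the typing explicit.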