Re: [Jwt-reg-review] Request to register claim: sig_val_claims

Brian Campbell <bcampbell@pingidentity.com> Sun, 16 January 2022 13:59 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 16 Jan 2022 06:58:54 -0700
Message-ID: <CA+k3eCQ6PVxWDyvnvcnMYmr-M5QE6XrzKEEU3=Dy=jtvq4oOVg@mail.gmail.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/GQzpp0csYi0UP01rihN7-H5eJ_g>

It'd be a media type registration - the text in 3.11.  Use Explicit Typing
<https://datatracker.ietf.org/doc/html/rfc8725#section-3.11> of the JWT BCP
explains it a bit more and references RFC8417 that has
https://datatracker.ietf.org/doc/html/rfc8417#section-7.3 as an example of
such a registration request. Looking for +jwt in the registry
https://www.iana.org/assignments/media-types/media-types.xhtml will turn up
a few others too.

I believe you could define its use in SVT however makes sense given the
constraints you have with existing implementations or whatever. I.e. typ
has to be either jwt or svt+jwt. I suppose that waters it down a bit but is
possible.

Or maybe it's not worth doing at this point. It was just something that
jumped out at me when trying to do a quick review of the draft.

On Sat, Jan 15, 2022 at 7:01 AM Stefan Santesson <stefan@aaa-sec.com> wrote:

> Brian,
>
> Thank you for the suggestion. Our current implementations use the jwt type
> declaration as this technically is a JWT. This also works well with
> standard tools as long as we can define the claim as requested here.
>
> Having a specific type like svt+jwt might be a good idea. I'm not sure
> exactly what implications that brings to our current implementations. If we
> register an "svt+jwt" type, could its use be optional? How would we go
> ahead and do the registration of this type?
>
> /Stefan
>
>
> Den 2022-01-14 kl. 22:24, skrev Brian Campbell:
>
> Honestly, I can't really wrap my head around this kind of signature
> indirection so I'll just say that I'm okay with the registration of the
> claim name "sig_val_claims".
>
> Because the document is defining this SVT, which is one particular kind of
> JWT, I wonder if it'd be worthwhile to consider explicitly typing it, as
> recommended in https://datatracker.ietf.org/doc/html/rfc8725#section-3.11,
> with something like a "typ":"svt+jwt" header rather than the general and
> kinda meaningless "typ":"jwt"?
>
>
> On Wed, Jan 12, 2022 at 7:44 PM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
>> I approve of the registration of this claim.
>>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: Jwt-reg-review <jwt-reg-review-bounces@ietf.org> On Behalf Of
>> Stefan Santesson
>> Sent: Friday, September 3, 2021 8:33 AM
>> To: jwt-reg-review@ietf.org
>> Cc: Russ Housley <housley@vigilsec.com>
>> Subject: [EXTERNAL] [Jwt-reg-review] Request to register claim:
>> sig_val_claims
>>
>> Hi,
>>
>> The draft https://datatracker.ietf.org/doc/draft-santesson-svt/ is being
>> requested for publication as an individual submission.
>>
>> This draft includes the request to register the claim name
>> "sig_val_claims" as follows:
>>
>> 6.1.  Claim Names Registration
>>
>>
>>    This section registers the "sig_val_claims" claim name in the IANA
>>    "JSON Web Token Claims" registry established by Section 10.1 in
>>    [RFC7519].
>>
>> 6.1.1.  Registry Contents
>>
>>    *  Claim Name: "sig_val_claims"
>>    *  Claim Description: Signature Validation Token Claims
>>    *  Change Controller: IESG
>>    *  Specification Document(s): Section 3.2.3 of {this document}
>>
>>
>> The draft specifies a Token having the form of a JWT which includes this
>> defined claim.
>>
>> The rationale for this claim is described in the referenced document.
>>
>> The solution is deployed in real services and it is considered for
>> national government usage, which is the main reason to publish the
>> specification as an informational RFC.
>>
>>
>>
>> /Stefan Santesson
>>
>>
>> _______________________________________________
>> Jwt-reg-review mailing list
>> Jwt-reg-review@ietf.org
>> https://www.ietf.org/mailman/listinfo/jwt-reg-review
>>
>

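A verifier-side check of the explicit-typing recommendation Brian points to (RFC 8725 section 3.11), added here as an example; it is not code from the thread or from the SVT draft. The "svt+jwt" type, the placeholder signature segment and the sample claims are constructed for illustration; the draft has not registered that type, and this header check complements rather than replaces signature verification.

```python
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWS segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, claims: dict) -> str:
    # Constructed sample: header.payload.signature, with a placeholder
    # signature segment because only the header is inspected here.
    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


SVT_CLAIMS = {"iss": "https://example.invalid", "sig_val_claims": {}}
SVT_TOKEN = make_token({"alg": "ES256", "typ": "svt+jwt"}, SVT_CLAIMS)
GENERIC_TOKEN = make_token({"alg": "ES256", "typ": "JWT"}, SVT_CLAIMS)
UNTYPED_TOKEN = make_token({"alg": "ES256"}, SVT_CLAIMS)


def normalize_typ(typ: str) -> str:
    # RFC 7515 section 4.1.9: "typ" is compared case-insensitively; RFC 8725
    # section 3.11 allows the "application/" media-type prefix to be omitted.
    t = typ.strip().lower()
    return t[len("application/"):] if t.startswith("application/") else t


def header_typ(token: str) -> Optional[str]:
    header = json.loads(_b64url_decode(token.split(".")[0]))
    typ = header.get("typ")
    return typ if isinstance(typ, str) else None


def accept_typ(token: str, accepted=("svt+jwt",)) -> bool:
    # Strict policy: require the explicit SVT type. Passing
    # accepted=("jwt", "svt+jwt") is the looser policy discussed in the thread.
    typ = header_typ(token)
    if typ is None:
        return False  # no "typ" at all is rejected under explicit typing
    return normalize_typ(typ) in {normalize_typ(a) for a in accepted}
```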