Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken
Benjamin Kaduk <kaduk@mit.edu> Thu, 01 November 2018 23:29 UTC
Date: Thu, 01 Nov 2018 18:29:14 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: jwt-reg-review@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/KgCVuVKzbhyc7JS--2PuRMAh-Is>
On Thu, Nov 01, 2018 at 01:56:42PM -0600, Brian Campbell wrote:
> That's a good question, Ben.
>
> I don't think we've necessarily established normal in that regard and have
> maybe been somewhat inconsistent about it. In practice, registration is
> really the only option for a spec that wants to have a short claim name
> while also having some protection against name collision - even for things
> that are application specific and aren't wildly applicable. As such, I
> support registration of claim names even when they are defined in or for an
> application specific context. However, I'd prefer to see such names not

Yup, I'd also prefer registrations, even generic-sounding ones, over
unregistered usage.

> being generic but rather to have some indicator of their specificity. These

(and that, too)

> claims from draft-ietf-stir-passport-shaken do seem to fall into that
> category and I'd be happier if they were "shkn-att" and "shkn-ogid" or
> something along those lines. But like I said, we've been rather
> inconsistent about that kind of thing historically as you can see with the
> current registrations https://www.iana.org/assignments/jwt/jwt.xhtml and so
> I'm somewhat hesitant to rock the boat by pushing back on these kinds of
> registration requests now. Especially because it's typically a PITA for the

I appreciate that there are many, sometimes competing, factors that you must
consider as an Expert. (And to be clear: you are the Experts, and I am
deferring to your expertise here.)

> WG or whoever is making the request to make changes to their spec by the
> time they've gotten to the point of making a JWT claim registration
> request. And the downside is only that a generic looking name gets taken
> for a more specific context. There's nothing in the registry or
> registration process or guidelines that would allow for or account for
> usage in alternative contexts. So registration is effectively all or
> nothing.

I'm not sure if I'll be able to attend an OAuth session in Bangkok, but
perhaps the general topic of claim reuse in disjoint settings could be
raised. (In that a potential solution for future requests of this type
would be to allow them but also allow for the claim name to be reused
elsewhere with different semantics. Emphasis on "potential".)

> I'm not sure that really answers your question. But that's the best answer
> I've got.

I am happy to have it :)

> I'm also not sure where that leaves us with this particular request.

There is a line of "likely to be of general applicability or whether it is
useful only for a single application" in the guidance to the experts, but
that doesn't actually say much about whether one or the other are grounds
to push back on or refuse a registration. That said, I think it's
appropriate to have a culture where the experts are comfortable pushing
back on requests, when the experts are uncomfortable with the requests in
question.

-Ben

> On Thu, Nov 1, 2018 at 11:06 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> > The requested registrations include:
> >
> > "attest", "Attestation level as defined in SHAKEN framework"
> > "origid", "Originating Identifier as defined in SHAKEN"
> >
> > It seems unlikely to me that SHAKEN is the only group that will ever want
> > an attestation level, and probably not the only one for an originating
> > identifier either (though I did not read the draft yet and am going just by
> > the name). What are the normal considerations that the Experts are
> > applying about generic names and whether additional references could be
> > added for the claim indicating its usage in alternative contexts?
> >
> > -Ben