Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken

Benjamin Kaduk <kaduk@mit.edu> Thu, 01 November 2018 23:29 UTC

Date: Thu, 01 Nov 2018 18:29:14 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: jwt-reg-review@ietf.org
Message-ID: <20181101232914.GN45914@kduck.kaduk.org>
References: <20181101170618.GC45914@kduck.kaduk.org> <CA+k3eCSgLihY==1mQ-sKJdtuKSuVN0PjNisgvhrt1PiUZQ-5FA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CA+k3eCSgLihY==1mQ-sKJdtuKSuVN0PjNisgvhrt1PiUZQ-5FA@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/KgCVuVKzbhyc7JS--2PuRMAh-Is>
Subject: Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken

On Thu, Nov 01, 2018 at 01:56:42PM -0600, Brian Campbell wrote:
> That's a good question, Ben.
> 
> I don't think we've necessarily established normal in that regard and have
> maybe been somewhat inconsistent about it. In practice, registration is
> really the only option for a spec that wants to have a short claim name
> while also having some protection against name collision - even for things
> that are application specific and aren't wildly applicable. As such, I
> support registration of claim names even when they are defined in or for an
> application specific context. However, I'd prefer to see such names not

Yup, I'd also prefer registrations, even generic-sounding ones, over
unregistered usage.

> being generic but rather to have some indicator of their specificity. These

(and that, too)

> claims from draft-ietf-stir-passport-shaken do seem to fall into that
> category and I'd be happier if they were "shkn-att" and "shkn-ogid" or
> something along those lines. But like I said, we've been rather
> inconsistent about that kind of thing historically as you can see with the
> current registrations https://www.iana.org/assignments/jwt/jwt.xhtml and so
> I'm somewhat hesitant to rock the boat by pushing back on these kinds of
> registration requests now. Especially because it's typically a PITA for the

I appreciate that there are many, sometimes competing, factors that you
must consider as an Expert.  (And to be clear: you are the Experts, and I
am deferring to your expertise here.)

> WG or whoever is making the request to make changes to their spec by the
> time they've gotten to the point of making a JWT claim registration
> request. And the downside is only that a generic looking name gets taken
> for a more specific context. There's nothing in the registry or
> registration process or guidelines that would allow for or account for
> usage in alternative contexts. So registration is effectively all or
> nothing.

I'm not sure if I'll be able to attend an OAuth session in Bangkok, but
perhaps the general topic of claim reuse in disjoint settings could be
raised.  (In that a potential solution for future requests of this type
would be to allow them but also allow for the claim name to be reused
elsewhere with different semantics.  Emphasis on "potential".)

> I'm not sure that really answers your question. But that's the best answer
> I've got.

I am happy to have it :)

> I'm also not sure where that leaves us with this particular request.

There is a line of "likely to be of general applicability or whether it is
useful only for a single application" in the guidance to the experts, but
that doesn't actually say much about whether one or the other is grounds
to push back on or refuse a registration.  That said, I think it's
appropriate to have a culture where the experts are comfortable pushing
back on requests, when the experts are uncomfortable with the requests in
question.

-Ben

> On Thu, Nov 1, 2018 at 11:06 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> > The requested registrations include:
> >
> > "attest", "Attestation level as defined in SHAKEN framework"
> > "origid", "Originating Identifier as defined in SHAKEN"
> >
> > It seems unlikely to me that SHAKEN is the only group that will ever want
> > an attestation level, and probably not the only one for an originating
> > identifier either (though I did not read the draft yet and am going just by
> > the name).  What are the normal considerations that the Experts are
> > applying about generic names and whether additional references could be
> > added for the claim indicating its usage in alternative contexts?
> >
> > -Ben