Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken

Mike Jones <Michael.Jones@microsoft.com> Mon, 05 November 2018 02:59 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Brian Campbell <bcampbell@pingidentity.com>
CC: "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>
Date: Mon, 05 Nov 2018 02:59:30 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/a7vXUR5-gzG40oyl4iOZFct0sSA>

We've already established the precedent that we're willing to register generic-sounding claim names for applications that we believe will have broad deployment.  For instance, we registered "orig" and "dest" in https://tools.ietf.org/html/rfc8225#section-11.2.  Therefore, I think it makes sense to also register "attest" and "origid" as specified in https://tools.ietf.org/html/draft-ietf-stir-passport-shaken-04#section-10.1 - also for use in the PASSporT context.

As a designated expert, I approve of these registrations.

				-- Mike

-----Original Message-----
From: Jwt-reg-review <jwt-reg-review-bounces@ietf.org> On Behalf Of Benjamin Kaduk
Sent: Friday, November 2, 2018 6:29 AM
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: jwt-reg-review@ietf.org
Subject: Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken

On Thu, Nov 01, 2018 at 01:56:42PM -0600, Brian Campbell wrote:
> That's a good question, Ben.
> 
> I don't think we've necessarily established normal in that regard and 
> have maybe been somewhat inconsistent about it. In practice, 
> registration is really the only option for a spec that wants to have a 
> short claim name while also having some protection against name 
> collision - even for things that are application specific and aren't 
> wildly applicable. As such, I support registration of claim names even 
> when they are defined in or for an application specific context. 
> However, I'd prefer to see such names not

Yup, I'd also prefer registrations, even generic-sounding ones, over unregistered usage.

> being generic but rather to have some indicator of their specificity. 
> These

(and that, too)

> claims from draft-ietf-stir-passport-shaken do seem to fall into that 
> category and I'd be happier if they were "shkn-att" and "shkn-ogid" or 
> something along those lines. But like I said, we've been rather
> inconsistent about that kind of thing historically as you can see with 
> the current registrations 
> https://www.iana.org/assignments/jwt/jwt.xhtml and so I'm somewhat 
> hesitant to rock the boat by pushing back on these kinds of 
> registration requests now. Especially because it's typically a PITA 
> for the

I appreciate that there are many, sometimes competing, factors that you must consider as an Expert.  (And to be clear: you are the Experts, and I am deferring to your expertise here.)

> WG or whoever is making the request to make changes to their spec by 
> the time they've gotten to the point of making a JWT claim 
> registration request. And the downside is only that a generic looking 
> name gets taken for a more specific context. There's nothing in the 
> registry or registration process or guidelines that would allow for or 
> account for usage in alternative contexts. So registration is 
> effectively all or nothing.

I'm not sure if I'll be able to attend an OAuth session in Bangkok, but perhaps the general topic of claim reuse in disjoint settings could be raised.  (In that a potential solution for future requests of this type would be to allow them but also allow for the claim name to be reused elsewhere with different semantics.  Emphasis on "potential".)

> I'm not sure that really answers your question. But that's the best 
> answer I've got.

I am happy to have it :)

> I'm also not sure where that leaves us with this particular request.

There is a line of "likely to be of general applicability or whether it is useful only for a single application" in the guidance to the experts, but that doesn't actually say much about whether one or the other are grounds to push back on or refuse a registration.  That said, I think it's appropriate to have a culture where the experts are comfortable pushing back on requests, when the experts are uncomfortable with the requests in question.

-Ben

> On Thu, Nov 1, 2018 at 11:06 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> > The requested registrations include:
> >
> > "attest", "Attestation level as defined in SHAKEN framework"
> > "origid", "Originating Identifier as defined in SHAKEN"
> >
> > It seems unlikely to me that SHAKEN is the only group that will ever 
> > want an attestation level, and probably not the only one for an 
> > originating identifier either (though I did not read the draft yet 
> > and am going just by the name).  What are the normal considerations 
> > that the Experts are applying about generic names and whether 
> > additional references could be added for the claim indicating its usage in alternative contexts?
> >
> > -Ben
> >
> > _______________________________________________
> > Jwt-reg-review mailing list
> > Jwt-reg-review@ietf.org
> > https://www.ietf.org/mailman/listinfo/jwt-reg-review
> >
