Re: [Jwt-reg-review] Review requested: draft-ietf-sipcore-rejected

Eric Burger <eburger@standardstrack.com> Wed, 12 June 2019 02:21 UTC

From: Eric Burger <eburger@standardstrack.com>
Message-Id: <DA386F16-E32C-49E2-8EE0-B7D37D542BB1@standardstrack.com>
Date: Tue, 11 Jun 2019 22:21:37 -0400
In-Reply-To: <CA+k3eCQJ7cD90htTx-XpMA9bMFRXtvgjY01NfpPThGQw_xbALQ@mail.gmail.com>
Cc: "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, Nagda Bhavik V <bnagda@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
References: <f918480f-afe7-b695-9132-35afc63d77b3@nostrum.com> <MW2PR00MB029815694580C2D9FB14C2F1F5770@MW2PR00MB0298.namprd00.prod.outlook.com> <CA+k3eCRYZj7NKSVWLV29rqiMLXrFvGvc+ZvRreX0Pphj=nbHfw@mail.gmail.com> <CA+k3eCQJ7cD90htTx-XpMA9bMFRXtvgjY01NfpPThGQw_xbALQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/uLD-AGh-Gk3Ab7x6FdyqekVs0Rs>
Subject: Re: [Jwt-reg-review] Review requested: draft-ietf-sipcore-rejected
List-Id: "Expert review of proposed IANA registrations for JSON Web Token \(JWT\) claims." <jwt-reg-review.ietf.org>

Thanks! We knew the JWS wasn’t quite right, which we were going to fix once we got this round of comments.

The reason for putting the jCard into a JWS is we (external to the IETF) have a mechanism of using the root CA of a signing certificate to ensure the integrity and identity of the entity signing the jCard. For example, one could have a policy that only an entity with the X.509 Subject of the jCard ‘Name’ can sign the jCard. Anyone else signing the card means the card is not valid. We don’t go into too many details as that sort of decision making could be seen as outside the scope of the IETF.

> On Jun 11, 2019, at 11:30 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Looking again at this and the more recent revision of the draft, I do think the jcard claim registration is okay in general.
> 
> However, the IANA Considerations registration request at https://tools.ietf.org/html/draft-ietf-sipcore-rejected-08#section-5.3 points to https://tools.ietf.org/html/draft-ietf-sipcore-rejected-08#section-3.2.2, which I think could do a little better job of describing what the value of the jcard claim will be - particularly for folks like myself who are unfamiliar with jCard. The link back to section-5.3 is just circular and isn't particularly helpful. So I went looking to the examples to see a jcard claim to help me understand and I noticed the JWS header in https://tools.ietf.org/html/draft-ietf-sipcore-rejected-08#section-4.1 isn't valid JOSE/JWS, which should probably be fixed. The 'alg', 'typ', and 'x5u' header parameters should all be top level members of the JSON rather than wrapped in extra {}'s. See https://tools.ietf.org/html/rfc7515#appendix-A.1.1 for example.
> 
> On Sat, Mar 2, 2019 at 6:48 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
> also approve
> 
> On Sat, Mar 2, 2019 at 5:44 AM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> In my role as a Designated Expert, I approve this registration request.
> 
>                                 -- Mike
> 
> -----Original Message-----
> From: Jwt-reg-review <jwt-reg-review-bounces@ietf.org> On Behalf Of A. Jean Mahoney
> Sent: Thursday, February 28, 2019 2:11 PM
> To: jwt-reg-review@ietf.org
> Cc: draft-ietf-sipcore-rejected@ietf.org; sipcore-chairs@ietf.org
> Subject: [Jwt-reg-review] Review requested: draft-ietf-sipcore-rejected
> 
> Hi JWT Registration Review Team,
> 
> Please review the JWT claim registration request found in Section 5.3 of draft-ietf-sipcore-rejected [1]. The draft has just finished WGLC.
> 
> Thanks!
> 
> Jean, as Doc Shepherd
> 
> [1] https://tools.ietf.org/html/draft-ietf-sipcore-rejected-03#section-5.3
> 
> ------------------
> 
> From the draft:
> 
> 
> 5.3.  JSON Web Token Claim
> 
>     This document defines the new JSON Web Token claim in the "JSON Web
>     Token Claims" sub-registry created by [RFC7519].  Section 3.2.2
>     defines the syntax.  The required information is:
> 
>     Claim Name:  jcard
> 
>     Claim Description:  jCard data
> 
>     Change Controller:  IESG
> 
>     Reference:  [RFCXXXX], [RFC7095]
> 
> _______________________________________________
> Jwt-reg-review mailing list
> Jwt-reg-review@ietf.org
> https://www.ietf.org/mailman/listinfo/jwt-reg-review
> 
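The two technical points in this thread, Brian's observation that 'alg', 'typ' and 'x5u' must be top-level members of the JOSE protected header rather than nested inside extra objects, and Eric's policy that only the entity whose certificate Subject matches the jCard name may sign the jCard, can be checked mechanically by a verifier. The following is an added example, not code from the thread, the draft, or the IETF; it assumes HS256 with a shared key as a stand-in (so it runs on the Python standard library) where a deployment following the draft would use an asymmetric algorithm with the signer's certificate chain fetched from x5u, and it takes the signer's Subject CN as a plain string instead of extracting it from that certificate. The key, x5u URL, jCard and nested header are constructed sample values.

```python
# Added example (not from the thread or the draft): validate a JWS that carries
# a "jcard" claim. Checks, in order: the protected header is a flat JOSE object
# with 'alg' at top level (RFC 7515), the signature verifies, the claim is an
# RFC 7095 jCard, and the signer's certificate Subject CN matches the jCard
# name. HS256 is a stand-in so this runs on the standard library; the draft's
# x5u header implies an asymmetric alg with the signer's certificate chain.
import base64
import hashlib
import hmac
import json

# Constructed sample values (not from the draft).
KEY = b"constructed-demo-key"
VALID_HEADER = {"alg": "HS256", "typ": "JWT", "x5u": "https://example.com/signer.pem"}
NESTED_HEADER = {"protected": dict(VALID_HEADER)}  # parameters wrapped one level too deep
SAMPLE_JCARD = ["vcard", [["version", {}, "text", "4.0"],
                          ["fn", {}, "text", "Jane Doe"],
                          ["tel", {"type": "work"}, "uri", "tel:+1-555-555-0100"]]]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_jose_header(header) -> list:
    """Return the list of problems with a JOSE protected header (empty = OK)."""
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    problems = []
    if "alg" not in header:
        problems.append("missing top-level 'alg'")
    for name in ("alg", "typ", "x5u"):
        if name in header and not isinstance(header[name], str):
            problems.append(f"'{name}' must be a string")
    # Header parameters nested inside another object are invisible to JOSE libraries.
    for key, value in header.items():
        if isinstance(value, dict) and {"alg", "typ", "x5u"} & set(value):
            problems.append(f"'{key}' wraps parameters that belong at top level")
    return problems


def jcard_fn(jcard) -> str:
    """Extract the formatted name ('fn') from an RFC 7095 jCard array."""
    if not (isinstance(jcard, list) and len(jcard) == 2 and jcard[0] == "vcard"):
        raise ValueError("jcard claim is not an RFC 7095 jCard")
    for prop in jcard[1]:
        if isinstance(prop, list) and len(prop) >= 4 and prop[0] == "fn":
            return prop[3]
    raise ValueError("jCard has no 'fn' property")


def sign_jws(header: dict, payload: dict, key: bytes) -> str:
    """Compact-serialize header.payload and sign with HS256 (demo stand-in)."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_jcard_jws(jws: str, key: bytes, signer_subject_cn: str):
    """Return (accepted, reason). signer_subject_cn stands in for the CN a
    deployment would read from the certificate chain fetched via x5u."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "not a JWS compact serialization"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        return False, "protected header is not valid JSON"
    problems = validate_jose_header(header)
    if problems:
        return False, "; ".join(problems)
    if header["alg"] != "HS256":
        return False, f"unsupported alg {header['alg']!r}"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "signature does not verify"
    payload = json.loads(b64url_decode(p_b64))
    if "jcard" not in payload:
        return False, "no jcard claim"
    try:
        name = jcard_fn(payload["jcard"])
    except ValueError as exc:
        return False, str(exc)
    # Policy from the thread: only the entity whose certificate Subject matches
    # the jCard name may sign the jCard; anyone else signing makes it invalid.
    if name != signer_subject_cn:
        return False, f"signer {signer_subject_cn!r} is not the jCard subject {name!r}"
    return True, "ok"


if __name__ == "__main__":
    good = sign_jws(VALID_HEADER, {"jcard": SAMPLE_JCARD}, KEY)
    print(verify_jcard_jws(good, KEY, "Jane Doe"))
    print(verify_jcard_jws(good, KEY, "Mallory"))
    print(verify_jcard_jws(sign_jws(NESTED_HEADER, {"jcard": SAMPLE_JCARD}, KEY), KEY, "Jane Doe"))
```

The header check is deliberately shape-based rather than tied to the exact nesting in the draft's section 4.1 example: any protected header without a top-level string 'alg' is rejected, and a member that itself wraps 'alg', 'typ' or 'x5u' is reported so the author sees why. The identity policy is applied only after the signature verifies, since a name comparison on an unauthenticated payload proves nothing.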