IETF Logo Mail Archive

Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken

Brian Campbell <bcampbell@pingidentity.com> Mon, 05 November 2018 07:35 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jwt-reg-review@ietfa.amsl.com
Delivered-To: jwt-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C415E130E96 for <jwt-reg-review@ietfa.amsl.com>; Sun, 4 Nov 2018 23:35:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WWRhTNkFQ3hB for <jwt-reg-review@ietfa.amsl.com>; Sun, 4 Nov 2018 23:35:55 -0800 (PST)
Received: from mail-it1-x133.google.com (mail-it1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB307130E7C for <jwt-reg-review@ietf.org>; Sun, 4 Nov 2018 23:35:54 -0800 (PST)
Received: by mail-it1-x133.google.com with SMTP id r12-v6so8575949ita.3 for <jwt-reg-review@ietf.org>; Sun, 04 Nov 2018 23:35:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eghYo85U8Xcad0LmsPHmxLi1f1tOb/TxYEXl7GZhWok=; b=bPkPrd9lTCG9GpirDJ3MnjEUn4BzQol5kUqFeouSuyCXhU40MENZrJySR/E+5ssm08 AdaZ8gIvA+Onfz4dT69OQ53VvU29/zMlnPAqrupKZN/F4eDLQ4OObSyFpb9+/WIKQt4K lV8t3Zg1FHUn0lwIfny4UcxIMdXDyY6o2IrxA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eghYo85U8Xcad0LmsPHmxLi1f1tOb/TxYEXl7GZhWok=; b=ILUNbZqokLQyLpA/HoOKC4+50f0vdrLS+kVGsgX/BPJdN2LvXcysX/1CiTmjolXUAj mwq9DwzGNcK/bglSWwn4BjDUe2Z0COS3eX9Fyk6mY53rweRBopjUlQreBwbdrn0G9GUW lDyYEFf65qmJTPnfM1NaDlxfw3KaB2+iBhIx2VQfOX89/XLgnzL5ShjlzNYq2WQOcLXX ttHmYdRAksKath7X9zoJaXsQfJwBTKLoWugDZSKBSGEcWtAZA13wJwBirxPZDjpwGcY2 gUAF6ugKmZQxHJbxxGA1IG2rJoQU+DsAi0NiXm4gr2mwjTZ9HZGYACGWPAPQc4+z6AjT FYFQ==
X-Gm-Message-State: AGRZ1gKADH1zeyrUtp6IlAibufYLdVDyJylc6wXO6gBJPSQeIBcuPKYz 6gbHBJxM+9yh+/IbEfGM++bvJVJ7Yxj7LgH2PdUG2CoLJ+F0uckcHTFRQqNa0QMvrM9+tp2hQoJ cIbjFvQc5ZyqxYVxHD2dBCIzr8g==
X-Google-Smtp-Source: AJdET5dIUUWI3S8tiJh/LNDOeOZKHN+G1+7aJSF9MeSjCsjtu0wkExwiGpE+AmPjeQ47NJlXqnCzHKH0IEjQq9tSAQY=
X-Received: by 2002:a02:7113:: with SMTP id n19-v6mr19804119jac.91.1541403353983; Sun, 04 Nov 2018 23:35:53 -0800 (PST)
MIME-Version: 1.0
References: <20181101170618.GC45914@kduck.kaduk.org> <CA+k3eCSgLihY==1mQ-sKJdtuKSuVN0PjNisgvhrt1PiUZQ-5FA@mail.gmail.com> <20181101232914.GN45914@kduck.kaduk.org>
In-Reply-To: <20181101232914.GN45914@kduck.kaduk.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 05 Nov 2018 14:35:27 +0700
Message-ID: <CA+k3eCQBmy6F2PMO8wQ4Eq5a_W2ZPASxAPWOw1H-w4XK2ppLOg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Robert Sparks <rjsparks@nostrum.com>
Cc: jwt-reg-review@ietf.org, chris-ietf@chriswendt.net, mary.ietf.barnes@gmail.com, Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="0000000000005ecac80579e5ef41"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/uv9W9RdQ8U_o9BEuqC32HCAR25U>
Subject: Re: [Jwt-reg-review] JWT claim registration review request : draft-ietf-stir-passport-shaken
X-BeenThere: jwt-reg-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Expert review of proposed IANA registrations for JSON Web Token \(JWT\) claims." <jwt-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jwt-reg-review>, <mailto:jwt-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jwt-reg-review/>
List-Post: <mailto:jwt-reg-review@ietf.org>
List-Help: <mailto:jwt-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jwt-reg-review>, <mailto:jwt-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 07:35:59 -0000

[Noticed the recipients of the original message
https://mailarchive.ietf.org/arch/msg/jwt-reg-review/mkGyvI2ZO20EFCPmObIlhl5UuNE
had fallen off the distribution so added them back]

There are two OAuth sessions in Bangkok, however, the agenda already looks
rather full. The idea of somehow allowing for registered claim reuse in
disjoint settings sounds interesting. But even as a so called Designated
Expert I don't think I'm expert enough or smart enough to gauge whether or
not a context of use is truly disjoint and will continue to be disjoint
into the future.

Indeed I've read (and reread) RFC7519's guidance but don't find it
particularly helpful in guiding any decision making in this kind of
situation. I also think it'd be appropriate to have a culture where the
experts are comfortable pushing back on requests. And I have done that on
occasion previously for requests that just didn't make sense at all. But in
this case it's not clear that there really should be push back given
general historical precedent and the situation of having somewhat generic
names for specific usage being 'not that bad'.

I do think it would be useful if RFC7519 had some guidance or suggestions
to would-be registrants about choosing claim names. But I don't know that
from a practical perspective anything can be done in that regard at this
point.



On Thu, Nov 1, 2018 at 5:29 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Thu, Nov 01, 2018 at 01:56:42PM -0600, Brian Campbell wrote:
> > That's a good question, Ben.
> >
> > I don't think we've necessarily established normal in that regard and
> have
> > maybe been somewhat inconsistent about it. In practice, registration is
> > really the only option for a spec that wants to have a short claim name
> > while also having some protection against name collision - even for
> things
> > that are application specific and aren't wildly applicable. As such, I
> > support registration of claim names even when they are defined in or for
> an
> > application specific context. However, I'd prefer to see such names not
>
> Yup, I'd also prefer registrations, even generic-sounding ones, over
> unregistered usage.
>
> > being generic but rather to have some indicator of their specificity.
> These
>
> (and that, too)
>
> > claims from draft-ietf-stir-passport-shaken do seem to fall into that
> > category and I'd be happier if they were "shkn-att" and "shkn-ogid" or
> > something along those lines. But like I said, we've been been rather
> > inconsistent about that kind of thing historically as you can see with
> the
> > current registrations https://www.iana.org/assignments/jwt/jwt.xhtml
> and so
> > I'm somewhat hesitant to rock the boat by pushing back on these kinds of
> > registration requests now. Especially because it's typically a PITA for
> the
>
> I appreciate that there are many, sometimes competing, factors that you
> must consider as an Expert.  (And to be clear: you are the Experts, and I
> am deferring to your expertise here.)
>
> > WG or whoever is making the request to make changes to their spec by the
> > time they've gotten to the point of making a JWT claim registration
> > request. And the downside is only that a generic looking name gets taken
> > for a more specific context. There's nothing in the registry or
> > registration process or guidelines that would allow for or account for
> > usage in alternative contexts. So registration is effectively all or
> > nothing.
>
> I'm not sure if I'll be able to attend an OAuth session in Bangkok, but
> perhaps the general topic of claim reuse in disjoint settings could be
> raised.  (In that a potential solution for future requests of this type
> would be to allow them but also allow for the claim name to be reused
> elsewhere with different semantics.  Emphasis on "potential".)
>
> > I'm not sure that really answers your question. But that's the best
> answer
> > I've got.
>
> I am happy to have it :)
>
> > I'm also not sure where that leaves us with this particular request.
>
> There is a line of "likely to be of general applicability or whether it is
> useful only for a single application" in the guidance to the experts, but
> that doesn't actually say much about whether one or the other are grounds
> to push back on or refuse a registration.  That said, I think it's
> appropriate to have a culture where the experts are comfortable pushing
> back on requests, when the experts are uncomfortable with the requests in
> question.
>
> -Ben
>
> > On Thu, Nov 1, 2018 at 11:06 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > > The requested registrations include:
> > >
> > > "attest", "Attestation level as defined in SHAKEN framework"
> > > "origid", "Originating Identifier as defined in SHAKEN"
> > >
> > > It seems unlikely to me that SHAKEN is the only group that will ever
> want
> > > an attestation level, and probably not the only one for an originating
> > > identifier either (though I did not read the draft yet and am going
> just by
> > > the name).  What are the normal considerations that the Experts are
> > > applying about generic names and whether additional references could be
> > > added for the claim indicating its usage in alternative contexts?
> > >
> > > -Ben
> > >
> > > _______________________________________________
> > > Jwt-reg-review mailing list
> > > Jwt-reg-review@ietf.org
> > > https://www.ietf.org/mailman/listinfo/jwt-reg-review
> > >
> >
> > --
> > _CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> > material for the sole use of the intended recipient(s). Any review, use,
> > distribution or disclosure by others is strictly prohibited.  If you
> have
> > received this communication in error, please notify the sender
> immediately
> > by e-mail and delete the message and any file attachments from your
> > computer. Thank you._
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email