Re: [Rats] CWT and JWT are good enough?

Laurence Lundblade <lgl@island-resort.com> Mon, 16 September 2019 16:25 UTC

From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <7EA14733-B470-4365-B4FA-FF2B63695464@island-resort.com>
Date: Mon, 16 Sep 2019 09:25:48 -0700
In-Reply-To: <CAHbuEH4fisaDTKOzEY2ZEfxiVyfZ4wYibdRzQUYxq4i8a8G_WQ@mail.gmail.com>
Cc: rats@ietf.org
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <CAHbuEH4fisaDTKOzEY2ZEfxiVyfZ4wYibdRzQUYxq4i8a8G_WQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/23v-ehO3kRGf99bppMkkPcIU2kU>
Subject: Re: [Rats] CWT and JWT are good enough?
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>

Hi Kathleen

> On Sep 16, 2019, at 8:44 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> 
> 
> On Mon, Sep 16, 2019 at 11:30 AM Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> wrote:
> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There’s been some really long email threads about it.
> 
> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
> 
> The COSE WG is the one that decided to diverge from lessons learned.

The divergence I’m referring to is for the claims registry. That is definitely a CWT / JWT thing. COSE doesn’t have claims.

> That WG is open again, so if you'd like to pose this problem somewhere, that would be the place to do it.  I'm guessing people thought one or the other would be used, but not both resulting in this issue of inconsistency we are seeing.

My personal chosen path is NOT to raise the issue and live with the issue. Particularly:
 - The way to do vendor-specific non-registered claims is different between CWT and JWT
 - All EAT claims are Specification Required. No EAT claims can be just Expert Review.

LL
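The two differences listed above (how vendor-specific, non-registered claims are named in CWT versus JWT, and which IANA registration policy a claim falls under) are easy to get wrong in an implementation. The following is an added illustration, not part of this thread or of any WG document: it encodes the CWT claim-key policy ranges from RFC 8392 section 9.1.1 and a simple collision-resistance check for JWT private claim names (RFC 7519 section 4.3), then lints a constructed vendor claim expressed both ways. The `jwt_name_is_collision_resistant` heuristic and the sample claim values are my own assumptions, not rules from either RFC.

```python
# Added example: lint vendor-specific claim naming for JWT vs CWT claims sets.
# The policy ranges below are taken from RFC 8392 section 9.1.1 (CWT Claims registry);
# the JWT name heuristic is an assumption of this example, not an RFC rule.

def cwt_key_policy(key):
    """Return the IANA registration policy governing an integer CWT claim key."""
    if not isinstance(key, int) or isinstance(key, bool):
        raise TypeError("only integer CWT claim keys are handled here")
    if -256 <= key <= 255:
        return "Standards Action"
    if -65536 <= key <= -257 or 256 <= key <= 65535:
        return "Specification Required"
    if key > 65535:
        return "Expert Review"
    return "Private Use"  # key < -65536


def jwt_name_is_collision_resistant(name):
    """Heuristic (assumed here): a private JWT claim name is treated as
    collision-resistant if it is a URI or starts with a dotted domain name."""
    if "://" in name:
        return True
    head = name.split("/")[0].split(":")[0]
    return "." in head and not head.startswith(".") and not head.endswith(".")


# Registered core claims: names from RFC 7519 section 4.1, integer keys from RFC 8392 section 4.
REGISTERED_JWT_NAMES = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}
REGISTERED_CWT_KEYS = {1, 2, 3, 4, 5, 6, 7}


def check_claims_set(claims, fmt):
    """Return a list of problems with non-registered claim naming in a claims set.

    fmt is "jwt" (string names, private names must be collision-resistant) or
    "cwt" (integer keys, private keys must fall in the Private Use range)."""
    problems = []
    for key in claims:
        if fmt == "jwt":
            if key in REGISTERED_JWT_NAMES:
                continue
            if not jwt_name_is_collision_resistant(key):
                problems.append(f"{key!r}: unregistered JWT claim name is not collision-resistant")
        elif fmt == "cwt":
            if key in REGISTERED_CWT_KEYS:
                continue
            policy = cwt_key_policy(key)
            if policy != "Private Use":
                problems.append(f"{key!r}: unregistered CWT key sits in a {policy} range")
        else:
            raise ValueError("fmt must be 'jwt' or 'cwt'")
    return problems


def vendor_claim_examples():
    """Constructed sample: one vendor claim ('boot_counter') expressed the JWT way
    (URI-style name) and the CWT way (private-use negative integer key)."""
    jwt_claims = {"iss": "example.com", "https://example.com/claims/boot_counter": 7}
    cwt_claims = {1: "example.com", -70000: 7}
    return jwt_claims, cwt_claims


if __name__ == "__main__":
    jwt_claims, cwt_claims = vendor_claim_examples()
    print("jwt ok:", check_claims_set(jwt_claims, "jwt") == [])
    print("cwt ok:", check_claims_set(cwt_claims, "cwt") == [])
    print("bad jwt:", check_claims_set({"boot_counter": 7}, "jwt"))
    print("bad cwt:", check_claims_set({300: 7}, "cwt"))
```

Running the lint on the constructed sets shows the asymmetry the message refers to: the same vendor claim needs a URI-style name in JWT but a negative integer below -65536 in CWT, and a bare name like `boot_counter` or an unregistered key such as `300` (which lands in the Specification Required range) is flagged.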