IETF Logo Mail Archive

Re: [Rats] [EXTERNAL] Re: EAT IANA registry

Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 27 November 2019 21:27 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68AD8120ABA for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 13:27:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.642
X-Spam-Level:
X-Spam-Status: No, score=-0.642 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.355, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sj0ksKSDoXEH for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 13:27:22 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 418E0120A79 for <rats@ietf.org>; Wed, 27 Nov 2019 13:27:22 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id s5so28468234wrw.2 for <rats@ietf.org>; Wed, 27 Nov 2019 13:27:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=ihFw0tnkq5dzBtVa7YzpMyP6kOS//M3oBbCYmjqWLos=; b=vSernnFXw6vsYYjufbdA7b0Mo229k9hxNJVGaHBDPves6oHRtp0iwNnkoH2jHhScMJ 6dlIN5BqhRz3KuTNnc4iSqrLEQYeOLehO/qQRbXmNb6dOLLbYMXWlIloIdjtdIXUlE80 AWZexk6bN4S8VVXlUOErCDPu2v9U3vMpyf5euBSRjfRthekqNRAP+yo58Tc47VSfqYTX mTwE9FSZdcJ+UzO7cQKF3Gkg67aWfIZCb9/uuLlRZIe/gYsh9xTASYBE7x8l11u9qZd6 uM2B/inicnKihBXvJN0Etboe9iC/374fi5+xEhLLR3N6lgO3t2LuzL6cX1+99GwdJXdz bAdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=ihFw0tnkq5dzBtVa7YzpMyP6kOS//M3oBbCYmjqWLos=; b=EeX7C2pUnOrI5UrJhx6Hvf5h/xBQrSjibWkCcAId8JBFjLuEM1CDrKIlt0eDGF+SLb ek2dk5fT84Xx0ElRzSUf9+SaXbR2waMvrBn6p3WDiO+iZlF/jjIhne20s+VImiNE9uGz qE40TidzqzufMwyziRes8k2isBClTrcnaFVE3/VNaDhhdYbG4zCUcqxfQF+TPji9GYgP vWN0kwNy6lD6I3NMt3aXsI9gjg8pTc3XlEwNEL6DPzTNVERxCCXjm6q18Us4bZnworsA dGGw2hcx3OL5boXcP2fySJD8+ACiBdJb6003gnxFJfBP+9jazu2d2JduSafY9qYbKKP5 upoA==
X-Gm-Message-State: APjAAAWeSFfgKWtSWfib1r0h47tOSOSy/4CAma1apTLqbvenLZQcaj4W /AAk/syPqRTvThDVinBW4ac=
X-Google-Smtp-Source: APXvYqyKud3iaTzBDipnZJx1ErkEyWb82Crin7U8IGjpA0mPijvwgkEuR1XNpVhsZ0I2ESnZuLqHSQ==
X-Received: by 2002:adf:ed11:: with SMTP id a17mr46011404wro.392.1574890040745; Wed, 27 Nov 2019 13:27:20 -0800 (PST)
Received: from [10.0.0.144] (bzq-79-179-17-120.red.bezeqint.net. [79.179.17.120]) by smtp.gmail.com with ESMTPSA id s8sm7732087wmc.39.2019.11.27.13.27.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Nov 2019 13:27:20 -0800 (PST)
User-Agent: Microsoft-MacOutlook/10.1f.0.191110
Date: Wed, 27 Nov 2019 23:27:18 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Laurence Lundblade <lgl@island-resort.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Message-ID: <28117100-32D0-40D2-81B8-89D1345B34FF@gmail.com>
Thread-Topic: [Rats] [EXTERNAL] Re: EAT IANA registry
References: <D2CF9D31-057E-4B47-A3D0-08BBBF997F47@gmail.com> <VI1PR08MB53605A2A2E61E6EAE2609FECFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <09C4F36B-C9CE-44DF-9DF8-F3365A7E3053@gmail.com> <53C13986-A523-4349-BDC3-F8ACC2BCFD29@island-resort.com> <DM6PR00MB05697456BC04AC34B156850DF54B0@DM6PR00MB0569.namprd00.prod.outlook.com> <20191127031910.GF32847@mit.edu> <CFF55BD3-66F8-485A-9AF5-1DD38B5F444C@island-resort.com> <ECA98A18-0E4B-4C51-AFE4-FB84E61AC809@gmail.com> <MN2PR00MB057424C20F7549E74C4590B8F5440@MN2PR00MB0574.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB057424C20F7549E74C4590B8F5440@MN2PR00MB0574.namprd00.prod.outlook.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3657742039_1079765013"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/83p8vW2gy83xB_ZyFg5A_PUNxio>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 21:27:24 -0000

Hi Mike,

 

To me this is a perfect counter-example: it is so generic as to be non-reusable. When used in an attestation, the verifier will want to have well defined syntax and semantics for what is attested, in this case a certain transaction. Here we don’t know what kind of a transaction this is (semantics) and how to interpret the transaction identifier (syntax).

 

If some particular environment wants to define claims for a particular, private kind of transaction, let’s make it easy for them to define their own, very specific foobar-transaction.

 

Thanks,

                Yaron

 

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Wednesday, November 27, 2019 at 23:04
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>, Benjamin Kaduk <kaduk@mit.edu>
Cc: "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: RE: [Rats] [EXTERNAL] Re: EAT IANA registry

 

The point of having a common JWT Claims registry is to enable future specifications to benefit from reusing applicable claims registered by past specifications.  For instance, the Security Event Token [RFC 8417] specification recently registered this general-purpose claim:

   o  Claim Name: "txn"

   o  Claim Description: Transaction Identifier

   o  Change Controller: IESG

   o  Specification Document(s): Section 2.2 of [RFC8417]

 

That made it available to EAT and other future specifications using JWTs.  If it had instead put it into its own registry, the potential for reuse would have been lost.

 

Let’s likewise let future specs benefit from EAT-defined claims by putting them in the normal IANA JWT Claims registry.

 

                                                       -- Mike

 

From: Yaron Sheffer <yaronf.ietf@gmail.com> 
Sent: Wednesday, November 27, 2019 7:54 AM
To: Laurence Lundblade <lgl@island-resort.com>; Benjamin Kaduk <kaduk@mit.edu>
Cc: Mike Jones <Michael.Jones@microsoft.com>; rats@ietf.org; Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry

 

To put it into perspective, there are already 57 claims registered [1]. So even if 7 claims overlap, this is a relatively *small* number. IMO there is high value in a separate namespace for EAT claims, and the standard way to create such a namespace in JSON is exactly as Ben is proposing.

 

Thanks,

                Yaron

 

[1] https://www.iana.org/assignments/jwt/jwt.xhtml

 

From: Laurence Lundblade <lgl@island-resort.com>
Date: Wednesday, November 27, 2019 at 06:39
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry

 

 

On Nov 26, 2019, at 7:19 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

 

...but I'm not sure that "avoiding duplicates"
would apply to a proposal that makes a single JWT/CWT claim for "EAT data"
and puts the attestation claims in a map as the value for that "EAT data"
claim.  What existing JWT/CWT claims would duplicate the potential contents
of the EAT data fields?

 

That is an interesting thought — put all of EAT into one JWT/CWT claim that is a map. Other’s have mentioned it to me. It would let EAT re use the most compact integer CBOR integer labels.

 

Right now we re use the following claims from JWT or CWT by normative reference:

- nonce

- Token ID cti/jti

- Time stamp (iat)

 

Also these JWT or CWT seem either likely or possible use in EAT:

- cnf (proof of possession of key)

- iss Issuer

- expiration

- not before

 

That’s a fairly large overlap which makes me disinclined to putting all of EAT into one map that is one JWT/CWT claim, separating EAT claims from CWT/JWT claims.

 

I’m no OAuth expert, but I wonder if some of the EAT claims might be useful for other than EAT tokens, another reason not to keep them separate.

 

I suspect we’re going to find at least one more use for a signed map of label-value pairs in the next few years that would be able to re use at least some of these claims — another reason to keep them in the same space.

 

LL

v2.23.0 | Report a Bug | By Email