[Rats] Public Key Claims in JWT / CWT

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 19 November 2019 08:28 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "rats@ietf.org" <rats@ietf.org>
Date: Tue, 19 Nov 2019 08:28:01 +0000
Message-ID: <VI1PR08MB5360C0CFC1DFF09B020468B5FA4C0@VI1PR08MB5360.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8mExKtFLYNDiTuT4Wa1e1vwIJKU>
Subject: [Rats] Public Key Claims in JWT / CWT
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>

Hi all,

Here is some background info on the discussions today in the RATS WG meeting.

With RFC 7800 we added the "cnf" claim to the JWT to contain members used to identify the proof-of-possession key.
It re-uses the work done for JSON Web Key, including key ids, JWK Thumbprints, symmetric as well as asymmetric keys.
This claim has been registered with IANA at https://www.iana.org/assignments/jwt/jwt.xhtml

Later, after working on CWT we created the corresponding functionality for https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-11.
It aims to provide functionality equivalent to RFC 7800. The spec re-uses the "COSE_Key" and "Encrypted_COSE_Key" structures defined in RFC 8392.
draft-ietf-ace-cwt-proof-of-possession-11 is in the RFC Editor Queue and the IANA registry value for cnf is already available in https://www.iana.org/assignments/cwt/cwt.xhtml

These specs are implemented and deployed.

I would be surprised if you cannot reuse this functionality in the EAT token for offering proof-of-possession functionality.

Ciao
Hannes

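The binding the message above describes, a token whose "cnf" claim carries the holder's public key as a JWK (RFC 7800 section 3.2) and a verifier that later checks the presenter actually controls the matching private key, as an added Go example. It is not code from the original message, from RFC 7800 or from the ACE CWT draft, and it covers only the JWT/JWK side, not the CWT/COSE_Key equivalent. The proof-of-possession exchange itself is an assumption: RFC 7800 defines the claim but leaves the proof mechanism to the application, so here the holder signs a verifier-chosen nonce with the cnf key. The issuer name, subject and nonce are constructed for the example; keys are generated at run time with the standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // unpadded base64url (JWS)

// jwkFromPublic renders a P-256 key as the JWK carried in cnf.jwk (RFC 7800 s3.2); the
// coordinates are fixed 32-byte big-endian values (RFC 7518 s6.2.1).
func jwkFromPublic(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64(x), "y": b64(y)}
}

// publicFromJWK parses cnf.jwk, accepting only a well-formed point on P-256.
func publicFromJWK(jwk map[string]string) (*ecdsa.PublicKey, error) {
	if jwk["kty"] != "EC" || jwk["crv"] != "P-256" {
		return nil, errors.New("unsupported cnf key type")
	}
	x, errX := base64.RawURLEncoding.DecodeString(jwk["x"])
	y, errY := base64.RawURLEncoding.DecodeString(jwk["y"])
	if errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
		return nil, errors.New("malformed EC coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point not on curve")
	}
	return pub, nil
}

// es256 signs data as JWS ES256: SHA-256 digest, signature encoded as raw r||s (64 bytes).
func es256(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil { return nil, err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig, nil
}

func verifyES256(pub *ecdsa.PublicKey, data, sig []byte) bool {
	if len(sig) != 64 { return false }
	h := sha256.Sum256(data)
	return ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// IssueToken mints a JWT whose cnf claim binds the holder's public key to the subject.
func IssueToken(issuer *ecdsa.PrivateKey, holder *ecdsa.PublicKey, sub string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": "https://issuer.example", "sub": sub, // hypothetical issuer, not from the thread
		"cnf": map[string]interface{}{"jwk": jwkFromPublic(holder)},
	})
	input := b64(header) + "." + b64(claims)
	sig, err := es256(issuer, []byte(input))
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// ProvePossession is the holder's side: sign the verifier's fresh nonce with the cnf key.
func ProvePossession(holder *ecdsa.PrivateKey, nonce []byte) ([]byte, error) { return es256(holder, nonce) }

// VerifyPoP checks the issuer's signature, extracts cnf.jwk, and accepts the presenter only
// if its signature over the nonce verifies under that key. Returns the bound subject.
func VerifyPoP(token string, issuerPub *ecdsa.PublicKey, nonce, popSig []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed JWT") }
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("unexpected alg") // pin the algorithm; never let the token pick it
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !verifyES256(issuerPub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("bad issuer signature")
	}
	var claims struct {
		Sub string `json:"sub"`
		Cnf struct{ JWK map[string]string `json:"jwk"` } `json:"cnf"`
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &claims) != nil || claims.Cnf.JWK == nil {
		return "", errors.New("missing cnf.jwk")
	}
	holderPub, err := publicFromJWK(claims.Cnf.JWK) // key is trusted only because the issuer signed it
	if err != nil { return "", err }
	if !verifyES256(holderPub, nonce, popSig) { return "", errors.New("proof of possession failed") }
	return claims.Sub, nil
}

func main() {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holder, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := IssueToken(issuer, &holder.PublicKey, "device-42")
	nonce := []byte("constructed-nonce") // a real verifier draws a fresh random nonce per request
	pop, _ := ProvePossession(holder, nonce)
	fmt.Println(VerifyPoP(tok, &issuer.PublicKey, nonce, pop))
}
```

The order of checks in VerifyPoP is the point of the claim: the issuer's signature is what makes cnf.jwk trustworthy, so it is verified before the key is even parsed, and the holder's signature is verified only under that key, never under one the presenter supplies out of band. A deployed verifier would additionally check iss, aud and expiry, and would bind the proof to more than a bare nonce (for example the request it accompanies), which is outside what this example shows.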