Re: [Rats] CWT and JWT are good enough?

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 16 September 2019 17:32 UTC

From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <b599af98-1d11-cc86-0942-4185135d5c85@gmail.com> <4D0DEE05-C66C-4BCF-B1BA-67203779F35D@island-resort.com> <5945e80b-91b0-95d7-d45e-4393ff9894d9@gmail.com>
Message-ID: <163c0d07-aae6-2ae6-98e9-1f8830b3c690@gmail.com>
Date: Mon, 16 Sep 2019 19:32:47 +0200
In-Reply-To: <5945e80b-91b0-95d7-d45e-4393ff9894d9@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Af46eJOGZij1Umem0VLU0Chq_k8>
List-Id: Remote Attestation Procedures <rats.ietf.org>

The W3C apparently came to another conclusion although they target the most JSON-friendly place there is, the Web:
https://www.w3.org/TR/webauthn/#sctn-extension-request-parameters
That is, WebAuthn requires CBOR.


On 2019-09-16 18:35, Anders Rundgren wrote:
> On 2019-09-16 18:29, Laurence Lundblade wrote:
>>
>>
>>> On Sep 16, 2019, at 8:46 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>
>>> On 2019-09-16 17:30, Laurence Lundblade wrote:
>>>> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There’s been some really long email threads about it.
>>>> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
>>>
>>> Since everything crypto-wise in the JOSE stack anyway is covered in Base64Url, I don't see why one would bother with JWTs (or JSON at all for that matter) in EAT.
>>
>> Pretty sure lots of people want to be able to express claims in JSON. It is far more prevalent (so I understand) on the server side than CBOR.
> 
> Yes, but EAT is (IMO) not comparable to "normal" applications.
> 
>> I think there is consensus in this WG that we will support JSON and CBOR (and thus COSE and JOSE) for claims.
> 
> Right, and it will effectively force server-side software vendors to create TWO versions of everything.
> That's the hallmark of design by committee :-)
> 
> Anders
> 
>>
>> LL
>>
>
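The "two versions of everything" point in the thread, illustrated as an added example (editor's code, not from the RATS/EAT work or any of the posters): the same claims set is produced once as a CWT map (integer keys from the CWT claims registry, RFC 8392, binary values kept as CBOR byte strings) and once as a JWT payload (string keys from the JWT registry, RFC 7519, binary values wrapped in base64url as JOSE requires). The claim values are constructed sample data; the tiny CBOR encoder covers only the major types a claims set needs and is an assumption of this example, not a library the thread mentions.

```python
import base64
import json
import struct

# CWT integer keys for the registered claims (RFC 8392 section 4.1) keyed by their
# JWT string names (RFC 7519 section 4.1). Note the registries diverge on the
# token-identifier claim: JWT calls it "jti", CWT calls it "cti".
JWT_TO_CWT_KEY = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}
CWT_NAME_TO_JWT_NAME = {"cti": "jti"}


def _cbor_head(major, arg):
    """Initial byte(s) of a CBOR data item: major type plus the shortest argument form."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 0x100:
        return bytes([(major << 5) | 24]) + struct.pack(">B", arg)
    if arg < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", arg)
    if arg < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", arg)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", arg)


def cbor_encode(value):
    """Minimal deterministic CBOR encoder (RFC 8949) for ints, bytes, text, arrays, maps."""
    if isinstance(value, bool) or isinstance(value, float):
        raise TypeError("example encoder does not handle bool/float")
    if isinstance(value, int):
        # major type 0 for unsigned, major type 1 encodes -1 - n
        return _cbor_head(0, value) if value >= 0 else _cbor_head(1, -1 - value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value          # byte string
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _cbor_head(3, len(raw)) + raw              # text string
    if isinstance(value, list):
        return _cbor_head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        return _cbor_head(5, len(value)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in value.items())
    raise TypeError("unsupported type: %r" % type(value))


def cwt_claims(claims):
    """CWT form: integer keys, binary claim values stay binary."""
    return {JWT_TO_CWT_KEY[name]: v for name, v in claims.items()}


def jwt_claims(claims):
    """JWT form: string keys; anything binary must be base64url-encoded (no padding)."""
    out = {}
    for name, v in claims.items():
        if isinstance(v, bytes):
            v = base64.urlsafe_b64encode(v).rstrip(b"=").decode("ascii")
        out[CWT_NAME_TO_JWT_NAME.get(name, name)] = v
    return out


def encode_both(claims):
    """Return (CBOR bytes for the CWT payload, UTF-8 JSON bytes for the JWT payload)."""
    cbor_payload = cbor_encode(cwt_claims(claims))
    json_payload = json.dumps(jwt_claims(claims), separators=(",", ":")).encode("utf-8")
    return cbor_payload, json_payload


# Constructed sample claims set (values modelled on the CWT specification's example).
SAMPLE_CLAIMS = {
    "iss": "coap://as.example.com",
    "sub": "erikw",
    "aud": "coap://light.example.com",
    "exp": 1444064944,
    "nbf": 1443944944,
    "iat": 1443944944,
    "cti": bytes.fromhex("0b71"),   # binary token id: native in CBOR, base64url in JSON
}

if __name__ == "__main__":
    cbor_payload, json_payload = encode_both(SAMPLE_CLAIMS)
    print("CWT payload (%d bytes): %s" % (len(cbor_payload), cbor_payload.hex()))
    print("JWT payload (%d bytes): %s" % (len(json_payload), json_payload.decode()))
```

Running the script shows the two payloads a server must be able to parse for the same token semantics; a verifier that accepts both ends up with two key tables, two binary-value conventions (raw bytes versus base64url text) and two signature envelopes (COSE versus JOSE) for one claims model, which is the duplication Anders is pointing at.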