Re: [Rats] CWT and JWT are good enough?

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 17 September 2019 04:25 UTC

To: Giridhar Mandyam <mandyam@qti.qualcomm.com>, Laurence Lundblade <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <b599af98-1d11-cc86-0942-4185135d5c85@gmail.com> <4D0DEE05-C66C-4BCF-B1BA-67203779F35D@island-resort.com> <5945e80b-91b0-95d7-d45e-4393ff9894d9@gmail.com> <163c0d07-aae6-2ae6-98e9-1f8830b3c690@gmail.com> <15afd05323c4465582e4a3b296f73030@NASANEXM01C.na.qualcomm.com> <926e31d3-b7e5-4537-4e8d-4addb0965b6b@gmail.com> <c659df8d688144029e3a027609d405f4@NASANEXM01C.na.qualcomm.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <0401d996-fe9f-946f-e211-24671cb04665@gmail.com>
Date: Tue, 17 Sep 2019 06:25:00 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/NnBMb13Z91AW64adH4PTrDf4p7M>
Subject: Re: [Rats] CWT and JWT are good enough?
List-Id: Remote Attestation Procedures <rats.ietf.org>

On 2019-09-16 20:28, Giridhar Mandyam wrote:
>> I would not base a major design decision on a single and rather unusual solution which BTW already is defined.
> 
> I understand the sentiment, and we have had this discussion on the mailing list before (e.g. https://mailarchive.ietf.org/arch/msg/rats/T1OmyXyprQ5ItvBm_9PxZ7LRrmA).  But I don't agree that CBOR should be our sole focus.

I got that.

> I think if we have the opportunity to define interoperable attestation formats for CBOR and JSON,

To solve what problem?  Attestations are not comparable to word processors that typically need to read and write a plethora of document formats.

> it would be a mistake not to take it. 

It is IMO rather a mistake to confuse future implementers with technically redundant choices.  Note: for protocols like TEEP, it is no big deal to use Base64Url-encoded attestations either.

> If solutions such as the SafetyNet Attestation follow our lead and evolve to supporting EAT then I think that would be a positive.

Yes, but for application developers, attestations are presumably exposed as APIs and objects, making the CBOR/JSON issue limited to implementors.

I leave this thread now and let you continue doing TWO things of everything :-)

Anders


> 
> -Giri
> 
> 
> -----Original Message-----
> From: Anders Rundgren <anders.rundgren.net@gmail.com>
> Sent: Monday, September 16, 2019 11:14 AM
> To: Giridhar Mandyam <mandyam@qti.qualcomm.com>; Laurence Lundblade <lgl@island-resort.com>
> Cc: rats@ietf.org
> Subject: Re: [Rats] CWT and JWT are good enough?
> 
> 
> On 2019-09-16 19:42, Giridhar Mandyam wrote:
>> Yes, but that does not mean that JSON support is not required by Webauthn.
>>
>> Webauthn allows for the Android SafetyNet attestation format - see https://www.w3.org/TR/webauthn/#android-safetynet-attestation.  And SafetyNet comes in the form of a JSON object:  https://developer.android.com/training/safetynet/attestation#compat-check-response.
> 
> I would not base a major design decision on a single and rather unusual solution which BTW already is defined.
> 
> Anders
> 
>>
>> In other words, a Webauthn RP cannot just support CBOR and hope to cover all of the deployed implementations.
>>
>> -Giri Mandyam
>>
>> -----Original Message-----
>> From: RATS <rats-bounces@ietf.org> On Behalf Of Anders Rundgren
>> Sent: Monday, September 16, 2019 10:33 AM
>> To: Laurence Lundblade <lgl@island-resort.com>
>> Cc: rats@ietf.org
>> Subject: Re: [Rats] CWT and JWT are good enough?
>>
>>
>> The W3C apparently came to another conclusion although they target the most JSON-friendly place there is, the Web:
>> https://www.w3.org/TR/webauthn/#sctn-extension-request-parameters
>> That is, WebAuthn requires CBOR.
>>
>>
>> On 2019-09-16 18:35, Anders Rundgren wrote:
>>> On 2019-09-16 18:29, Laurence Lundblade wrote:
>>>>
>>>>
>>>>> On Sep 16, 2019, at 8:46 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>>>
>>>>> On 2019-09-16 17:30, Laurence Lundblade wrote:
>>>>>> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There’s been some really long email threads about it.
>>>>>> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
>>>>>
>>>>> Since everything crypto-wise in the JOSE stack is anyway covered in Base64Url, I don't see why one would bother with JWTs (or JSON at all, for that matter) in EAT.
>>>>
>>>> Pretty sure lots of people want to be able to express claims in JSON. It is far more prevalent (so I understand) on the server side than CBOR.
>>>
>>> Yes, but EAT is (IMO) not comparable to "normal" applications.
>>>
>>>> I think there is consensus in this WG that we will support JSON and CBOR (and thus COSE and JOSE) for claims.
>>>
>>> Right, and it will effectively force server-side software vendors to create TWO versions of everything.
>>> That's the hallmark of design by committee :-)
>>>
>>> Anders
>>>
>>>>
>>>> LL
>>>>
>>>
>>
>>
>
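The technical point argued in this thread is that a CBOR-encoded (CWT-style) claim set can travel inside a JSON document as a Base64Url string, exactly as the payload of a JWS does, so a JSON-only transport does not by itself require a second, JSON-native claim encoding. The following script is an added illustration of that point and is not code from the thread, from the EAT draft, or from any of the participants. It uses only the Python standard library: a small CBOR encoder/decoder covering the subset a claim map needs (integers, byte strings, text strings, maps), a JSON envelope whose `attestation` field name is an assumption made here, and the integer claim keys 1..6 from RFC 8392 (iss, sub, aud, exp, nbf, iat) with their JWT name equivalents, which is the two-registry mismatch mentioned earlier in the thread. The sample claim values are constructed.

```python
"""Added example: a CBOR/CWT-style claim set carried inside JSON as Base64Url.
Not code from the thread; the 'attestation' envelope field is an assumption."""
import base64
import json

# RFC 8392 Section 4: CWT integer claim keys and their JWT string names.
CWT_TO_JWT_NAME = {1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat"}


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte plus shortest-form argument for non-negative n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | info]) + n.to_bytes(width, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(v) -> bytes:
    """Encode ints, bytes, str and dict (the subset a claim map needs)."""
    if isinstance(v, bool):
        raise TypeError("bool not supported in this subset")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, dict):
        out = _head(5, len(v))
        for k, val in v.items():
            out += cbor_encode(k) + cbor_encode(val)
        return out
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode_item(data: bytes):
    """Decode one data item; return (value, remaining bytes)."""
    if not data:
        raise ValueError("truncated CBOR")
    major, info = data[0] >> 5, data[0] & 0x1F
    pos = 1
    if info < 24:
        n = info
    elif info in (24, 25, 26, 27):
        width = 1 << (info - 24)
        if len(data) < pos + width:
            raise ValueError("truncated CBOR argument")
        n = int.from_bytes(data[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("indefinite-length items and simple values not supported")
    body = data[pos:]
    if major == 0:
        return n, body
    if major == 1:
        return -1 - n, body
    if major in (2, 3):
        if len(body) < n:
            raise ValueError("truncated CBOR string")
        chunk = body[:n]
        return (chunk if major == 2 else chunk.decode("utf-8")), body[n:]
    if major == 5:
        m, rest = {}, body
        for _ in range(n):
            k, rest = _decode_item(rest)
            val, rest = _decode_item(rest)
            if k in m:
                raise ValueError("duplicate map key")  # reject ambiguous claim sets
            m[k] = val
        return m, rest
    raise ValueError(f"unsupported CBOR major type {major}")


def cbor_decode(data: bytes):
    item, rest = _decode_item(data)
    if rest:
        raise ValueError("trailing bytes after CBOR item")
    return item


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def wrap_in_json(claims: dict) -> str:
    """Carry the CBOR claim set in a JSON envelope, JOSE-style, as Base64Url."""
    return json.dumps({"attestation": b64url_encode(cbor_encode(claims))})


def unwrap_from_json(doc: str) -> dict:
    return cbor_decode(b64url_decode(json.loads(doc)["attestation"]))


def as_jwt_names(claims: dict) -> dict:
    """Present the same claims under JWT string names (a view, not a second format)."""
    return {CWT_TO_JWT_NAME.get(k, str(k)): v for k, v in claims.items()}


# Constructed sample: iss=1, sub=2, exp=4, iat=6 (RFC 8392 keys), values made up here.
SAMPLE_CLAIMS = {1: "example-issuer", 2: "device-1234", 4: 1568780700, 6: 1568694300}

if __name__ == "__main__":
    envelope = wrap_in_json(SAMPLE_CLAIMS)
    print(envelope)
    print(as_jwt_names(unwrap_from_json(envelope)))
```

The round trip shows the single encoding being transported over JSON unchanged; `as_jwt_names` only relabels the decoded map for JSON consumers, which is the kind of one-sided mapping a server would need instead of a second claim encoding. A real deployment would wrap the CBOR bytes in a COSE signature before Base64Url-encoding them; that step is omitted here because it is not what the thread is discussing.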