Re: [Rats] CWT and JWT are good enough?

Mike Jones <Michael.Jones@microsoft.com> Tue, 17 September 2019 05:12 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] CWT and JWT are good enough?
Thread-Index: AQHVbKPM+Oa5alYz8E2Hq/tir62y3acucguAgAALeACAABUgAIAAFdAAgAAG+QCAAKQ8oA==
Date: Tue, 17 Sep 2019 05:12:32 +0000
Message-ID: <MN2PR00MB057612F252470B616DBE3D66F58F0@MN2PR00MB0576.namprd00.prod.outlook.com>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <CAHbuEH4fisaDTKOzEY2ZEfxiVyfZ4wYibdRzQUYxq4i8a8G_WQ@mail.gmail.com> <7EA14733-B470-4365-B4FA-FF2B63695464@island-resort.com> <30242.1568655684@localhost> <VI1PR08MB5360F2D6930190A12F754B6AFA8C0@VI1PR08MB5360.eurprd08.prod.outlook.com> <D41D72B8-7580-4599-982D-FC9EE00DC8DA@island-resort.com>
In-Reply-To: <D41D72B8-7580-4599-982D-FC9EE00DC8DA@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/OzGMk3FrXZFWY5CD3oPUpkQumgo>
Subject: Re: [Rats] CWT and JWT are good enough?

+1 for EAT claims being Specification Required.

				-- Mike

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Laurence Lundblade
Sent: Monday, September 16, 2019 12:24 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; rats@ietf.org
Subject: Re: [Rats] CWT and JWT are good enough?



> On Sep 16, 2019, at 11:59 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
>>> - All EAT claims are Specification Required. No EAT claims can be 
>>> just Expert Review.
> 
>> I can live with that.
> 
> 
> I am not OK with that. For JWTs we have been using an expert review approach and that served the committee well.
> We would like to register vendor-specific claims for use within EAT tokens and I can hardly see why anyone should have problems with it.
> Furthermore, attestation is such a special field that there is no reason to be worried about companies flooding IANA with requests.

JWT doesn’t allow Expert Review. It only allows Specification Required.

Even with that there’s plenty of stuff in the JWT registry. Some have even called it questionable.


Also, the reason I say all EAT claims must be Specification Required is to avoid the divergence between CWT and JWT. I want to avoid “well, if you were using CWT then you could use that claim, but since you are using JWT, you can’t because it is not defined” and vice versa.

Unless we go out of our way, anyone can register a CWT claim under Expert Review only. They just can’t register it under JWT until they publish a Specification so they can get to the Specification Required level.

LL


_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats