Re: [Rats] CWT and JWT are good enough?

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 16 September 2019 18:14 UTC

To: Giridhar Mandyam <mandyam@qti.qualcomm.com>, Laurence Lundblade <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <b599af98-1d11-cc86-0942-4185135d5c85@gmail.com> <4D0DEE05-C66C-4BCF-B1BA-67203779F35D@island-resort.com> <5945e80b-91b0-95d7-d45e-4393ff9894d9@gmail.com> <163c0d07-aae6-2ae6-98e9-1f8830b3c690@gmail.com> <15afd05323c4465582e4a3b296f73030@NASANEXM01C.na.qualcomm.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <926e31d3-b7e5-4537-4e8d-4addb0965b6b@gmail.com>
Date: Mon, 16 Sep 2019 20:14:10 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <15afd05323c4465582e4a3b296f73030@NASANEXM01C.na.qualcomm.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/QoyaivX6JFrTAwlgcRl-ZWqES8s>
Subject: Re: [Rats] CWT and JWT are good enough?
List-Id: Remote Attestation Procedures <rats.ietf.org>

On 2019-09-16 19:42, Giridhar Mandyam wrote:
> Yes, but that does not mean that JSON support is not required by Webauthn.
> 
> Webauthn allows for the Android SafetyNet attestation format - see https://www.w3.org/TR/webauthn/#android-safetynet-attestation.  And SafetyNet comes in the form of a JSON object:  https://developer.android.com/training/safetynet/attestation#compat-check-response.

I would not base a major design decision on a single and rather unusual solution which BTW already is defined.

Anders

> 
> In other words, a Webauthn RP cannot just support CBOR and hope to cover all of the deployed implementations.
> 
> -Giri Mandyam
> 
> -----Original Message-----
> From: RATS <rats-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Monday, September 16, 2019 10:33 AM
> To: Laurence Lundblade <lgl@island-resort.com>
> Cc: rats@ietf.org
> Subject: Re: [Rats] CWT and JWT are good enough?
> 
> 
> The W3C apparently came to another conclusion although they target the most JSON-friendly place there is, the Web:
> https://www.w3.org/TR/webauthn/#sctn-extension-request-parameters
> That is, WebAuthn requires CBOR.
> 
> 
> On 2019-09-16 18:35, Anders Rundgren wrote:
>> On 2019-09-16 18:29, Laurence Lundblade wrote:
>>>
>>>
>>>> On Sep 16, 2019, at 8:46 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>>
>>>> On 2019-09-16 17:30, Laurence Lundblade wrote:
>>>>> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There have been some really long email threads about it.
>>>>> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
>>>>
>>>> Since everything crypto-wise in the JOSE stack anyway is covered in Base64Url, I don't see why one would bother with JWTs (or JSON at all for that matter) in EAT.
>>>
>>> Pretty sure lots of people want to be able to express claims in JSON. It is far more prevalent (so I understand) on the server side than CBOR.
>>
>> Yes, but EAT is (IMO) not comparable to "normal" applications.
>>
>>> I think there is consensus in this WG that we will support JSON and CBOR (and thus COSE and JOSE) for claims.
>>
>> Right, and it will effectively force server-side software vendors to create TWO versions of everything.
>> That's the hallmark of design by committee :-)
>>
>> Anders
>>
>>>
>>> LL
>>>
>>
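As an added example (not code from this thread, the WebAuthn spec or SafetyNet), here is the relying-party side of Giri's point: the WebAuthn attestationObject is CBOR, but for the android-safetynet format the attStmt carries a compact JWS whose header and payload are JSON, so a verifier needs both a CBOR and a JSON/base64url parser. It assumes a hand-rolled minimal CBOR decoder (uints, strings, maps only) and a constructed sample response with a placeholder certificate and dummy signature; signature and nonce verification are noted in comments, not performed.

```python
import base64, json

def _hdr(major, n):  # CBOR initial byte(s) for argument n < 65536 (RFC 8949)
    if n < 24: return bytes([major << 5 | n])
    if n < 256: return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def cbor_decode(buf, pos=0):  # minimal decoder: uints, byte/text strings, maps
    major, ai, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if ai < 24: n = ai
    elif ai == 24: n, pos = buf[pos], pos + 1
    elif ai == 25: n, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else: raise ValueError("unsupported CBOR argument %d" % ai)
    if major == 0: return n, pos
    if major == 2: return bytes(buf[pos:pos + n]), pos + n
    if major == 3: return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 5:
        out = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            out[k], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def b64url(raw):  # JOSE base64url, no padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_attestation(att_obj):
    """Decode the CBOR attestationObject; for android-safetynet also open the JSON JWS."""
    obj, _ = cbor_decode(att_obj)
    result = {"fmt": obj["fmt"], "authData": obj["authData"]}
    if obj["fmt"] == "android-safetynet":
        # attStmt.response is a compact JWS: b64url(JSON header).b64url(JSON payload).b64url(sig)
        hdr, payload, sig = obj["attStmt"]["response"].decode().split(".")
        result["jws_header"] = json.loads(b64url_decode(hdr))
        result["jws_payload"] = json.loads(b64url_decode(payload))
        result["signature"] = b64url_decode(sig)  # verify against header x5c[0] before trusting payload
    return result

# Constructed sample (not a real SafetyNet response): placeholder cert, dummy 8-byte signature.
# A real verifier must also check that payload nonce == SHA-256(authData || clientDataHash).
_HEADER = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT-BASE64"]}
_PAYLOAD = {"nonce": "PLACEHOLDER-NONCE", "timestampMs": 1568657653740, "ctsProfileMatch": True}
_JWS = ".".join([b64url(json.dumps(_HEADER).encode()),
                 b64url(json.dumps(_PAYLOAD).encode()), b64url(b"\x00" * 8)]).encode()
_tstr = lambda s: _hdr(3, len(s)) + s.encode()
_bstr = lambda b: _hdr(2, len(b)) + b
SAMPLE_ATTESTATION = (_hdr(5, 3) + _tstr("fmt") + _tstr("android-safetynet")
    + _tstr("attStmt") + _hdr(5, 2) + _tstr("ver") + _tstr("1") + _tstr("response") + _bstr(_JWS)
    + _tstr("authData") + _bstr(b"\x00" * 37))  # 37 zero bytes stand in for authenticator data
```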