Re: [Rats] EAT as a JWT/CWT
Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 27 May 2019 16:50 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E99E120169 for <rats@ietfa.amsl.com>; Mon, 27 May 2019 09:50:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qogQWE4noNxa for <rats@ietfa.amsl.com>; Mon, 27 May 2019 09:50:23 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 653FF12015A for <rats@ietf.org>; Mon, 27 May 2019 09:50:23 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id f10so111042wmb.1 for <rats@ietf.org>; Mon, 27 May 2019 09:50:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=uEytM00XXurCSGYv3id6XysFcKZV5MSuQyAXdNLnPnw=; b=D2c2oxa8hYtT+j+kIaIYSPOYI310n3eGkx+QjlsMdvSeNGcK+gorQfEoszOO0v+3EH 83tNmYtZ3HPNJKrug7el+FvNsKHDsLgY/HPKgFbDaIe8Pp/7rpa/waNL+xq/T5koqJ9B Fazuob/9nXxuVKIn+/p/HpXz/f88/8RBXFPD+LtAn8CMKpNEQA3R/na1NZ4DXn35C5DN vYIo/f5LdwhO6d1U9pxHfqoC40GkEGZN9gQwXYnA9jjefsfL+DRlQc4ue2fB8Q9zM8tz MWR0ka3BmcScUXtFkFotN7SQZtynN04YXGL60xftGRYuZW3KmX3rVAgZPWqsYnDjmpoS jNHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=uEytM00XXurCSGYv3id6XysFcKZV5MSuQyAXdNLnPnw=; b=IzHVcef9byjznIFc06G9p59GM2isGzNx2Aw1AKibOSBTmi9YWg0ZaomuV5z1+bePMU eC8eZCdxIRx0TUBv9nEv3C9BWqZWH+QIursvh4l9oYQ8EovrfXmgrqByIKHagDgk+8kX fmA4wusbbfTjygmbHd2bDgkjJga5iXtL32HIW1icnFB5UDU2l33VhDc5sjw+BVN2OPmN nqJsd/r1fNpLqTpUVtw9Dw/WROQYHMbIn2IjxiyeRA8+r3OJAnOckzFB1myE0yNbsl5u wGFD6varMj+ayedUQtzIghTr1X8UsBY0InlCzKTQPCRQKf8eemD5zxbANCPYUR37SRbq wMMw==
X-Gm-Message-State: APjAAAUNQ/3XOAiD3JlHs8RezeAIAC9C3o1ovZKZH+xwUDfoWQm2UWIM mnDeKVXGt+9z/IAOUS1O+uST1xCq/Rs=
X-Google-Smtp-Source: APXvYqzKu5J7D1yip7txa9JUxdTtkhYRYZSGgoZSTgcsELaO3PI0B9JLJVV0TZhVZstB+wWKD8IHyQ==
X-Received: by 2002:a7b:c301:: with SMTP id k1mr5982wmj.43.1558975821324; Mon, 27 May 2019 09:50:21 -0700 (PDT)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id a128sm20466wmc.13.2019.05.27.09.50.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 May 2019 09:50:20 -0700 (PDT)
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Giridhar Mandyam <mandyam@qti.qualcomm.com>, "rats@ietf.org" <rats@ietf.org>
References: <52FF65B5-EF11-4F10-BBB0-922F32D950BB@island-resort.com> <42e4a9b3-0bd9-89c1-1b3b-21fc0636aa9c@gmail.com> <777a2b270bff40f9becd2dffcf3934fb@NASANEXM01C.na.qualcomm.com> <28EEA398-9C90-4DE0-B43F-841436C444DD@tzi.org> <c60de414d5ec43aa9734bfa331a5fa8c@NASANEXM01C.na.qualcomm.com> <aa0612bf-5bdb-d621-33ee-2e6f834c0d4c@sit.fraunhofer.de>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <f3cd699e-1d92-3529-0525-3f73688d94b1@gmail.com>
Date: Mon, 27 May 2019 18:50:17 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <aa0612bf-5bdb-d621-33ee-2e6f834c0d4c@sit.fraunhofer.de>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/T1OmyXyprQ5ItvBm_9PxZ7LRrmA>
Subject: Re: [Rats] EAT as a JWT/CWT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 16:50:26 -0000
On 2019-05-27 18:37, Henk Birkholz wrote: > Hi Giri, > > as the JCS effort (that still might have to prove itself) > >> https://datatracker.ietf.org/doc/draft-rundgren-json-canonicalization-scheme/ > > shows, the question on how to serialize JSON in a manner that renders > signing and validation a simple task is still an open one. JCS actually works great :) Everything is though not completely transparent. However, converting a 64-bit integer in CBOR to JSON doesn't have a clear definition. The EAT authors are therefore essentially on their own if this is what is required. I would personally abstain from such endeavors. Anders JSON serialization guru. > > Jumping from that to an "agreed-upon methodology for casting a CWT (EAT) > to a JWT" might be a quite big jump (maybe omitting some carefully > considered steps in between). I am not trying to say that it is > impossible or unfeasible, just that there are quite some factors to take > into account here. > > Viele Grüße, > > Henk > > > On 5/27/19 6:07 PM, Giridhar Mandyam wrote: >>>>> AFAIK the FIDO do not use JWT, neither does Android. >>> >>>> FIDO 2 allows for the Android SafetyNet Attestation, which is generally considered to return its response as a JWT: https://medium.com/@herrjemand/verifying-fido2-safetynet-attestation-bd261ce1978d. The actual SafetyNet attestation documentation lists the returned object as a JWS: https://developer.android.com/training/safetynet/attestation. >> >>> Yes. But why would you want to do this for new stuff? >> >> That was not really what I was intending to address. There was an inaccurate comment on the mailing list, and I was putting out a clarification. >> >> But since you asked, in general with CBOR/COSE/CWT specifications, there is not (IMO) sufficient consideration with respect to interoperability with legacy systems. What I personally would like to see is a general methodology for casting CWT's to JWT's and vice versa, and x.509's to CBOR certs. Granted, contributions such as https://tools.ietf.org/html/draft-raza-ace-cbor-certificates-01 seem to begin to address this topic, but such efforts are nascent and it is unclear whether they will achieve widespread adoption. >> >> In the absence of a agreed-upon methodology for casting a CWT (EAT) to a JWT, then we cannot really guarantee that EAT -> JWT transcoding will achieve the intended result. We could of course insist that all implementors just accept EAT as the future and not worry about legacy interop, but (based on my experience) this is a tough sell to service providers who have invested a lot in their existing authentication systems. >> >> Note that I have not performed an extensive survey on CBOR/JSON interoperability. If there is some emerging methodology that will address these issues, then I would say that we wouldn't need to worry about how EAT is cast to a JWT. We could just point to such a methodology and call it a day. >> >> -Giri >> >> -----Original Message----- >> From: Carsten Bormann <cabo@tzi.org> >> Sent: Monday, May 27, 2019 8:29 AM >> To: Giridhar Mandyam <mandyam@qti.qualcomm.com> >> Cc: rats@ietf.org >> Subject: Re: [Rats] EAT as a JWT/CWT >> >> On May 27, 2019, at 17:01, Giridhar Mandyam <mandyam@qti.qualcomm.com> wrote: >>> >>>> AFAIK the FIDO do not use JWT, neither does Android. >>> >>> FIDO 2 allows for the Android SafetyNet Attestation, which is generally considered to return its response as a JWT: https://medium.com/@herrjemand/verifying-fido2-safetynet-attestation-bd261ce1978d. The actual SafetyNet attestation documentation lists the returned object as a JWS: https://developer.android.com/training/safetynet/attestation. >> >> Yes. But why would you want to do this for new stuff? >> >> Of course, you may need to ship around legacy data. X.509 certificates, some JWS, etc. >> But the new EAT tokens? Why create diversity that virtually doubles specification, implementation, and validation effort? >> >> Grüße, Carsten >> >> _______________________________________________ >> RATS mailing list >> RATS@ietf.org >> https://www.ietf.org/mailman/listinfo/rats >> > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] EAT as a JWT/CWT Laurence Lundblade
- Re: [Rats] EAT as a JWT/CWT Anders Rundgren
- Re: [Rats] EAT as a JWT/CWT Laurence Lundblade
- Re: [Rats] EAT as a JWT/CWT Anders Rundgren
- Re: [Rats] EAT as a JWT/CWT Giridhar Mandyam
- Re: [Rats] EAT as a JWT/CWT Carsten Bormann
- Re: [Rats] EAT as a JWT/CWT Giridhar Mandyam
- Re: [Rats] EAT as a JWT/CWT Henk Birkholz
- Re: [Rats] EAT as a JWT/CWT Anders Rundgren
- Re: [Rats] EAT as a JWT/CWT Michael Richardson
- Re: [Rats] EAT as a JWT/CWT Laurence Lundblade
- Re: [Rats] EAT as a JWT/CWT Michael Richardson
- Re: [Rats] EAT as a JWT/CWT Laurence Lundblade