Re: [Rats] CWT and JWT are good enough?

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 17 September 2019 14:37 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] CWT and JWT are good enough?
Thread-Index: AQHVbKO+20AYCjwJr0SUZxdnUKOApKcucguAgAALeQCAABUfAIAAFS3QgAEk1gCAACSeQA==
Date: Tue, 17 Sep 2019 14:37:29 +0000
Message-ID: <VI1PR08MB53608AC7C82ABE07E5D0D07DFA8F0@VI1PR08MB5360.eurprd08.prod.outlook.com>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <CAHbuEH4fisaDTKOzEY2ZEfxiVyfZ4wYibdRzQUYxq4i8a8G_WQ@mail.gmail.com> <7EA14733-B470-4365-B4FA-FF2B63695464@island-resort.com> <30242.1568655684@localhost> <VI1PR08MB5360F2D6930190A12F754B6AFA8C0@VI1PR08MB5360.eurprd08.prod.outlook.com> <8854.1568723118@localhost>
In-Reply-To: <8854.1568723118@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/TLKXbyA_NEdk0qKAuQLAXYoF3GE>
List-Id: Remote Attestation Procedures <rats.ietf.org>

Hi Michael,

As mentioned in a follow-up email, I misread the mail from Laurence. Everything is cool.

Ciao
Hannes

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Sent: Tuesday, 17 September 2019 14:25
To: rats@ietf.org
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [Rats] CWT and JWT are good enough?


Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
    >>> - All EAT claims are Specification Required. No EAT claims can be just
    >>> Expert Review.

    >> I can live with that.


    > I am not OK with that. For JWTs we have been using an expert review
    > approach and that served the committee well.

I think we are not discussing the same things!
EAT claims that are standards need to be Specification Required, because that's the "bigger" of the JWT (Specification Required) and CWT requirements.

    > We would like to register vendor-specific claims for use within EAT
    > tokens and I can hardly see why anyone should have problems with it.

Please distinguish vendor-proprietary (private-use) claims from standards!  You are not talking about the same thing now.

rfc7519 section 4.2 allows for claims based upon Public Names, which means using a Collision-Resistant Name:

  Collision-Resistant Name
        A name in a namespace that enables names to be allocated in a
        manner such that they are highly unlikely to collide with other
        names.  Examples of collision-resistant namespaces include: Domain
        Names, Object Identifiers (OIDs) as defined in the ITU-T X.660
        and X.670 Recommendation series, and Universally Unique IDentifiers
        (UUIDs) [RFC4122].  When using an administratively
        delegated namespace, the definer of a name needs to take reasonable
        precautions to ensure they are in control of the portion of the
        namespace they use to define the name.

So any vendor-specific claim can be created by any vendor possessing a domain name, a PEN, or who can run "uuidgen" (on a development system).

RFC8392 provides for: Integer values less than -65536 are marked as Private Use.
But, Integer values greater than 65535 and strings of length greater than 2 are designated as Expert Review.

So it shouldn't be hard for a vendor-specific claim to get a number for CWT.
And within the space of "strings of length greater than 2" would be the identical string used for JWT, if you like.  Yes, shorter is better.

The point of this thread was that for Standards Track *RATS* WG claims, we will have to go with Specification Required, because that's the minimum common process for CWT and JWT.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

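As an added example (not from this thread, and not code from the RFC authors or the RATS WG), the two registration rules Michael quotes, written out as checks: the CWT Claims registry policy ranges from RFC 8392 section 9.1 (the thread quotes the Private Use and Expert Review ranges; the Standards Action and Specification Required ranges are taken from the same section), and a test that a JWT claim name is rooted in a collision-resistant namespace as RFC 7519 section 4.2 describes. The regexes and the `pen_oid` helper are my assumptions for illustration, not anything the RFCs define.

```python
import re
from typing import Union

# RFC 8392 section 9.1: registration policy by CWT claim key range.
# Integer keys are CBOR integers; string keys are CBOR text strings.
def cwt_claim_policy(key: Union[int, str]) -> str:
    """Return the IANA registration policy that a proposed CWT claim key falls under."""
    if isinstance(key, bool):
        raise TypeError("claim keys are integers or text strings")
    if isinstance(key, int):
        if -256 <= key <= 255:
            return "Standards Action"
        if -65536 <= key <= 65535:
            return "Specification Required"
        if key > 65535:
            return "Expert Review"
        return "Private Use"  # key < -65536: no registration at all
    if isinstance(key, str) and key:
        if len(key) == 1:
            return "Standards Action"
        if len(key) == 2:
            return "Specification Required"
        return "Expert Review"  # strings longer than 2 characters
    raise TypeError("claim keys are integers or non-empty text strings")

# RFC 7519 section 4.2: a Public Claim Name must contain a Collision-Resistant
# Name (domain name, OID or UUID). Patterns are an illustrative assumption:
# the namespace root, optionally followed by ':' or '/' and a local suffix.
_DOMAIN = re.compile(
    r"^(?:https?://)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}(?:[/:].+)?$", re.I)
_OID = re.compile(r"^(?:urn:oid:)?\d+(?:\.\d+)+(?:[/:].+)?$")
_UUID = re.compile(
    r"^(?:urn:uuid:)?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?:[/:].+)?$", re.I)

def is_collision_resistant_jwt_name(name: str) -> bool:
    """True if a JWT claim name is rooted in a domain name, OID or UUID namespace."""
    return bool(_DOMAIN.match(name) or _OID.match(name) or _UUID.match(name))

def pen_oid(pen: int, *suffix: int) -> str:
    """Build an OID under a vendor's IANA Private Enterprise Number arc (1.3.6.1.4.1.<PEN>)."""
    return ".".join(str(n) for n in (1, 3, 6, 1, 4, 1, pen, *suffix))

if __name__ == "__main__":
    # Constructed sample values for a hypothetical vendor claim.
    print(cwt_claim_policy(-70000), cwt_claim_policy("acme-model"))
    print(is_collision_resistant_jwt_name("example.com/device-model"), pen_oid(99999, 7))
```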