Re: [Rats] CWT and JWT are good enough?

Giridhar Mandyam <mandyam@qti.qualcomm.com> Mon, 16 September 2019 17:42 UTC

From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Mon, 16 Sep 2019 17:42:14 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/VKZOTiELQ9FWbA1bhO3eXWWSmM4>

Yes, but that does not mean that JSON support is not required by WebAuthn.

WebAuthn allows for the Android SafetyNet attestation format - see https://www.w3.org/TR/webauthn/#android-safetynet-attestation. And SafetyNet comes in the form of a JSON object: https://developer.android.com/training/safetynet/attestation#compat-check-response.

In other words, a WebAuthn RP cannot just support CBOR and hope to cover all of the deployed implementations.

-Giri Mandyam

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Anders Rundgren
Sent: Monday, September 16, 2019 10:33 AM
To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
Subject: Re: [Rats] CWT and JWT are good enough?

The W3C apparently came to another conclusion although they target the most JSON-friendly place there is, the Web:
https://www.w3.org/TR/webauthn/#sctn-extension-request-parameters
That is, WebAuthn requires CBOR.


On 2019-09-16 18:35, Anders Rundgren wrote:
> On 2019-09-16 18:29, Laurence Lundblade wrote:
>>
>>
>>> On Sep 16, 2019, at 8:46 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>
>>> On 2019-09-16 17:30, Laurence Lundblade wrote:
>>>> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There’s been some really long email threads about it.
>>>> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
>>>
>>> Since everything crypto-wise in the JOSE stack anyway is covered in Base64Url, I don't see why one would bother with JWTs (or JSON at all for that matter) in EAT.
>>
>> Pretty sure lots of people want to be able to express claims in JSON. It is far more prevalent (so I understand) on the server side than CBOR.
> 
> Yes, but EAT is (IMO) not comparable to "normal" applications.
> 
>> I think there is consensus in this WG that we will support JSON and CBOR (and thus COSE and JOSE) for claims.
> 
> Right and it will effectively force server-side software vendors creating TWO versions of everything.
> That's the hallmark of design by committee :-)
> 
> Anders
> 
>>
>> LL
>>
> 

_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats
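The "two versions of everything" that Anders and Laurence discuss above, seen from the verifier side, as an added example that is not part of this thread or of any RATS WG code: one normalisation step that accepts either an RFC 8392 CWT claims map (CBOR, integer labels) or an RFC 7519 JWT claims set (JSON, string names) and applies a single claim policy to both, including the cti/jti type mismatch Laurence alludes to. The CBOR decoder is a hand-written subset, the sample payloads are constructed, and COSE/JOSE signature verification is assumed to have already happened.

```python
import json
# Added example for this thread, not RATS WG code: one verifier view over CWT
# (CBOR, integer labels) and JWT (JSON, string names). Samples are constructed.

# RFC 8392 labels -> RFC 7519 names. 7 is the wart: CWT cti is bstr, JWT jti is tstr.
CWT_TO_JWT = {1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "jti"}

def _cbor_item(buf, pos):
    """Decode one CBOR item at buf[pos]; major types 0-3 and 5 only."""
    mt, ai, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if 24 <= ai <= 27:                     # 1/2/4/8-byte argument follows
        width = 1 << (ai - 24)
        ai, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    elif ai > 27:
        raise ValueError("indefinite-length items not supported")
    if mt in (0, 1):                       # unsigned / negative integer
        return (ai if mt == 0 else -1 - ai), pos
    if mt in (2, 3):                       # byte string / UTF-8 text string
        raw = buf[pos:pos + ai]
        return (raw if mt == 2 else raw.decode("utf-8")), pos + ai
    if mt == 5:                            # map with ai key/value pairs
        out = {}
        for _ in range(ai):
            key, pos = _cbor_item(buf, pos)
            out[key], pos = _cbor_item(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % mt)

def normalise_claims(payload, encoding):
    """Map a CWT (CBOR) or JWT (JSON) claims set to {jwt_name: value}."""
    if encoding == "cwt":
        out = {}
        for label, value in _cbor_item(payload, 0)[0].items():
            name = CWT_TO_JWT.get(label, str(label))
            # cti is a byte string; render it as hex so both views compare equal
            out[name] = value.hex() if name == "jti" and isinstance(value, bytes) else value
    elif encoding == "jwt":
        out = dict(json.loads(payload))
    else:
        raise ValueError("unknown encoding %r" % encoding)
    missing = {"iss", "exp"} - set(out)    # one policy, applied to both encodings
    if missing:
        raise ValueError("missing claims: %s" % sorted(missing))
    return out

# Constructed samples carrying the same three claims in both encodings.
CWT_SAMPLE = (b"\xa3\x01\x75coap://as.example.com\x04\x1a"   # map(3), 1:tstr(21), 4:uint32
              + (1568655736).to_bytes(4, "big") + b"\x07\x42\x0b\x71")  # 7: bstr(2)
JWT_SAMPLE = b'{"iss":"coap://as.example.com","exp":1568655736,"jti":"0b71"}'
```

Both samples normalise to the same dictionary, which is exactly the property a verifier needs if it is to write its claim checks once rather than twice.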