Re: [Rats] UJCS standardization (relates to UCCS WG last call)

"Smith, Ned" <ned.smith@intel.com> Wed, 13 September 2023 18:41 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: "lgl island-resort.com" <lgl@island-resort.com>, rats <rats@ietf.org>
CC: Roman Danyliw <rdd@cert.org>
Date: Wed, 13 Sep 2023 18:41:07 +0000
Message-ID: <1E84D504-0FA7-4947-A8C0-42F094C15CA2@intel.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/WFG1ZS_JLn0HEucRlw4cEGspKm0>

Note also that draft-ietf-rats-eat-media-type mentions "UJCS" but doesn't reference the spec that defines it. 

Additionally, RFC8392 requires the contents of a CWT to contain CBOR. I don't think UCCS (which defines both CBOR and JSON) clearly explains whether it modifies the RFC8392 content requirements. In other words, is a UCCS (not UJCS) the same as a CWT minus the signature?

RFC7519 places similar constraints on the JWT payload (that it contains JSON). Does a UJCS expect to preserve the JWT content requirements minus the signature?

If draft-ietf-rats-uccs is intended to define "UJCS" then it probably is not named properly.

-Ned

On 9/13/23, 11:03 AM, "RATS on behalf of lgl island-resort.com" <rats-bounces@ietf.org on behalf of lgl@island-resort.com> wrote:

It was noticed during WG last call that UCCS does not standardize an unsigned claims set in JSON format, only CBOR (even though it provides a CDDL definition for JSON).

Here are a few comments/reasons for standardizing UJCS:

- EATs carrying attestation results are often B2B/server-server interactions where JSON+TLS is very common and the JWT signing overhead would be redundant.

- Lack of a UJCS standard sticks out as a missing piece in the document set of EAT, UCCS and EAT media types. It’s like we painted all the doors and windows of a house a pretty color except one. It’s a gap in the set of EAT, EAT Nesting, EAT Bundles and EAT collections.

- It’s true that the original motivating use cases were only for UCCS, but EAT grew up and filled in to support JSON.

- Beyond attestation, sending JSON claim sets secured with TLS seems like it would get a lot of use. Not my area, but I suspect lots are doing it in some form now and there might be some broader benefit.

- JWT does have the NULL-cipher option, but its use is awkward, discouraged, a bit complex and wasteful.

Here are the document options I can see for UJCS:
- Add it to UCCS now.
- A new RATS standards track document. It will be a small document, but it will have to go through the whole process.

I haven’t heard anyone opposing UJCS, just a preference that we get UCCS done soon. If we don’t put it in the UCCS draft, I will probably write up a new document myself and push it through RATS. I feel like EAT is not done without it.

I feel for the reader of the complicated document set of JWT, CWT, EAT, EAT media types and UCCS (plus COSE and CBOR). One more document adds to this.

I did look at what it would take to add it to the UCCS draft and it doesn’t seem too difficult. The biggest disruption seems like the name change. The CDDL is already there. I will try to help with the authorship in UCCS.

Also, sorry I didn’t notice until now. I had years.

LL
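To make concrete the difference discussed above between JWT's "alg":"none" option (an Unsecured JWT, RFC 7519 section 6) and a bare JSON claims set as UJCS would be, here is an added Python example; it is not from the thread's authors or from any RATS draft. The claim values are constructed, and the opt-in parameter for accepting an Unsecured JWT is this example's own design, standing in for the "TLS already secures it" context the post describes.

```python
"""Unsecured JWT (RFC 7519 section 6) versus a bare JSON claims set.
Illustrative code for this page; claim values are constructed."""
import base64
import json

# Constructed EAT-style claims set; the values are invented for illustration.
CLAIMS = {"iss": "https://verifier.example", "eat_nonce": "AAECAw",
          "ueid": "AQID", "iat": 1694630400}


def b64url(data: bytes) -> str:
    # base64url without padding, as JWS compact serialization requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def unsecured_jwt(claims: dict) -> str:
    """RFC 7519 section 6: header {"alg":"none"}, payload, empty signature."""
    header = b64url(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def ujcs(claims: dict) -> str:
    """Bare JSON claims set: the JWT payload with no JOSE wrapping at all."""
    return json.dumps(claims, separators=(",", ":"))


def parse_claims(token: str, allow_unsecured_jwt: bool = False) -> dict:
    """Accept a bare JSON claims set; accept an Unsecured JWT only when the
    caller opts in (another layer such as TLS is providing integrity).
    A real signed JWT must go to a JWS library, never through this path."""
    if token.startswith("{"):
        return json.loads(token)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "none" or parts[2] != "":
        raise ValueError("signed JWT: verify it with a real JWS library")
    if not allow_unsecured_jwt:
        raise ValueError("Unsecured JWT not accepted in this context")
    return json.loads(b64url_decode(parts[1]))


def overhead_bytes(claims: dict) -> int:
    """Extra bytes the alg=none wrapping costs over the bare claims set."""
    return len(unsecured_jwt(claims)) - len(ujcs(claims))
```

For the constructed claims set the wrapping adds 50 bytes of header and base64url expansion while conveying no security, which is the "wasteful" point in the post; the default-deny on alg=none is the check a verifier needs so that a token intended as unsecured is never mistaken for a verified one.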


_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats