IETF Logo Mail Archive

Re: [Rats] Vetting claim definitions

Mike Jones <Michael.Jones@microsoft.com> Wed, 05 June 2019 17:31 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C54E12011B for <rats@ietfa.amsl.com>; Wed, 5 Jun 2019 10:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0iTBZ4BXF9zy for <rats@ietfa.amsl.com>; Wed, 5 Jun 2019 10:31:01 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650101.outbound.protection.outlook.com [40.107.65.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7567712006E for <rats@ietf.org>; Wed, 5 Jun 2019 10:31:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=qvDTD4qwvPLBAB7L958vGjPlg/F8WX+FkyZR3PzSttlQByVspDI9UD6IKHctSUVnxjowcd4kl9uxpCDn04P+WhbXaCrjwiRhq83zovP0UA0FTrP0lRVVhqMRuTLbWorW+RevlHdq3JBZO68hVq1wdoaWkRTEqQS3hetGpb/GQBw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K1I3DVk7QNSZmW6128Mr48Kupr+AfU3iHlCU5BLAvaE=; b=LC8x/smzNjdawpfAxBYW6nYfTYWTAygqWQ/h/ApRJEUfQskReDfYZCmU0/426yWix8NL+ce9h57rE4m3Oz6XzlgJ6jUUk9FTrgbUxiCFNzUywoRKLNiaIHg5ot3EwStvgDY9pW5/X1z6NUqEwykjvyvEYN8SZTm5pAH9JBUDogU=
ARC-Authentication-Results: i=1; test.office365.com 1;spf=none;dmarc=none;dkim=none;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K1I3DVk7QNSZmW6128Mr48Kupr+AfU3iHlCU5BLAvaE=; b=l96FS86IJSniNRFqd4v3Ug+GIIyJoHR2cx0ATYnnknwiOzvUypm+uk64YlY1YdwDVr0zWj396MAytRstYixMVYyyGravLIyAS8I2dp3Gf+0uUfNOXSiPfLPcBLrS2yFZPBwxRsf+wp5OgtlXLKgVJLVcgk7CvVMGzmShtT8GOLM=
Received: from BL0PR00MB0292.namprd00.prod.outlook.com (52.132.19.158) by BL0PR00MB0385.namprd00.prod.outlook.com (52.132.20.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2004.0; Wed, 5 Jun 2019 17:30:59 +0000
Received: from BL0PR00MB0292.namprd00.prod.outlook.com ([fe80::c8e1:6022:9bc3:5b73]) by BL0PR00MB0292.namprd00.prod.outlook.com ([fe80::c8e1:6022:9bc3:5b73%5]) with mapi id 15.20.2005.000; Wed, 5 Jun 2019 17:30:59 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Vetting claim definitions
Thread-Index: AQHVG7XVbraN3V8Gs0WRMkd4jETRWqaNUNhQ
Date: Wed, 05 Jun 2019 17:30:58 +0000
Message-ID: <BL0PR00MB029274A33B44A0B8CE310C0BF5160@BL0PR00MB0292.namprd00.prod.outlook.com>
References: <BC6D5D3A-BD2F-496E-AA68-D2A758A33843@island-resort.com> <12913.1559739926@localhost> <30754CD8-98AB-4080-952E-880BC630EC69@island-resort.com>
In-Reply-To: <30754CD8-98AB-4080-952E-880BC630EC69@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=b1ecc555-a57b-4de2-ba4c-0000e243b876; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-06-05T17:28:48-0800; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.93.218]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ab6889cf-c142-4a18-e0aa-08d6e9db92d4
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:BL0PR00MB0385;
x-ms-traffictypediagnostic: BL0PR00MB0385:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BL0PR00MB03853FB2E4871438EAE83236F5160@BL0PR00MB0385.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 00594E8DBA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(396003)(366004)(136003)(39860400002)(124014002)(199004)(189003)(476003)(73956011)(66476007)(66446008)(64756008)(71190400001)(71200400001)(22452003)(66946007)(76116006)(33656002)(6436002)(316002)(8676002)(99286004)(10090500001)(8990500004)(8936002)(486006)(6506007)(81156014)(102836004)(9686003)(81166006)(236005)(53546011)(76176011)(606006)(6246003)(7696005)(256004)(66066001)(7736002)(25786009)(86362001)(68736007)(4326008)(790700001)(14454004)(6306002)(54896002)(55016002)(66556008)(72206003)(53936002)(2906002)(5660300002)(11346002)(110136005)(26005)(446003)(74316002)(52536014)(10290500003)(478600001)(966005)(229853002)(186003)(3846002)(6116002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR00MB0385; H:BL0PR00MB0292.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: bKp1DkKcSS8MY+AzLI6JdPpRmmmGvop8qS1MJd4Rxcxtj5NSiiC6GqDzDY27N37GyWEwZl00chpPrCxxnbodJBVDyw1rBor8mzI65YiRsZI2e1cfh25k217MW16iXwO/TReStcYHSmoT3hgZawlBLgHUFcmZTqBNN1doYucQlc7j+bqrhNMZ2Ar9BpW6C3nl0TYWTyZVvMaIo3uop1R1eR6sUlOsAv0fWAm7CqBIIQB5XQTDi2lPaFsLQ4sl8Rqzwvkg3iG4v6tKXy/bDguN0NFBSAMxot8e+7K/7WkFSXK+AftC1Rgu42ZERkh4lVCZkNZmwnR/lKORdxCotBH/dURRFD5tZNO/RzZELID0EwvYKNsey2SEWnQce/eVISBU8jqMldLYoA6ht++IbO6uzYIM5Ga6XPp14zkqT7Dy00w=
Content-Type: multipart/alternative; boundary="_000_BL0PR00MB029274A33B44A0B8CE310C0BF5160BL0PR00MB0292namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ab6889cf-c142-4a18-e0aa-08d6e9db92d4
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jun 2019 17:30:58.8139 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mbj@microsoft.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR00MB0385
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/aF6Zh1XPvwmux1v1mF7q371W9-c>
Subject: Re: [Rats] Vetting claim definitions
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2019 17:31:04 -0000

Actually, normal (non-collision-resistant) JWT claims *are* allocated on a specification required basis with expert review.  See this text at https://tools.ietf.org/html/rfc7519#section-10.1:

   Values are registered on a Specification Required [RFC5226<https://tools.ietf.org/html/rfc5226>] basis
   after a three-week review period on the jwt-reg-review@ietf.org
   mailing list, on the advice of one or more Designated Experts.
   However, to allow for the allocation of values prior to publication,
   the Designated Experts may approve registration once they are
   satisfied that such a specification will be published.

So a specification can easily register both JWT and CWT claims.

                                                       -- Mike

From: Laurence Lundblade <lgl@island-resort.com>
Sent: Wednesday, June 5, 2019 8:46 AM
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rats@ietf.org; Mike Jones <Michael.Jones@microsoft.com>
Subject: Re: [Rats] Vetting claim definitions

Below…
+ Mike Jones, co-author of CWT


On Jun 5, 2019, at 6:05 AM, Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> wrote:


Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:

— Today CWT allocates millions of slots for expert review. No
specification is required, but some information should be provided.


JWT doesn’t seem to have this, which is maybe why it is messier. It
kind of seems bad and wrong that it doesn’t to me.

JWT doesn't have this because the claims are "unlimited" length strings, so
one can always make up a unique string in lieu of registration.
 org.island-resort.lgl.whateverstringyouwant

is probably completely yours :-)
Of course, if you want to interoperate you need to agree about how, so there
are some advantages of a forcing function that demands you write things down
first :-)

Unlimited length string claim names are fully part of CWT. Also, COSE allows them for headers, algorithm names and such too. So from a syntax view CWT and COSE are the same as JWT in allowing long string names.

However, COSE and CWT are different in the management of the string name space:

Strings of length 1            Standards Action
Strings of length 2            Specification Required
Strings of length greater than 2    Expert Review

These, along with the integer names space rules, then imply:

Integer values less than -65536 are the only ones free for use with no review or processing by IANA and experts.

JWT also has this notion of Collision-Resistant Name based on OIDs or UUIDs, which is essentially some rules to make up names that don’t go into an IANA registry and are still unique and won’t collide.

JWT could have done what CWT does. Seems to me that CWT has taken a radically more managed approach to the super-open JWT approach. Maybe the CWT folks realized the JWT design was poor.


At any rate, there seems to be some consensus here that the CWT approach is what we want for attestation. It is also the more recent and thus maybe more advanced thinking.

I’m hoping we can find our way to just accept the CWT claim naming management scheme as is for attestation. If other CWT-based efforts did the same (draft-birkholz-core-coid) did the same then the world would be much simpler.

However that still leaves open some issue with JWT namespace management. (We do want JSON based attestation to be JWT’s, right? Just the same as CBOR-based attestation are CWT’s).

LL

v2.23.0 | Report a Bug | By Email