Re: [Rats] CWT and JWT are good enough?

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 16 September 2019 16:35 UTC

To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <b599af98-1d11-cc86-0942-4185135d5c85@gmail.com> <4D0DEE05-C66C-4BCF-B1BA-67203779F35D@island-resort.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <5945e80b-91b0-95d7-d45e-4393ff9894d9@gmail.com>
Date: Mon, 16 Sep 2019 18:35:26 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/_cqYhJ2Mracj2WDOHJPFuthwi0w>

On 2019-09-16 18:29, Laurence Lundblade wrote:
> 
> 
>> On Sep 16, 2019, at 8:46 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> On 2019-09-16 17:30, Laurence Lundblade wrote:
>>> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There’s been some really long email threads about it.
>>> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
>>
>> Since everything crypto-wise in the JOSE stack anyway is covered in Base64Url, I don't see why one would bother with JWTs (or JSON at all for that matter) in EAT.
> 
> Pretty sure lots of people want to be able to express claims in JSON. It is far more prevalent (so I understand) on the server side than CBOR.

Yes, but EAT is (IMO) not comparable to "normal" applications.

> I think there is consensus in this WG that we will support JSON and CBOR (and thus COSE and JOSE) for claims.

Right, and it will effectively force server-side software vendors to create TWO versions of everything.
That's the hallmark of design by committee :-)

Anders

> 
> LL
>