Re: [Rats] CWT and JWT are good enough?

Laurence Lundblade <lgl@island-resort.com> Mon, 16 September 2019 19:24 UTC

From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <VI1PR08MB5360F2D6930190A12F754B6AFA8C0@VI1PR08MB5360.eurprd08.prod.outlook.com>
Date: Mon, 16 Sep 2019 12:24:26 -0700
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Message-Id: <D41D72B8-7580-4599-982D-FC9EE00DC8DA@island-resort.com>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <CAHbuEH4fisaDTKOzEY2ZEfxiVyfZ4wYibdRzQUYxq4i8a8G_WQ@mail.gmail.com> <7EA14733-B470-4365-B4FA-FF2B63695464@island-resort.com> <30242.1568655684@localhost> <VI1PR08MB5360F2D6930190A12F754B6AFA8C0@VI1PR08MB5360.eurprd08.prod.outlook.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/dfErh8GO7Ns4oQi3hXcXRSdV1p0>


> On Sep 16, 2019, at 11:59 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
>>> - All EAT claims are Specification Required. No EAT claims can be just
>>> Expert Review.
> 
>> I can live with that.
> 
> 
> I am not OK with that. For JWTs we have been using an expert review approach and that served the committee well.
> We would like to register vendor-specific claims for use within EAT tokens and I can hardly see why anyone should have problems with it.
> Furthermore, attestation is such a special field that there is no reason to be worried about companies flooding IANA with requests.

JWT doesn’t allow Expert Review. It only allows Specification Required.

Even with that there’s plenty of stuff in the JWT registry. Some have even called it questionable.


Also, the reason I say all EAT claims must be Specification Required is to avoid the divergence between CWT and JWT. I want to avoid “well, if you were using CWT then you could use that claim, but since you are using JWT, you can’t because it is not defined” and vice versa.

Unless we go out of our way, anyone can register a CWT claim under Expert Review only. They just can’t register it under JWT until they publish a Specification so they can get to the Specification Required level.

LL