Re: [Rats] Call for Adoption: EAT draft

Simon Frost <Simon.Frost@arm.com> Mon, 03 June 2019 16:23 UTC

From: Simon Frost <Simon.Frost@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "Eric Voit (evoit)" <evoit@cisco.com>, "rats@ietf.org" <rats@ietf.org>, Giridhar Mandyam <mandyam@qti.qualcomm.com>
Thread-Topic: [Rats] Call for Adoption: EAT draft
Thread-Index: AQHVGii4LOcmRmM7REq+/VWKhsku3g==
Date: Mon, 03 Jun 2019 16:23:49 +0000
Message-ID: <HE1PR0801MB16436E72BBD6D691A84BAE2EEF140@HE1PR0801MB1643.eurprd08.prod.outlook.com>
References: <CAHbuEH6Mdwp+neWbcecA-pMYZoXKiNda2A0EnMh-8WX=W9_edA@mail.gmail.com> <DM6PR11MB408939CC9EA79D479B76586DA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <E09EB1B2-ED56-4F1B-8D80-BF0D227199A3@island-resort.com> <82b0a75e5b5645d1a43d240373bca6dc@NASANEXM01C.na.qualcomm.com> <DM6PR11MB4089DAD248EEAAF9F92F2C0AA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <50ddca72a9074e229976ca88f78e340a@NASANEXM01C.na.qualcomm.com> <DM6PR11MB4089BF4C3F319894DAE8722AA11E0@DM6PR11MB4089.namprd11.prod.outlook.com> <175ea22d1a1948d48f8180424cc89ec0@NASANEXM01C.na.qualcomm.com> <VI1PR08MB5360CE8EFA93515A140D30F2FA180@VI1PR08MB5360.eurprd08.prod.outlook.com> <DM6PR11MB408967D6E5EF0A355CF0D60BA1180@DM6PR11MB4089.namprd11.prod.outlook.com> <D53ECF26-E2F5-4BD5-A81F-BBE1AEEB4541@island-resort.com> <VI1PR08MB5360919E4669734878D75F6EFA190@VI1PR08MB5360.eurprd08.prod.outlook.com> <VI1PR08MB53608BBD4BC156012237D3C6FA190@VI1PR08MB5360.eurprd08.prod.outlook.com> <a811aa42-edee-a3c1-0a73-284f088dca6a@sit.fraunhofer.de> <4A0EA92C-80B3-471A-B61D-D9433BE81346@island-resort.com>
In-Reply-To: <4A0EA92C-80B3-471A-B61D-D9433BE81346@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/eZM584hpxKtmpqg1vsoZF1n9cpM>

> Also, if you haven’t looked at the registered JWT claims, it’s worth checking out: https://www.iana.org/assignments/jwt/jwt.xhtml. Am also curious what people think of bringing them into CWT and especially how we avoid conflicting duplication between CWT and JWT.

When I look at the JWT registry, it looks like an opportunity lost. It’s a mix of claims that could be generalised for reuse, e.g. there are multiple claims iat / auth_time and maybe also toe for time-something-happened, while other claims will always be specific to a single use case. One of the great appeals of EAT is that it offers a standard set of claims while everything else is custom to a use case. As several discussions have indicated, there are several information sets that lend themselves to new standard claims. For example, a chunk of the JWT OpenID claims would make a very useful ‘Person’ standard set. I know not all cases can be captured in standard sets but not having them encourages duplication without reuse.

If the registry included the information for a specific use case to register a custom claim key range and a reference / authority URL where those definitions can be tracked, that might encourage implementations to use both the standard & specific claim sets.

Thanks
Simon

From: Laurence Lundblade <lgl@island-resort.com>
Sent: 02 June 2019 11:33
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Eric Voit (evoit) <evoit@cisco.com>; rats@ietf.org; Giridhar Mandyam <mandyam@qti.qualcomm.com>
Subject: Re: [Rats] Call for Adoption: EAT draft

I think it makes sense to separate into two:

1) New rules and advice for registering CWT/JWT claims
2) A basic set of attestation-related claims this WG will define

To go on about 1), it seems we are expanding CWT/JWT from just being auth tokens to also being attestation tokens and also identity certs (draft-birkholz-core-coid-01) and maybe X.509 replacements. This seems like mostly a good idea to me. It will be super cool that code can be shared by all of these for example. Lots of claims will overlap which is good too.

So I don’t think it makes sense to talk about "expert review of EAT claims". Rather we should talk about "expert review of CWT/JWT claims" and how it should be different than it is now.

Also, if you haven’t looked at the registered JWT claims, it’s worth checking out: https://www.iana.org/assignments/jwt/jwt.xhtml. Am also curious what people think of bringing them into CWT and especially how we avoid conflicting duplication between CWT and JWT.


To say more about 2), it seems we should really work to come up with a nice, well-thought-out, medium-sized, coherent set of claims for attestation and put them in an RFC. This is roughly what the EAT draft is.

LL


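The thread turns on two mechanics: which registration policy governs a given CWT claim key, and how the claims CWT already shares with JWT line up so an implementation does not duplicate them. The following is an added example, not code from this thread or from any EAT implementation, that encodes both as a pre-signing check on a claim set. The registration ranges are those of the CWT Claims registry in RFC 8392 section 9.1, and the seven shared claims (iss, sub, aud, exp, nbf, iat, cti) are from RFC 8392 section 4.1. EAT's own claims had no assigned keys at the time of this thread, so none are included; the custom claims, the private-use key chosen for one of them, and the sample claim set are constructed for the example.

```python
"""Registration-range check for CWT claim keys, plus the JWT <-> CWT
mapping of the registered claims the two token formats share.

Added example; not code from the RATS thread or from an EAT implementation.
Ranges: RFC 8392 section 9.1 (CWT Claims registry).
Shared standard claims: RFC 8392 section 4.1.
The custom claims, their private-use key and EXAMPLE_CLAIMS are constructed.
"""

# RFC 8392 section 4.1: the claims CWT shares with JWT, keyed by integer in
# CWT. JWT's "jti" is renamed "cti" in CWT; every other name is unchanged.
STANDARD_CLAIMS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4,
                   "nbf": 5, "iat": 6, "cti": 7}
JWT_ALIASES = {"jti": "cti"}


def registration_policy(key):
    """Return the RFC 8392 registration policy that governs a CWT claim key.

    Integer keys: -256..255 Standards Action; -65536..-257 and 256..65535
    Specification Required; > 65535 Expert Review; < -65536 Private Use.
    Text keys: length 1 Standards Action, length 2 Specification Required,
    longer Expert Review. There is no private-use range for text keys.
    """
    if isinstance(key, bool) or not isinstance(key, (int, str)):
        raise TypeError("CWT claim keys are integers or text strings")
    if isinstance(key, str):
        if len(key) == 1:
            return "Standards Action"
        if len(key) == 2:
            return "Specification Required"
        return "Expert Review"
    if -256 <= key <= 255:
        return "Standards Action"
    if -65536 <= key <= -257 or 256 <= key <= 65535:
        return "Specification Required"
    if key > 65535:
        return "Expert Review"
    return "Private Use"


def check_claim_set(claims, registered):
    """Flag keys that sit in a registry-managed range without being registered.

    `registered` is the set of integer keys the caller treats as assigned
    (below: the RFC 8392 standard claims). An unregistered key is acceptable
    only in the Private Use range; anything else squats on a value IANA may
    later assign to a different claim. Returns a list of (key, policy).
    """
    problems = []
    for key in claims:
        policy = registration_policy(key)
        if isinstance(key, int) and key in registered:
            continue
        if policy != "Private Use":
            problems.append((key, policy))
    return problems


def jwt_to_cwt(jwt_claims):
    """Map a JWT claim set onto CWT integer keys where a shared claim exists.

    Names without a CWT counterpart are kept as text keys (RFC 8392 permits
    text keys), so check_claim_set can report their registration status
    instead of the caller silently inventing an integer for them.
    """
    cwt = {}
    for name, value in jwt_claims.items():
        name = JWT_ALIASES.get(name, name)
        cwt[STANDARD_CLAIMS.get(name, name)] = value
    return cwt


# Constructed sample: an attestation-style claim set mixing the standard
# claims with two custom ones. CUSTOM_BOOT_STATE is an assumed private-use
# key; 300 is deliberately placed in the Specification Required range.
CUSTOM_BOOT_STATE = -70000
EXAMPLE_CLAIMS = {
    1: "https://attester.example",   # iss
    6: 1559579029,                    # iat (constructed timestamp)
    7: b"\x01\x02\x03\x04",           # cti
    CUSTOM_BOOT_STATE: "secure",      # Private Use: fine without registration
    300: "vendor-model",              # unregistered, not Private Use: flagged
}

if __name__ == "__main__":
    for key, policy in check_claim_set(EXAMPLE_CLAIMS, set(STANDARD_CLAIMS.values())):
        print(f"claim key {key!r} needs registration ({policy})")
```

Run as a script it reports only key 300; the private-use key passes, and a JWT claim set carrying an unregistered text name such as "nonce" surfaces as Expert Review rather than being mapped onto an integer that a later registration could collide with.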