Re: [Rats] CWT and JWT are good enough?

Giridhar Mandyam <mandyam@qti.qualcomm.com> Mon, 16 September 2019 18:29 UTC

From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Mon, 16 Sep 2019 18:28:54 +0000
Message-ID: <c659df8d688144029e3a027609d405f4@NASANEXM01C.na.qualcomm.com>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <b599af98-1d11-cc86-0942-4185135d5c85@gmail.com> <4D0DEE05-C66C-4BCF-B1BA-67203779F35D@island-resort.com> <5945e80b-91b0-95d7-d45e-4393ff9894d9@gmail.com> <163c0d07-aae6-2ae6-98e9-1f8830b3c690@gmail.com> <15afd05323c4465582e4a3b296f73030@NASANEXM01C.na.qualcomm.com> <926e31d3-b7e5-4537-4e8d-4addb0965b6b@gmail.com>
In-Reply-To: <926e31d3-b7e5-4537-4e8d-4addb0965b6b@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/imMrBeGWHXJQOYz6BQM5kZ_4330>
List-Id: Remote Attestation Procedures <rats.ietf.org>

> I would not base a major design decision on a single and rather unusual solution which BTW already is defined.

I understand the sentiment, and we have had this discussion on the mailing list before (e.g. https://mailarchive.ietf.org/arch/msg/rats/T1OmyXyprQ5ItvBm_9PxZ7LRrmA).  But I don't agree that CBOR should be our sole focus.

I think if we have the opportunity to define interoperable attestation formats for CBOR and JSON, it would be a mistake not to take it.  If solutions such as the SafetyNet Attestation follow our lead and evolve to supporting EAT then I think that would be a positive.

-Giri


-----Original Message-----
From: Anders Rundgren <anders.rundgren.net@gmail.com> 
Sent: Monday, September 16, 2019 11:14 AM
To: Giridhar Mandyam <mandyam@qti.qualcomm.com>; Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
Subject: Re: [Rats] CWT and JWT are good enough?

-------------------------------------------------------------------------
CAUTION: This email originated from outside of the organization.
-------------------------------------------------------------------------

On 2019-09-16 19:42, Giridhar Mandyam wrote:
> Yes, but that does not mean that JSON support is not required by Webauthn.
> 
> Webauthn allows for the Android SafetyNet attestation format - see https://www.w3.org/TR/webauthn/#android-safetynet-attestation.  And SafetyNet comes in the form of a JSON object:  https://developer.android.com/training/safetynet/attestation#compat-check-response.

I would not base a major design decision on a single and rather unusual solution which BTW already is defined.

Anders

> 
> In other words, a Webauthn RP cannot just support CBOR and hope to cover all of the deployed implementations.
> 
> -Giri Mandyam
> 
> -----Original Message-----
> From: RATS <rats-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Monday, September 16, 2019 10:33 AM
> To: Laurence Lundblade <lgl@island-resort.com>
> Cc: rats@ietf.org
> Subject: Re: [Rats] CWT and JWT are good enough?
> 
> 
> The W3C apparently came to another conclusion although they target the most JSON-friendly place there is, the Web:
> https://www.w3.org/TR/webauthn/#sctn-extension-request-parameters
> That is, WebAuthn requires CBOR.
> 
> 
> On 2019-09-16 18:35, Anders Rundgren wrote:
>> On 2019-09-16 18:29, Laurence Lundblade wrote:
>>>
>>>
>>>> On Sep 16, 2019, at 8:46 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>>
>>>> On 2019-09-16 17:30, Laurence Lundblade wrote:
>>>>> I’ve been trying to take the position to avoid even minor divergences from CWT and JWT in EAT. I wish there wasn’t inconsistency between the two, particularly in how the claims registry is handled. That inconsistency has already consumed many hours, even days, of this WG. There’s been some really long email threads about it.
>>>>> Fixing it only for EAT seems half-baked. Fixing it for all of CWT and JWT would have to go through those WGs. Seems like a lot of work. We have enough to do, so I’m inclined to live with it.
>>>>
>>>> Since everything crypto-wise in the JOSE stack anyway is covered in Base64Url, I don't see why one would bother with JWTs (or JSON at all for that matter) in EAT.
>>>
>>> Pretty sure lots of people want to be able to express claims in JSON. It is far more prevalent (so I understand) on the server side than CBOR.
>>
>> Yes, but EAT is (IMO) not comparable to "normal" applications.
>>
>>> I think there is consensus in this WG that we will support JSON and CBOR (and thus COSE and JOSE) for claims.
>>
>> Right, and it will effectively force server-side software vendors into creating TWO versions of everything.
>> That's the hallmark of design by committee :-)
>>
>> Anders
>>
>>>
>>> LL
>>>
>>
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>
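To make concrete the registry inconsistency Laurence mentions (CWT keys are integers, JWT claim names are strings, and the token-ID claim even differs in type: CWT `cti` is a byte string, JWT `jti` is text) and Anders's point that servers end up with two versions of everything, here is an added example that is not from this thread nor from any RATS/EAT draft. It emits one constructed claim set as both a JWT-style JSON payload and a CWT-style CBOR payload, then normalises either into a single claim model so that the verifier keeps one code path once decoding is done. Assumptions: only the seven claims registered by RFC 8392 are mapped to integer keys (other names pass through as text keys, which CWT permits); JWS/COSE signing is out of scope, only the payload is shown; the minimal definite-length CBOR codec is written for the example so it runs without third-party packages; the sample claim values are constructed.

```python
"""One claim set, two wire formats (JWT/JSON and CWT/CBOR), and the normalising
step that lets a verifier keep a single claim model.
Added example for the thread; assumptions: RFC 8392 registered claims only,
no signing shown, self-contained definite-length CBOR codec, constructed data."""
import json
import struct

# RFC 8392 CWT integer keys for the RFC 7519 JWT claim names.
# Type divergence to note: JWT 'jti' is text, CWT 'cti' (key 7) is bytes.
JWT_TO_CWT = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "jti": 7}

SAMPLE_CLAIMS = {                      # constructed sample, not real attestation data
    "iss": "https://attester.example",
    "sub": "device-0042",
    "exp": 1600194537,
    "iat": 1568658537,
    "jti": "n-1",
}


def _head(major, n):
    """CBOR initial bytes: 3-bit major type plus a 5-bit argument (with extension)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")


def cbor_encode(v):
    """Definite-length CBOR for ints, byte/text strings, arrays and maps."""
    if isinstance(v, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))


def _decode(d, i):
    """Decode one item at offset i; rejects indefinite lengths and truncated input."""
    major, ai = d[i] >> 5, d[i] & 0x1F
    i += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if i + size > len(d):
            raise ValueError("truncated argument")
        n, i = int.from_bytes(d[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length items are not accepted")
    if major in (2, 3):
        if i + n > len(d):
            raise ValueError("string runs past end of input")
        chunk = d[i:i + n]
        return (chunk if major == 2 else chunk.decode("utf-8")), i + n
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 4:
        items = []
        for _ in range(n):
            x, i = _decode(d, i)
            items.append(x)
        return items, i
    if major == 5:
        m = {}
        for _ in range(n):
            k, i = _decode(d, i)
            if k in m:
                raise ValueError("duplicate map key %r" % (k,))
            val, i = _decode(d, i)
            m[k] = val
        return m, i
    raise ValueError("unsupported major type %d" % major)


def cbor_decode(data):
    v, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v


def normalize(payload, media_type):
    """Map either wire format onto one claim model keyed by CWT integer keys."""
    if media_type == "application/cbor":
        claims = cbor_decode(payload)
    elif media_type == "application/json":
        claims = {}
        for name, value in json.loads(payload.decode("utf-8")).items():
            if name == "jti":
                value = value.encode("utf-8")   # align JWT text 'jti' with CWT bytes 'cti'
            claims[JWT_TO_CWT.get(name, name)] = value
    else:
        raise ValueError("unknown media type %r" % media_type)
    if not isinstance(claims, dict):
        raise ValueError("claim set must be a map")
    for key in (4, 5, 6):                       # exp / nbf / iat must be NumericDate ints
        if key in claims and (isinstance(claims[key], bool) or not isinstance(claims[key], int)):
            raise ValueError("claim %d must be an integer date" % key)
    return claims


def build_both(claims_by_name):
    """Emit the same claims as a JWT payload (JSON) and a CWT payload (CBOR)."""
    jwt_payload = json.dumps(claims_by_name, separators=(",", ":")).encode("utf-8")
    cwt_claims = {JWT_TO_CWT.get(n, n): (v.encode("utf-8") if n == "jti" else v)
                  for n, v in claims_by_name.items()}
    return jwt_payload, cbor_encode(cwt_claims)


if __name__ == "__main__":
    jwt_b, cwt_b = build_both(SAMPLE_CLAIMS)
    print("JWT payload:", jwt_b.decode("utf-8"))
    print("CWT payload:", cwt_b.hex())
    print("same claim model:", normalize(jwt_b, "application/json") == normalize(cwt_b, "application/cbor"))
```

The point of the adapter is that the "two versions of everything" collapses to one small mapping table plus the two decoders; everything after `normalize()` (freshness checks on `exp`/`iat`, policy on `iss`/`sub`) is written once. The one design decision the adapter cannot hide is the `cti`/`jti` type split, which a profile such as EAT has to settle explicitly; the example resolves it by treating the JWT string's UTF-8 bytes as the canonical form, an assumption rather than anything the drafts prescribe.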