IETF Logo Mail Archive

Re: [Rats] [EXTERNAL] Re: EAT IANA registry

Laurence Lundblade <lgl@island-resort.com> Thu, 28 November 2019 06:12 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13FA51201EF for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 22:12:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkeMTMveElz4 for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 22:12:35 -0800 (PST)
Received: from p3plsmtpa11-09.prod.phx3.secureserver.net (p3plsmtpa11-09.prod.phx3.secureserver.net [68.178.252.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E36AF12006D for <rats@ietf.org>; Wed, 27 Nov 2019 22:12:34 -0800 (PST)
Received: from [10.86.0.58] ([45.56.150.43]) by :SMTPAUTH: with ESMTPA id aD2XiuDDhXX5FaD2YiI9J5; Wed, 27 Nov 2019 23:12:34 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <7997E9C5-AC5E-4092-B556-0002DAD2B274@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6A9849C8-E2EB-4E25-8D7C-07BA21136569"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 27 Nov 2019 22:12:33 -0800
In-Reply-To: <28117100-32D0-40D2-81B8-89D1345B34FF@gmail.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, Benjamin Kaduk <kaduk@mit.edu>, "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <D2CF9D31-057E-4B47-A3D0-08BBBF997F47@gmail.com> <VI1PR08MB53605A2A2E61E6EAE2609FECFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <09C4F36B-C9CE-44DF-9DF8-F3365A7E3053@gmail.com> <53C13986-A523-4349-BDC3-F8ACC2BCFD29@island-resort.com> <DM6PR00MB05697456BC04AC34B156850DF54B0@DM6PR00MB0569.namprd00.prod.outlook.com> <20191127031910.GF32847@mit.edu> <CFF55BD3-66F8-485A-9AF5-1DD38B5F444C@island-resort.com> <ECA98A18-0E4B-4C51-AFE4-FB84E61AC809@gmail.com> <MN2PR00MB057424C20F7549E74C4590B8F5440@MN2PR00MB0574.namprd00.prod.outlook.com> <28117100-32D0-40D2-81B8-89D1345B34FF@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfFvSJq52nUwJcy0V4RsaQosHsLTWLZ4KkZzGjBdwnnMjbTK9zunCv8RTzOVhahOim5B08Itau+PgPfhL2J6V4Mk5m0CNdyZcaaBCXG6DzcpP/FrmFrGF aMdK3ypgctgahCgZHgkem3YmcrBb09T0U/97yzY7PgkBuZi5aLFPozhJJNom3T1K1bnwDPsgZs3ZvYGWfgnRozN2iHWClE1bZZk2HNtXg6U/u3fKbeou8eVf sv2qrnDBiiznVi7iGV4gDuqZMRnLfqqQpYKj2WPaPfUgxSvf57WbaArCOG4nZs91
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/mzj_i9b5Mgrf1POqanRT8k0gkLI>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 06:12:37 -0000

A separate EAT registry doesn’t seem like it will solve the issues being brought up.

You’re still going to have the problem of people registering all sorts of things like they have for JWT unless you put in place some more stringent rules about expert review and such. JWT already the most stringent qualification common in the IETF for a new claim short of standards action. (CWT seems not to be widely used yet so it has less than 10 claims, most of which overlap with EAT.)

You’re still going to have very specific things like the foobar-transaction that are not general purpose. A separate EAT registry doesn’t solve that.

Some sort of profile / context seems highly likely to be necessary to narrow EAT when applied to specific use cases. That seems to be the place to address these concerns. Here’s some profiles I can imagine.
   - FIDO Alliance defines how EAT is integrated into FIDO with a FIDO-specific document, probably published outside the IETF
   - Android keystore documentation says how EAT fields apply to Android attestation
   - ARM and Qualcomm have already published their PSA attestation as IETF drafts
   - I hear rumors that Global Platform might have their TEE-related set

LL


> On Nov 27, 2019, at 1:27 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> 
> Hi Mike,
>  
> To me this is a perfect counter-example: it is so generic as to be non-reusable. When used in an attestation, the verifier will want to have well defined syntax and semantics for what is attested, in this case a certain transaction. Here we don’t know what kind of a transaction this is (semantics) and how to interpret the transaction identifier (syntax).
>  
> If some particular environment wants to define claims for a particular, private kind of transaction, let’s make it easy for them to define their own, very specific foobar-transaction.
>  
> Thanks,
>                 Yaron
>  
> From: Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
> Date: Wednesday, November 27, 2019 at 23:04
> To: Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>>, Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>, Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>
> Cc: "rats@ietf.org <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>>, Hannes Tschofenig <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>>
> Subject: RE: [Rats] [EXTERNAL] Re: EAT IANA registry
>  
> The point of having a common JWT Claims registry is to enable future specifications to benefit from reusing applicable claims registered by past specifications.  For instance, the Security Event Token [RFC 8417 <https://tools.ietf.org/html/rfc8417>] specification recently registered this general-purpose claim:
>    o  Claim Name: "txn"
>    o  Claim Description: Transaction Identifier
>    o  Change Controller: IESG
>    o  Specification Document(s): Section 2.2 of [RFC8417] <https://tools.ietf.org/html/rfc8417#section-2.2>
>  
> That made it available to EAT and other future specifications using JWTs.  If it had instead put it into its own registry, the potential for reuse would have been lost.
>  
> Let’s likewise let future specs benefit from EAT-defined claims by putting them in the normal IANA JWT Claims registry.
>  
>                                                        -- Mike
>  
> From: Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>> 
> Sent: Wednesday, November 27, 2019 7:54 AM
> To: Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>; Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>
> Cc: Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>; rats@ietf.org <mailto:rats@ietf.org>; Hannes Tschofenig <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>>
> Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
>  
> To put it into perspective, there are already 57 claims registered [1]. So even if 7 claims overlap, this is a relatively *small* number. IMO there is high value in a separate namespace for EAT claims, and the standard way to create such a namespace in JSON is exactly as Ben is proposing.
>  
> Thanks,
>                 Yaron
>  
> [1] https://www.iana.org/assignments/jwt/jwt.xhtml <https://www.iana.org/assignments/jwt/jwt.xhtml>
>  
> From: Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>
> Date: Wednesday, November 27, 2019 at 06:39
> To: Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>
> Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org <mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>>, Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>>, "rats@ietf.org <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>>, Hannes Tschofenig <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>>
> Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
>  
>  
>> On Nov 26, 2019, at 7:19 PM, Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>> wrote:
>>  
>> ...but I'm not sure that "avoiding duplicates"
>> would apply to a proposal that makes a single JWT/CWT claim for "EAT data"
>> and puts the attestation claims in a map as the value for that "EAT data"
>> claim.  What existing JWT/CWT claims would duplicate the potential contents
>> of the EAT data fields?
> 
>  
> That is an interesting thought — put all of EAT into one JWT/CWT claim that is a map. Other’s have mentioned it to me. It would let EAT re use the most compact integer CBOR integer labels.
>  
> Right now we re use the following claims from JWT or CWT by normative reference:
> - nonce
> - Token ID cti/jti
> - Time stamp (iat)
>  
> Also these JWT or CWT seem either likely or possible use in EAT:
> - cnf (proof of possession of key)
> - iss Issuer
> - expiration
> - not before
>  
> That’s a fairly large overlap which makes me disinclined to putting all of EAT into one map that is one JWT/CWT claim, separating EAT claims from CWT/JWT claims.
>  
> I’m no OAuth expert, but I wonder if some of the EAT claims might be useful for other than EAT tokens, another reason not to keep them separate.
>  
> I suspect we’re going to find at least one more use for a signed map of label-value pairs in the next few years that would be able to re use at least some of these claims — another reason to keep them in the same space.
>  
> LL
>  
>  
>  
>  
>  
>  
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>

v2.23.0 | Report a Bug | By Email