Re: [Rats] CWT and JWT are good enough?

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 17 September 2019 08:04 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 17 Sep 2019 08:03:52 +0000
Message-ID: <VI1PR08MB5360BE004BE5C6C45B738196FA8F0@VI1PR08MB5360.eurprd08.prod.outlook.com>
References: <CDC992AE-B6DB-4BAE-975F-6E2BF9ED2C97@island-resort.com> <CAHbuEH4fisaDTKOzEY2ZEfxiVyfZ4wYibdRzQUYxq4i8a8G_WQ@mail.gmail.com> <7EA14733-B470-4365-B4FA-FF2B63695464@island-resort.com> <30242.1568655684@localhost> <VI1PR08MB5360F2D6930190A12F754B6AFA8C0@VI1PR08MB5360.eurprd08.prod.outlook.com> <D41D72B8-7580-4599-982D-FC9EE00DC8DA@island-resort.com>
In-Reply-To: <D41D72B8-7580-4599-982D-FC9EE00DC8DA@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/rtKZhM7YASNQmPuA_-fdry00ajU>
Subject: Re: [Rats] CWT and JWT are good enough?
List-Id: Remote Attestation Procedures <rats.ietf.org>

Hey Laurence,

I misread. Sorry. Specification required is OK for me as well.

While there are entries in the JWT registry that don't make sense to you, that does not mean they make no sense to those who use that specification in a different context. For that reason I want to avoid having the IETF become a gatekeeper and the DEs make a judgment about what they consider useful or not.

Ciao
Hannes


-----Original Message-----
From: Laurence Lundblade <lgl@island-resort.com>
Sent: Monday, 16 September 2019 21:24
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Subject: Re: [Rats] CWT and JWT are good enough?



> On Sep 16, 2019, at 11:59 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>
>>> - All EAT claims are Specification Required. No EAT claims can be
>>> just Expert Review.
>
>> I can live with that.
>
>
> I am not OK with that. For JWTs we have been using an expert review approach and that served the committee well.
> We would like to register vendor-specific claims for use within EAT tokens and I can hardly see why anyone should have problems with it.
> Furthermore, attestation is such a special field that there is no reason to be worried about companies flooding IANA with requests.

JWT doesn’t allow Expert Review. It only allows Specification Required.

Even with that there’s plenty of stuff in the JWT registry. Some have even called it questionable.


Also, the reason I say all EAT claims must be Specification Required is to avoid the divergence between CWT and JWT. I want to avoid “well, if you were using CWT then you could use that claim, but since you are using JWT, you can’t because it is not defined” and vice versa.

Unless we go out of our way, anyone can register a CWT claim under Expert Review only. They just can't register it under JWT until they publish a Specification so they can get to the Specification Required level.

LL

