Re: [Rats] [EXTERNAL] Re: EAT IANA registry
Mike Jones <Michael.Jones@microsoft.com> Wed, 27 November 2019 22:22 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E370120ACB for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 14:22:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 697Qb2AAY3hN for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 14:22:51 -0800 (PST)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650136.outbound.protection.outlook.com [40.107.65.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1EAC1200E3 for <rats@ietf.org>; Wed, 27 Nov 2019 14:22:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fWlG1vrjsfXN1+0DuE+IG1ANxjttBfO1ZDoXDAO9qUqeT9xVvZ8SypyielKLD8ZSD+8Mrim7mtbCqYgVEXa4CfvxvKT1VYDIORS1ao3Egk8r9vReMVsmacjxvg1KzsdA2jEPzQhpxNTkIEHxeJHTkEFXrIov4QfjLJA7gTZGKeIhg9Nb+6WOfAIBvDQAYRivda8SD2xBsbhvh03J+EBI083ZpUvRVV2Ai+cun7Ms5+Mx2Iz7i2zP3u7jT6pN9WMPQegFLYnB0peh8zT/tmxbQSRBwYvkNLnU46nPQoOQPmYOewyxRm4FvCxeNbqPf5GO1syqK/K+L14RCFoM7WNobQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u/hPI7sT/cU/nygyhyjG89s13nfpxBV8sQ55qqR2faI=; b=IP3uGsPNrk+lHNSL8RK8ufvuGiuSoCQ847BlFMAkbgKnR0+4qrEtpHYl1XHCKHsAlKGoojiUPNONtWmT8mNGOHr32JFMcPFElNIyWLW93KKYY6A69M5jlFL2Y3bF1XMZyAQsWwa61J7jUKktuP6KtYaPy/c0k3iFkdsJLaCVe44qLcZYwVq384T815DLRR95i62D+Gyh7oMTfWI5OwSdxNbDIDLyaEZBmV7/ZRczKaaH5wYWdWZrg2yOjjdSrELpGWH/7pR8+qcI8Q4hLMwIdvXACQG4ABCJOREbxJHwsD/BstioLgkZZvhocXmUs/EtONT+BOgrCiJMxSDPJm5wpw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u/hPI7sT/cU/nygyhyjG89s13nfpxBV8sQ55qqR2faI=; b=c4vuGidiAMCXAleBCw77NjJ01QfgrRjuvvteNoQqsJynmUEA1jBJjH0lzp2zYL8zVgN7PzWxkNhUWmBb5G4HB5cWe7DJevaV2z0WfJMVfuTxnYAF1IrV2e9OwJfxXZlqQZ012Sn4RBJzSHMkejvhKPGhkxVsBa2jpDF7Nu+JcQU=
Received: from MN2PR00MB0574.namprd00.prod.outlook.com (20.178.255.147) by MN2PR00MB0719.namprd00.prod.outlook.com (52.135.48.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2528.0; Wed, 27 Nov 2019 22:22:46 +0000
Received: from MN2PR00MB0574.namprd00.prod.outlook.com ([fe80::9d3d:62e9:e933:bb70]) by MN2PR00MB0574.namprd00.prod.outlook.com ([fe80::9d3d:62e9:e933:bb70%9]) with mapi id 15.20.2536.000; Wed, 27 Nov 2019 22:22:46 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "rats@ietf.org" <rats@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Thread-Topic: [Rats] [EXTERNAL] Re: EAT IANA registry
Thread-Index: AQHVpNF3tjUEO7PdBkKzZ6PhH0P0Q6eeb6WAgAC8WwCAAFVuwIAAB9MAgAAOonA=
Date: Wed, 27 Nov 2019 22:22:46 +0000
Message-ID: <MN2PR00MB057409B95526972BD49DDDA9F5440@MN2PR00MB0574.namprd00.prod.outlook.com>
References: <D2CF9D31-057E-4B47-A3D0-08BBBF997F47@gmail.com> <VI1PR08MB53605A2A2E61E6EAE2609FECFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <09C4F36B-C9CE-44DF-9DF8-F3365A7E3053@gmail.com> <53C13986-A523-4349-BDC3-F8ACC2BCFD29@island-resort.com> <DM6PR00MB05697456BC04AC34B156850DF54B0@DM6PR00MB0569.namprd00.prod.outlook.com> <20191127031910.GF32847@mit.edu> <CFF55BD3-66F8-485A-9AF5-1DD38B5F444C@island-resort.com> <ECA98A18-0E4B-4C51-AFE4-FB84E61AC809@gmail.com> <MN2PR00MB057424C20F7549E74C4590B8F5440@MN2PR00MB0574.namprd00.prod.outlook.com> <28117100-32D0-40D2-81B8-89D1345B34FF@gmail.com>
In-Reply-To: <28117100-32D0-40D2-81B8-89D1345B34FF@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=4629ea18-166e-4df5-b648-0000b5f86457; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-27T22:19:41Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.84.162]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: f621063f-1252-49b8-deeb-08d773885484
x-ms-traffictypediagnostic: MN2PR00MB0719:
x-microsoft-antispam-prvs: <MN2PR00MB07195F543BA4609B2174ADF2F5440@MN2PR00MB0719.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(54094003)(189003)(199004)(66446008)(54896002)(66556008)(8990500004)(81156014)(76116006)(66476007)(3846002)(6116002)(7696005)(561944003)(606006)(54906003)(229853002)(8936002)(790700001)(8676002)(64756008)(110136005)(6436002)(102836004)(2906002)(186003)(498600001)(256004)(14454004)(81166006)(53546011)(6506007)(11346002)(76176011)(10290500003)(14444005)(71190400001)(446003)(99286004)(71200400001)(6246003)(26005)(25786009)(33656002)(966005)(9686003)(55016002)(6306002)(2171002)(4326008)(74316002)(52536014)(86362001)(7736002)(10090500001)(236005)(66066001)(5660300002)(22452003)(66946007); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR00MB0719; H:MN2PR00MB0574.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: i/f3n8qb6f/KDEwwGaJlLnTwGXR1MAp5BShwJA4Il+5fsn9gOZgIlBgdtevTL/dEnxkGuavbZPIbw8+4qKrvHZkZ6cau1iHc/NLtmYMNfb4upnfvEi9e5RX4/EYXyMCKEbiYa+jkdgWLJNuSMUEQopOOyXtvkMnyauH74Z6dwBQBwbLsmjpOLCuJLAmqXeiQkKhLkXlgIfmnRBxmthEStpdDZVOv2uPnJDN0uX5kxLJkH+tf3oo3PEXPmoMy2GG2iT4JKZVq2IwxUrHvOGtJUl+bgVJF36wMqYWN4BbikTsc9RkuEAaiC+vSmvKKQnsV02f2kBTJh60Oq/IjhU85yrr5YPwK1Qw2x6SgT5v+XtP4QsnYxYQG7OPCY3aIO5U3OP1+fRWDuPMIwZ8uIvvdr3NW3Xy3XR+VC72pWEqlMrkYZNx4/cri9ELdJG2DWQLKnBglXodUvKsRwYR+NrSw1PVI+0jWdZE1/2MGGQppvaw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB057409B95526972BD49DDDA9F5440MN2PR00MB0574namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f621063f-1252-49b8-deeb-08d773885484
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 22:22:46.5046 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ogM9RI9yM4mOUnDtoJraZA6j0gJ4tiOHis28mbppjtNNspyqgmY7qcE0eSALBfmRcYcrxkcSS0HvtU5Tkb8nNg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0719
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/saBcmLHTajOs6Pk7C0UVer0SdQU>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 22:22:54 -0000
I disagree. If EAT JWTs needed a transaction ID, it would be logical and helpful to simply reuse the “txn” claim that already exists, rather defining its own. (I don’t know whether it needs one or not, but the example is still valid.) That’s possible because it’s in the registry.
This is just like EAT can reuse the “iat” (issued at) claim, because it’s in the IANA JWT Claims registry. If it weren’t, EAT would have to reinvent the wheel for all such claims, which defeats the purpose of having registries.
-- Mike
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Sent: Wednesday, November 27, 2019 1:27 PM
To: Mike Jones <Michael.Jones@microsoft.com>; Laurence Lundblade <lgl@island-resort.com>; Benjamin Kaduk <kaduk@mit.edu>
Cc: rats@ietf.org; Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
Hi Mike,
To me this is a perfect counter-example: it is so generic as to be non-reusable. When used in an attestation, the verifier will want to have well defined syntax and semantics for what is attested, in this case a certain transaction. Here we don’t know what kind of a transaction this is (semantics) and how to interpret the transaction identifier (syntax).
If some particular environment wants to define claims for a particular, private kind of transaction, let’s make it easy for them to define their own, very specific foobar-transaction.
Thanks,
Yaron
From: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Date: Wednesday, November 27, 2019 at 23:04
To: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>, Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>
Cc: "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Subject: RE: [Rats] [EXTERNAL] Re: EAT IANA registry
The point of having a common JWT Claims registry is to enable future specifications to benefit from reusing applicable claims registered by past specifications. For instance, the Security Event Token [RFC 8417<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc8417&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cad833cc0c2de4a4a335b08d7738096cc%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637104868433384141&sdata=ZAF0fffpQ0SsCPZjhvBqGYFzuPO7Y7gQ8DfiUV4pPv4%3D&reserved=0>] specification recently registered this general-purpose claim:
o Claim Name: "txn"
o Claim Description: Transaction Identifier
o Change Controller: IESG
o Specification Document(s): Section 2.2 of [RFC8417]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc8417%23section-2.2&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cad833cc0c2de4a4a335b08d7738096cc%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637104868433394096&sdata=LukA4fT9skshqZX%2BqA%2FSwAUvNxazBKGdY0x9hqUKjwE%3D&reserved=0>
That made it available to EAT and other future specifications using JWTs. If it had instead put it into its own registry, the potential for reuse would have been lost.
Let’s likewise let future specs benefit from EAT-defined claims by putting them in the normal IANA JWT Claims registry.
-- Mike
From: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>
Sent: Wednesday, November 27, 2019 7:54 AM
To: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>; Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>
Cc: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; rats@ietf.org<mailto:rats@ietf.org>; Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
To put it into perspective, there are already 57 claims registered [1]. So even if 7 claims overlap, this is a relatively *small* number. IMO there is high value in a separate namespace for EAT claims, and the standard way to create such a namespace in JSON is exactly as Ben is proposing.
Thanks,
Yaron
[1] https://www.iana.org/assignments/jwt/jwt.xhtml<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fjwt%2Fjwt.xhtml&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cad833cc0c2de4a4a335b08d7738096cc%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637104868433394096&sdata=2zmM6v47%2BRg%2FHd%2FZYlTzUGtLzuqEFl%2FHz%2FwuKt3T8w4%3D&reserved=0>
From: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>
Date: Wednesday, November 27, 2019 at 06:39
To: Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>>, Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Subject: Re: [Rats] [EXTERNAL] Re: EAT IANA registry
On Nov 26, 2019, at 7:19 PM, Benjamin Kaduk <kaduk@mit.edu<mailto:kaduk@mit.edu>> wrote:
...but I'm not sure that "avoiding duplicates"
would apply to a proposal that makes a single JWT/CWT claim for "EAT data"
and puts the attestation claims in a map as the value for that "EAT data"
claim. What existing JWT/CWT claims would duplicate the potential contents
of the EAT data fields?
That is an interesting thought — put all of EAT into one JWT/CWT claim that is a map. Other’s have mentioned it to me. It would let EAT re use the most compact integer CBOR integer labels.
Right now we re use the following claims from JWT or CWT by normative reference:
- nonce
- Token ID cti/jti
- Time stamp (iat)
Also these JWT or CWT seem either likely or possible use in EAT:
- cnf (proof of possession of key)
- iss Issuer
- expiration
- not before
That’s a fairly large overlap which makes me disinclined to putting all of EAT into one map that is one JWT/CWT claim, separating EAT claims from CWT/JWT claims.
I’m no OAuth expert, but I wonder if some of the EAT claims might be useful for other than EAT tokens, another reason not to keep them separate.
I suspect we’re going to find at least one more use for a signed map of label-value pairs in the next few years that would be able to re use at least some of these claims — another reason to keep them in the same space.
LL
- [Rats] EAT IANA registry Yaron Sheffer
- Re: [Rats] EAT IANA registry Hannes Tschofenig
- Re: [Rats] EAT IANA registry Yaron Sheffer
- Re: [Rats] EAT IANA registry Laurence Lundblade
- Re: [Rats] EAT IANA registry Yaron Sheffer
- Re: [Rats] EAT IANA registry Laurence Lundblade
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Mike Jones
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Benjamin Kaduk
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Laurence Lundblade
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Kathleen Moriarty
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Yaron Sheffer
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Mike Jones
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Yaron Sheffer
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Mike Jones
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Laurence Lundblade
- Re: [Rats] [EXTERNAL] Re: EAT IANA registry Jeremy O'Donoghue