Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 13 November 2019 11:55 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2768D12086B for <rats@ietfa.amsl.com>; Wed, 13 Nov 2019 03:55:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gtmv3qgUUMlT for <rats@ietfa.amsl.com>; Wed, 13 Nov 2019 03:55:39 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C09AA12029C for <rats@ietf.org>; Wed, 13 Nov 2019 03:55:37 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xADBtYTO019954 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 13 Nov 2019 12:55:35 +0100
Received: from [192.168.16.50] (79.234.112.245) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 13 Nov 2019 12:55:29 +0100
To: =?UTF-8?B?U2Now7Zud8OkbGRlciwgSsO8cmdlbg==?= <J.Schoenwaelder@jacobs-university.de>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>, Laurence Lundblade <lgl@island-resort.com>
References: <C3AE2645-49C8-4313-BCED-02FEB576B614@cisco.com> <1C8A1884-A37D-45E3-8C11-2FC5A083B245@island-resort.com> <ba12a686-1b34-21a3-388c-bbe01c01a408@sandelman.ca> <4A83CDF5-D29F-4279-8B03-E9D23299EB53@island-resort.com> <0C6940B0-E93F-4274-9D00-DEC4119B8F69@island-resort.com> <85c7c287-48e3-83e7-900e-8e50ce43eba3@sandelman.ca> <147FEACA-56F0-43A0-8F25-639D0613E4BD@island-resort.com> <22fd43c8-7d6e-2dd8-c29a-aa86ee894ff6@sandelman.ca> <20191113111416.22xikah475zyxdro@anna.jacobs.jacobs-university.de> <b788928f-b95b-9bed-954c-0fc8cfd46119@sit.fraunhofer.de> <20191113114441.76bxnne3d7x3vmut@anna.jacobs.jacobs-university.de>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <e7a56586-0392-8371-32c7-18bbdc07e25f@sit.fraunhofer.de>
Date: Wed, 13 Nov 2019 12:55:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <20191113114441.76bxnne3d7x3vmut@anna.jacobs.jacobs-university.de>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.234.112.245]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/xikglPYjNOmumAQVEl8CkKTnIrA>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 11:55:44 -0000

Please find comments and replies in-line.

On 13.11.19 12:44, Schönwälder, Jürgen wrote:
> On Wed, Nov 13, 2019 at 12:25:21PM +0100, Henk Birkholz wrote:
>> One reason for this - and I tried to express that carefully - is that just
>> using the word "token" could be very confusing. We are using "Claim" as a
>> synonym to "Assertion" at the moment. Outside of the IETF that makes a lot
>> of sense. Inside the IETF, we still have to be a bit careful here, as
>> "Claim" is well defined in Web Tokens - and it is a data model term
>> (basically: a specific key value representation).
> 
> I looked into JWT and I think I roughly know what they mean by claim.
> Now we have "assertion" (also not defined in your architecture draft).
> Hmm.

Yes. I am sorry it is this way. If you have a look at ITU-T 1252 Section 
6.6 (free reference here: 
https://www.itu.int/SG-CP/example_docs/ITU-T-REC/ITU-T-REC_E.pdf) it is 
not that bad. But that is "outside IETF". Not every Attestation 
Evidence, Endorsement or (let's not call it Reference Value to address 
Dave's comment, but) Appraisal Policy? is using "Web Token Claims", they 
all use Assertions. We will add text that highlights that in the scope 
of the architecture these are synonyms and not the Web Token Claims.

>   
>> An EAT is a CWT (or JWT, not the point). So both are Claim sets that compose
>> tokens. The architecture is intended to be representation (I am using this
>> term to dance around the sanity rending serialization/encoding words, and to
>> spare Rich some of the pain) agnostic. Claims in the architecture are
>> therefore representation agnostic, too. Claims in tokens - by RFC definition
>> - are not.
> 
> To me, it seemed like in JWT, we have 'sets of claims' and then these
> claim sets are serialized into a string representation ('serialized
> sets of claims') and the serialization is finally digitally signed and
> encrypted, giving us a token. This works for me.
> 
> The notion of "claim sets that compose token" confuses me. If I compose
> token, I get a "set of tokens". Yes, indirectly I get also a union(?)
> of the claim sets included in the tokens.

Bad wording. Readability. My weak spot as it seems. What I meant was 
that (literally) a set of Claims in a JSON object compose a Web Token. 
Very simple nothing more :) I think we mean the same. Please correct me, 
if I am wrong.

> 
> Anyway, we need to get terminology worked out or we will not
> understand what we are doing or worse we agree on something but
> people interpret the agreement differently...

We are in wild agreement here.

> 
>> I am not a super big fan of this compromise, but it found consensus, removed
>> a blocker, and we were able to progress.
> 
> Progress is when we all agree on the same thing.

There was. At some point. If it is not anymore, we can make this an 
issue in the upcoming converged architecture I-D.

> 
> /js
> 

Viele Grüße,

Henk