Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
Ben Campbell <ben@nostrum.com> Sun, 08 September 2019 05:29 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76C7912004A for <stir@ietfa.amsl.com>; Sat, 7 Sep 2019 22:29:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HoxVbszLOPz6 for <stir@ietfa.amsl.com>; Sat, 7 Sep 2019 22:29:00 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E94A7120077 for <stir@ietf.org>; Sat, 7 Sep 2019 22:28:59 -0700 (PDT)
Received: from [192.168.127.245] (cpe-66-25-20-105.tx.res.rr.com [66.25.20.105]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x885SwsK085085 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <stir@ietf.org>; Sun, 8 Sep 2019 00:28:59 -0500 (CDT) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1567920539; bh=OKWVBX8BtbmiLMaGHRYZ//uHZuKt0F9KqPbAR+P55l4=; h=From:Date:Subject:References:In-Reply-To:To; b=rJHElc2G04SYoBJCZQjaOmcg8hszLILTCXc54FW2xUerc4Fh1DODz7BTJOteoc4NK BGdhhptD/lNSjrBdhN1iB/CeUGFvYf3oimQp5D9zwhe/cyUTKOxI03j8HdQx7PSZWy nc8hYjaux/+epd4iX1zpXEx0ZvQAqD50LOWS33pU=
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-20-105.tx.res.rr.com [66.25.20.105] claimed to be [192.168.127.245]
From: Ben Campbell <ben@nostrum.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Sun, 08 Sep 2019 00:28:52 -0500
Message-Id: <549EB9C4-A4AA-4C8F-976A-FA3E442072C9@nostrum.com>
References: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com> <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com>
In-Reply-To: <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com>
To: stir@ietf.org
X-Mailer: iPad Mail (16G77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/0brmgFZ8yzXhJcJ6jupOL7Z-mfw>
Subject: Re: [stir] Questions on the draft-ietf-stir-passport-rcd-04 integrity mechanism
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Sep 2019 05:29:03 -0000
Oops, I also left “rcd” out of the subject. Fixed. > On Sep 7, 2019, at 11:50 AM, Ben Campbell <ben@nostrum.com> wrote: > > Minor correction below: > >> On Sep 6, 2019, at 4:31 PM, Ben Campbell <ben@nostrum.com> wrote: >> >> Signed PGP part >> Hi, >> >> I have a couple of high level questions about the new integrity mechanism in draft-ietf-stir-passport-04. Apologies if these have already been discussed. >> >> 1) Do I understand correctly that the certificate used to sign a PASSporT with an rcdi claim MUST include a constraint for the _value_ of the digest? That is, if someone makes any change to any of the information they would normally include in an rcd claim, the signing party must get a new cert? >> >> My concern is that, for good or bad, commercial callers really like to control the customer experience. Many like to change things up all the time. I can imagine things like special date-specific logos (e.g. Google doodles), “sale” badges on logos, distinctive branding for different “campaigns”, etc. I realize things like ACME make the process of getting a new cert lighter weight than it used to be, but is it reasonable to require a new cert for any change? >> >> This might be worse for third-party signers who may sign on behalf of many callers, each of which keeps changing things. >> >> 2) If I understand correctly, if anything in the rcd claim includes a URL, the rcdi claim incorporates the associated content. What about URLs? > > Uhm, I meant to say additional URLs > >> For example, lets say a jcl key links to a jCard, and that jCard has a LOGO element with a URI? Is the alleged logo content at that URI protected? >> >> I assume the answer is that the answer is no; otherwise it could be URLs all the way down and we have to stop somewhere. This is probably a matter of signer or issuer) policy. If so, it might be worth having some operational guidance that they need to think about such things. >> >> >> >> >> >
- [stir] Questions on the draft-ietf-stir-passport-… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- [stir] draft-ietf-stir-passport-rcd-04 Russ Housley
- Re: [stir] Questions on the draft-ietf-stir-passp… Chris Wendt
- Re: [stir] draft-ietf-stir-passport-rcd-04 Chris Wendt
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Peterson, Jon
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Chris Wendt
- Re: [stir] Questions on the draft-ietf-stir-passp… Eric Burger