Re: [stir] Éric Vyncke's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT)

Russ Housley <housley@vigilsec.com> Fri, 25 June 2021 15:19 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Fri, 25 Jun 2021 11:19:07 -0400
Cc: IESG <iesg@ietf.org>, IETF STIR Mail List <stir@ietf.org>, Robert Sparks <rjsparks@nostrum.com>, Ben Campbell <ben@nostrum.com>
To: Eric Vyncke <evyncke@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/31D9wH06JXnZ89WVYUK8sPpL5W0>

> On Jun 25, 2021, at 11:04 AM, Éric Vyncke via Datatracker <noreply@ietf.org> wrote:
> 
> Éric Vyncke has entered the following ballot position for
> draft-ietf-stir-enhance-rfc8226-03: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-stir-enhance-rfc8226/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you for the work put into this document.
> 
> Please find below some non-blocking COMMENT points (but replies would be
> appreciated).
> 
> I hope that this helps to improve the document,
> 
> Regards,
> 
> -éric
> 
> == COMMENTS ==
> 
> -- Abstract --
> "This document updates RFC 8226 to define an additional way that the JWT claims
> can be constrained" at first sight, it is unclear whether the change adds a
> constraint or presents another set of constraints (maybe it is a
> non-English native issue...). The introduction clarifies the ambiguity but the
> abstract should stand alone.

Does this updated Abstract resolve your non-blocking concern?

   RFC 8226 specifies the use of certificates for Secure Telephone
   Identity Credentials, and these certificates are often called "STIR
   Certificates".  RFC 8226 provides a certificate extension to
   constrain the JSON Web Token (JWT) claims that can be included in the
   Personal Assertion Token (PASSporT) as defined in RFC 8225.  If the
   PASSporT signer includes a JWT claim outside the constraint
   boundaries, then the PASSporT recipient will reject the entire
   PASSporT.  This document updates RFC 8226; it provides all of the
   capabilities available in the original certificate extension as well
   as an additional way to constrain the allowable JWT claims.  The
   enhanced extension can also provide a list of claims that are not
   allowed to be included in the PASSporT.

> -- Section 3 --
> Suggest to be consistent with the use of double quotes in <to the iat, orig,
> and dest claims.  The baseline PASSporT claims ("iat", "orig", and "dest")>.

This was raised during Last Call, and the current quotes are consistent with RFC 8225 and RFC 8226.

> -- Section 7 --
> Wondering whether a reference to RFC4949 is required for "renewal".

Someone asked for a reference at some point along the way.  There are other early documents from the PKIX WG that also define the term, but RFC 4949 seemed to have the least baggage.

Russ
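As an added illustration, not part of this thread or of the draft's own text, the rejection rule the revised abstract describes, modelled in Python: a PASSporT is accepted only if every constraint in the certificate extension holds, and a claim outside the constraint boundaries (or on the not-allowed list) rejects the whole token. The three field names (mustInclude, permittedValues, mustExclude) mirror the draft's ASN.1 structure, which this page does not spell out, and the sample claims are constructed.

```python
from dataclasses import dataclass, field
from typing import Any


@dataclass
class EnhancedJWTClaimConstraints:
    """Constructed model of the enhanced extension.  Field names mirror the
    draft's ASN.1 (mustInclude / permittedValues / mustExclude); this is an
    assumption, the thread itself does not list them."""
    must_include: list[str] = field(default_factory=list)
    permitted_values: dict[str, list[Any]] = field(default_factory=dict)
    must_exclude: list[str] = field(default_factory=list)


def check_passport_claims(claims: dict, ext: EnhancedJWTClaimConstraints):
    """Return (True, None) if the PASSporT claims satisfy every constraint,
    otherwise (False, reason).  A single violation rejects the entire
    PASSporT, as the abstract states."""
    for name in ext.must_include:
        if name not in claims:
            return False, f"required claim {name!r} is missing"
    for name, allowed in ext.permitted_values.items():
        # permittedValues restricts only a claim that is actually present;
        # whether it must be present is decided by mustInclude, not here.
        if name in claims and claims[name] not in allowed:
            return False, f"claim {name!r} has value {claims[name]!r} outside the permitted set"
    for name in ext.must_exclude:
        # The addition the enhanced extension brings: an explicit deny list.
        if name in claims:
            return False, f"claim {name!r} is not allowed in this PASSporT"
    return True, None


# Constructed sample policy: baseline claims required, a hypothetical
# "confidence" claim limited to two values, and "div" (the diversion
# PASSporT claim) forbidden for this certificate.
SAMPLE_CONSTRAINTS = EnhancedJWTClaimConstraints(
    must_include=["iat", "orig", "dest"],
    permitted_values={"confidence": ["high", "medium"]},
    must_exclude=["div"],
)

# Constructed PASSporT claim set that satisfies the sample policy.
SAMPLE_CLAIMS = {
    "iat": 1624633489,
    "orig": {"tn": "12155551212"},
    "dest": {"tn": ["12155551213"]},
    "confidence": "high",
}
```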