[stir] [Technical Errata Reported] RFC8225 (5392)

RFC Errata System <rfc-editor@rfc-editor.org> Thu, 14 June 2018 20:21 UTC

To: chris-ietf@chriswendt.net, jon.peterson@neustar.biz, ben@nostrum.com, aamelnikov@fastmail.fm, adam@nostrum.com, rjsparks@nostrum.com, housley@vigilsec.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: tasveren@rbbn.com, stir@ietf.org, rfc-editor@rfc-editor.org
Message-Id: <20180614202144.3B94DB81A01@rfc-editor.org>
Date: Thu, 14 Jun 2018 13:21:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/3Kd0vGFsDjkgpN46sI7zWd2uCLE>
Subject: [stir] [Technical Errata Reported] RFC8225 (5392)

The following errata report has been submitted for RFC8225,
"PASSporT: Personal Assertion Token".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5392

--------------------------------------
Type: Technical
Reported by: Invalid "iat" content <tasveren@rbbn.com>

Section: 5.1.1

Original Text
-------------
   The JSON claim MUST include the "iat" (Issued At) claim ([RFC7519],
   Section 4.1.6).  As defined, the "iat" claim should be set to the
   date and time of issuance of the JWT and MUST indicate the date and
   time of the origination of the personal communications.  The time
   value should be of the NumericDate format as defined in [RFC7519],
   Section 2.  This is included for securing the token against replay
   and cut-and-paste attacks, as explained further in Section 10
   ("Security Considerations").
Corrected Text
--------------
   The JSON claim MUST include the "iat" (Issued At) claim ([RFC7519],
   Section 4.1.6).  As defined, the "iat" claim should be set to the
   date and time of issuance of the JWT.  The time value should be of
   the NumericDate format as defined in [RFC7519], Section 2.  This is
   included for securing the token against replay and cut-and-paste
   attacks, as explained further in Section 10 ("Security
   Considerations").

Notes
-----
It is mentioned that “iat” should be set based on issuance of JWT (which would be when PASSporT is constructed). OTOH, it is also stated that it MUST indicate the date and time of the origination of the personal communication. The former seems to be the right approach as what we would like to protect against cut-and-paste attacks is the PASSporT in the context of a particular communication session. The times for these two events are not necessarily the same/close enough to be considered the same.

RFC7519 JSON Web Token (JWT)

4.1.6.  "iat" (Issued At) Claim

   The "iat" (issued at) claim identifies the time at which the JWT was
   issued.  This claim can be used to determine the age of the JWT.  Its
   value MUST be a number containing a NumericDate value.  Use of this
   claim is OPTIONAL.

This text clearly states that “iat” is for the generation time of JWS.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8225 (draft-ietf-stir-passport-11)
--------------------------------------
Title               : PASSporT: Personal Assertion Token
Publication Date    : February 2018
Author(s)           : C. Wendt, J. Peterson
Category            : PROPOSED STANDARD
Source              : Secure Telephone Identity Revisited
Area                : Applications and Real-Time
Stream              : IETF
Verifying Party     : IESG
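The "iat" freshness check that the quoted RFC text motivates (protection against replay and cut-and-paste of a PASSporT), as an added example that is not part of the errata report, of RFC 8225, or of any implementation: it builds a minimal PASSporT payload with "iat" as an RFC 7519 NumericDate (integer seconds since the Unix epoch) and runs a verifier-side check that rejects a token whose "iat" is missing, not numeric, in the future, or older than a freshness window. The 60-second window, the 5-second clock-skew allowance, the fixed "now", the telephone numbers and the x5u URL are constructed for the example and are not values taken from RFC 8225; signature generation and verification (ES256 in PASSporT) are deliberately left out so that the example runs offline.

```python
"""Added example: "iat" (Issued At) as a NumericDate and a verifier-side
freshness check for a PASSporT payload. Not code from RFC 8225 or the
errata report; policy constants below are assumptions for illustration."""
import base64
import json
from typing import Tuple

# Assumed verifier policy (not specified by RFC 8225).
MAX_AGE_SECONDS = 60      # tokens older than this are treated as replays
CLOCK_SKEW_SECONDS = 5    # tolerate "iat" slightly ahead of the verifier's clock


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_passport_payload(orig_tn: str, dest_tn: str, issued_at: int) -> dict:
    """Minimal PASSporT payload (orig/dest/iat); numbers are constructed samples."""
    return {
        "orig": {"tn": orig_tn},
        "dest": {"tn": [dest_tn]},
        "iat": issued_at,  # NumericDate: integer seconds since 1970-01-01T00:00:00Z
    }


def encode_unsigned(header: dict, payload: dict) -> str:
    """Header and payload segments only; the ES256 signature segment is omitted."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}"


def check_iat(token: str, now: float) -> Tuple[bool, str]:
    """Check only the "iat" claim of a (header.payload[.signature]) token.

    Returns (accepted, reason). Signature verification and the other
    RFC 8225 checks (orig/dest matching, etc.) are outside this example.
    """
    try:
        payload = json.loads(b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return False, "malformed token"
    if "iat" not in payload:
        return False, "missing iat claim"  # mandatory in PASSporT (RFC 8225 Section 5.1.1)
    iat = payload["iat"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        return False, "iat is not a NumericDate"
    if iat > now + CLOCK_SKEW_SECONDS:
        return False, "iat is in the future"
    if now - iat > MAX_AGE_SECONDS:
        return False, "stale iat: possible replay"
    return True, "fresh"


def demo() -> dict:
    """Run the check over a fresh, a replayed, a future-dated and an iat-less token."""
    now = 1_529_000_000  # fixed "current time" so the run is reproducible (constructed)
    header = {"typ": "passport", "alg": "ES256",
              "x5u": "https://cert.example.invalid/passport.cer"}  # placeholder URL
    orig, dest = "12155551212", "12155551213"
    fresh = encode_unsigned(header, build_passport_payload(orig, dest, now - 10))
    replayed = encode_unsigned(header, build_passport_payload(orig, dest, now - 3600))
    future = encode_unsigned(header, build_passport_payload(orig, dest, now + 100))
    missing = encode_unsigned(header, {"orig": {"tn": orig}, "dest": {"tn": [dest]}})
    return {
        "fresh": check_iat(fresh, now),
        "replayed": check_iat(replayed, now),
        "future": check_iat(future, now),
        "missing": check_iat(missing, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check illustrates why the erratum's distinction matters to a verifier: whichever instant "iat" is defined to carry, the verifier can only compare it against its own clock, so an "iat" that reflects an event well before the token was actually built would be rejected as stale by a window like the one above, while an "iat" set at token construction is what the freshness window is designed to bound.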