Re: [stir] draft-housley-stir-enhance-rfc8226-00

Jack Rickard <Jack.Rickard@metaswitch.com> Tue, 02 February 2021 11:10 UTC

From: Jack Rickard <Jack.Rickard@metaswitch.com>
To: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Date: Tue, 02 Feb 2021 11:10:33 +0000
Message-ID: <BYAPR02MB518990628D397B1CDB44839EF3B59@BYAPR02MB5189.namprd02.prod.outlook.com>
References: <161126455434.3362.14572023954174036871@ietfa.amsl.com> <6515CC12-1A12-4524-9EB9-5C46D01855CF@vigilsec.com>
In-Reply-To: <6515CC12-1A12-4524-9EB9-5C46D01855CF@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/gkZJVYaY9oZgdVuSNMGb-flpeek>
Subject: Re: [stir] draft-housley-stir-enhance-rfc8226-00
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

This looks fine from my point of view; however, what is the actual motivation behind this? I'd like to know why these extra constraint options need to be added before supporting it.

Thanks,
Jack

From: stir <stir-bounces@ietf.org> On Behalf Of Russ Housley
Sent: 21 January 2021 21:32
To: IETF STIR Mail List <stir@ietf.org>
Subject: [stir] draft-housley-stir-enhance-rfc8226-00

Please review and comment. Chris Wendt has found some use cases where the JWT Claims Constraints in RFC 8226 are not adequate. This I-D proposes an enhancement to make the constraints richer.

Russ



From: internet-drafts@ietf.org
Subject: New Version Notification for draft-housley-stir-enhance-rfc8226-00.txt
Date: January 21, 2021 at 4:29:14 PM EST
To: "Russ Housley" <housley@vigilsec.com>


A new version of I-D, draft-housley-stir-enhance-rfc8226-00.txt
has been successfully submitted by Russ Housley and posted to the
IETF repository.

Name: draft-housley-stir-enhance-rfc8226
Revision: 00
Title: Enhanced JWT Claim Constraints for STIR Certificates
Document date: 2021-01-21
Group: Individual Submission
Pages: 8
URL:            https://www.ietf.org/archive/id/draft-housley-stir-enhance-rfc8226-00.txt
Status:         https://datatracker.ietf.org/doc/draft-housley-stir-enhance-rfc8226/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-stir-enhance-rfc8226
Htmlized:       https://tools.ietf.org/html/draft-housley-stir-enhance-rfc8226-00


Abstract:
  RFC 8226 provides a certificate extension to constrain the JWT claims
  that can be included in the PASSporT as defined in RFC 8225.  If the
  signer includes a JWT claim outside the constraint boundaries, then
  the recipient will reject the entire PASSporT.  This document defines
  additional ways that the JWT claims can be constrained.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
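As an added example (not code from the I-D, RFC 8226 or any project), here is the check the abstract describes: a verifier decodes the PASSporT payload and rejects the whole PASSporT when a claim falls outside the certificate's RFC 8226 JWT Claim Constraints. The constraint dictionary mirrors RFC 8226's mustInclude and permittedValues; the PASSporT, its claim values and the origid are constructed test data, and the string comparison of non-string claim values is an assumption.

```python
"""RFC 8226 JWT Claim Constraints checked against a PASSporT payload.
Added example, not code from the I-D, RFC 8226 or any project; the
constraint shape follows RFC 8226 section 8 (mustInclude, permittedValues)
and the PASSporT below is constructed test data."""
import base64
import json

# As decoded from the cert extension: attest and origid required, attest in {A, B}.
CONSTRAINTS = {
    "mustInclude": ["attest", "origid"],
    "permittedValues": {"attest": ["A", "B"]},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def passport_claims(compact_jws: str) -> dict:
    """Claims of a compact-form PASSporT (header.payload.signature).
    Signature verification (RFC 8224/8225) is a separate step, not done here."""
    _header, payload, _signature = compact_jws.split(".")
    return json.loads(b64url_decode(payload))

def check_claim_constraints(claims: dict, constraints: dict) -> tuple:
    """Return (ok, reason); any violation rejects the whole PASSporT."""
    for name in constraints.get("mustInclude", []):
        if name not in claims:
            return False, f"required claim '{name}' missing"
    for name, allowed in constraints.get("permittedValues", {}).items():
        if name not in claims:
            continue  # permittedValues only restricts claims that are present
        # Extension values are UTF8Strings, so non-string JSON values are
        # compared in serialised form (an assumption of this example).
        value = claims[name] if isinstance(claims[name], str) else json.dumps(claims[name])
        if value not in allowed:
            return False, f"claim '{name}' value {value!r} not permitted"
    return True, "ok"

def make_unsigned_passport(claims: dict) -> str:
    """Constructed compact JWS with an empty signature segment (test data only)."""
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}."

# Constructed SHAKEN-style claims (RFC 8588 shape); origid is a placeholder.
SAMPLE_CLAIMS = {"attest": "A", "dest": {"tn": ["12155551213"]}, "iat": 1443208345,
                 "orig": {"tn": "12155551212"}, "origid": "constructed-origid"}
SAMPLE_PASSPORT = make_unsigned_passport(SAMPLE_CLAIMS)
```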