Re: [stir] Benjamin Kaduk's Discuss on draft-ietf-stir-enhance-rfc8226-03: (with DISCUSS and COMMENT)

Chris Wendt <chris-ietf@chriswendt.net> Wed, 30 June 2021 15:58 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <ABFB1638-CF63-4E6B-8F23-AAABD628384C@chriswendt.net>
Date: Wed, 30 Jun 2021 11:58:36 -0400
In-Reply-To: <3BC0966B-BA80-43FD-9893-30C9D64AB8AB@team.neustar>
Cc: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
To: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>
References: <162491913776.24561.10295832590740387025@ietfa.amsl.com> <17CC8994-103E-4EA6-BF43-624F0A08FD5B@vigilsec.com> <20210629050839.GC17170@kduck.mit.edu> <A46901E1-E0B6-45FB-B70A-70771643BC5B@vigilsec.com> <20210629140724.GE17170@kduck.mit.edu> <43571C73-38E6-4B58-9BE6-536B83C35CCF@vigilsec.com> <BD2651EC-175A-45D3-A098-2B48A3B96BBE@nostrum.com> <1B56D3D0-C887-435E-A611-C01AD6D446EF@vigilsec.com> <559AFF0B-2CAD-4203-B383-CE49087D96C5@nostrum.com> <E59CDA6C-D54E-4041-933D-A47B491862EC@vigilsec.com> <7E6BED26-32EF-4545-A862-8C23B7A19CCD@nostrum.com> <62E5EAE7-5A33-4C8E-A17D-BD0CC25AE97F@vigilsec.com> <3BC0966B-BA80-43FD-9893-30C9D64AB8AB@team.neustar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/3sv2yAqfoAxr6JR42sRaiAPeuPM>

Yes, ATIS-1000092 already says MUST for supporting the EnhancedJWTClaimConstraints extension, so I think we are good.

-Chris

> On Jun 30, 2021, at 11:37 AM, Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org> wrote:
> 
> 
> I don't know that enhanced constraints need to be coupled that tightly to delegation. When delegation gets approved in the SHAKEN ecosystem (I wouldn't venture when exactly that will be), it would certainly make sense for SHAKEN specs to point to the enhanced constraints, but I'm not sure there's something we need to close in the IETF to make that possible. I think your Section 6 text looks fine. I guess I can also imagine non-delegation cases that could use enhanced constraints in the future as well, so I wouldn't necessarily want to make them so intertwined.
> 
> Jon Peterson
> Neustar, Inc.
> 
> On 6/29/21, 2:34 PM, "stir on behalf of Russ Housley" <stir-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:
> 
>    Based on the comments from Ben Kaduk, I drafted the below guidance to CAs.
> 
>> 6.  Guidance to Certification Authorities
>> 
>> The EnhancedJWTClaimConstraints extension specified in this document
>> and the JWTClaimConstraints extension specified in [RFC8226] MUST NOT
>> both appear in the same certificate.
>> 
>> If the situation calls for mustExclude constraints, then the
>> EnhancedJWTClaimConstraints extension is the only extension that can
>> express the constraints.
>> 
>> On the other hand, if the situation does not call for mustExclude
>> constraints, then either the EnhancedJWTClaimConstraints extension or
>> the JWTClaimConstraints extension can express the constraints.  Until
>> such time as the EnhancedJWTClaimConstraints become widely
>> implemented, the use of the JWTClaimConstraints extension may be more
>> likely to be implemented.  This guess is based on the presumption
>> that the first specified extension will be implemented more widely in
>> the next few years.
> 
> 
>    The delegated certs activities led to this document in the first place, so it seems appropriate to ask when people think that delegated certificates will be implemented. Will a future version of the delegated certificates document mandate the implementation of the EnhancedJWTClaimConstraints extension? Do the answers to these questions offer any better guidance than the above?
> 
>    Russ
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
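The guidance quoted above (the two extensions MUST NOT both appear in one certificate, and only EnhancedJWTClaimConstraints can express mustExclude) is the kind of rule a PASSporT verifier has to enforce once it has decoded the certificate. The following is an added example written for this archive page, not code from the draft, the STIR working group, or ATIS; it shows how a verifier selects which constraint extension to apply and then checks a PASSporT's claims against mustInclude, permittedValues and mustExclude. The OID values, the decoded-constraint representation (a plain dataclass rather than the ASN.1 structure) and the sample certificate extensions and PASSporT claims are assumptions and constructed inputs for illustration; a real verifier would first DER-decode the extension from the certificate.

```python
"""Added example: applying JWTClaimConstraints / EnhancedJWTClaimConstraints
to PASSporT claims, including the 'not both extensions' rule from the quoted
Section 6 guidance.  Not code from the draft or any STIR implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Extension OIDs as assumed for this example (id-pe arc, RFC 8226 and the
# enhanced extension); treat them as assumptions, not as a normative reference.
OID_JWT_CLAIM_CONSTRAINTS = "1.3.6.1.5.5.7.1.27"
OID_ENHANCED_JWT_CLAIM_CONSTRAINTS = "1.3.6.1.5.5.7.1.28"


@dataclass
class ClaimConstraints:
    """Decoded constraint extension.  must_exclude is only meaningful for
    the enhanced extension; the RFC 8226 extension has no such field."""
    must_include: list[str] = field(default_factory=list)
    permitted_values: dict[str, list[str]] = field(default_factory=dict)
    must_exclude: list[str] = field(default_factory=list)


def select_constraints(cert_extensions: dict[str, ClaimConstraints]) -> Optional[ClaimConstraints]:
    """Choose the constraint extension to enforce for a certificate.

    cert_extensions maps extension OID -> decoded ClaimConstraints.
    Rejects a certificate that carries both extensions (the quoted guidance
    says they MUST NOT both appear) and rejects a decoded RFC 8226 extension
    that somehow claims a mustExclude list, which that syntax cannot carry.
    Returns None when the certificate carries neither extension.
    """
    has_old = OID_JWT_CLAIM_CONSTRAINTS in cert_extensions
    has_new = OID_ENHANCED_JWT_CLAIM_CONSTRAINTS in cert_extensions
    if has_old and has_new:
        raise ValueError("certificate carries both JWTClaimConstraints and "
                         "EnhancedJWTClaimConstraints; reject it")
    if has_old:
        constraints = cert_extensions[OID_JWT_CLAIM_CONSTRAINTS]
        if constraints.must_exclude:
            raise ValueError("JWTClaimConstraints cannot express mustExclude")
        return constraints
    if has_new:
        return cert_extensions[OID_ENHANCED_JWT_CLAIM_CONSTRAINTS]
    return None


def check_passport_claims(claims: dict, constraints: Optional[ClaimConstraints]) -> list[str]:
    """Return the list of constraint violations for a PASSporT claim set.

    An empty list means the claims satisfy every constraint.  mustInclude
    claims must be present; a claim named in permittedValues must, if
    present, carry one of the listed values; mustExclude claims must be absent.
    """
    problems: list[str] = []
    if constraints is None:
        return problems
    for name in constraints.must_include:
        if name not in claims:
            problems.append(f"required claim {name!r} is missing")
    for name, allowed in constraints.permitted_values.items():
        if name in claims and str(claims[name]) not in allowed:
            problems.append(f"claim {name!r} has value {claims[name]!r}; permitted: {allowed}")
    for name in constraints.must_exclude:
        if name in claims:
            problems.append(f"claim {name!r} is present but must be excluded")
    return problems


# Constructed sample data (not taken from any real certificate or call).
SAMPLE_ENHANCED = ClaimConstraints(
    must_include=["attest", "origid"],
    permitted_values={"attest": ["A", "B"]},
    must_exclude=["div"],
)
SAMPLE_CERT_OK = {OID_ENHANCED_JWT_CLAIM_CONSTRAINTS: SAMPLE_ENHANCED}
SAMPLE_CERT_BOTH = {
    OID_JWT_CLAIM_CONSTRAINTS: ClaimConstraints(must_include=["attest"]),
    OID_ENHANCED_JWT_CLAIM_CONSTRAINTS: SAMPLE_ENHANCED,
}
SAMPLE_PASSPORT_OK = {
    "attest": "A",
    "origid": "0b5e8e62-constructed-origid",
    "orig": {"tn": "12155551212"},
    "dest": {"tn": ["12155551213"]},
    "iat": 1625068717,
}
SAMPLE_PASSPORT_BAD = {
    "attest": "C",                      # not a permitted value
    "orig": {"tn": "12155551212"},      # origid is missing
    "dest": {"tn": ["12155551213"]},
    "div": {"tn": "12155551214"},       # excluded claim is present
    "iat": 1625068717,
}


if __name__ == "__main__":
    active = select_constraints(SAMPLE_CERT_OK)
    print("good PASSporT:", check_passport_claims(SAMPLE_PASSPORT_OK, active) or "OK")
    print("bad PASSporT:", check_passport_claims(SAMPLE_PASSPORT_BAD, active))
    try:
        select_constraints(SAMPLE_CERT_BOTH)
    except ValueError as exc:
        print("certificate rejected:", exc)
```

The ordering matters: the extension selection runs once per certificate, before any claim is examined, so a certificate violating the "not both" rule is rejected regardless of what the PASSporT contains. Note also that the RFC 8226 syntax simply has no place to carry mustExclude, so the check on the old extension is defensive rather than something a conforming decoder would ever produce.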