Re: [stir] Questions on the draft-ietf-stir-passport-04 integrity mechanism
Ben Campbell <ben@nostrum.com> Sat, 07 September 2019 16:50 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74C3D1200EB for <stir@ietfa.amsl.com>; Sat, 7 Sep 2019 09:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E0WJjK41xf30 for <stir@ietfa.amsl.com>; Sat, 7 Sep 2019 09:50:28 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAE76120137 for <stir@ietf.org>; Sat, 7 Sep 2019 09:50:28 -0700 (PDT)
Received: from bens-macbook.lan (cpe-66-25-20-105.tx.res.rr.com [66.25.20.105]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x87GoQmh058176 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <stir@ietf.org>; Sat, 7 Sep 2019 11:50:28 -0500 (CDT) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1567875028; bh=Gq7MfWhchNM7f2TU644XafkLNWfPGrYZpcCACpjZEuw=; h=From:Subject:Date:References:To:In-Reply-To; b=BiVWXa4hns9786roaqatEc+bqQ7WBen9ZDjX5vPkCrdwiIeEjhZL8/cZAU/tu9KM0 +GCMS13Q1pCRKA98u4IoV0lYHcAF6cLxtLvt96WZfnJs7AGrZ8cy5EWME3X5MMD51t viIC/feyJXP4s4nF1BPdAI/YsF9K6jCoBKicURLI=
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-20-105.tx.res.rr.com [66.25.20.105] claimed to be bens-macbook.lan
From: Ben Campbell <ben@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8771B2D6-C7B4-4256-A612-30A940F0F7CE"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 07 Sep 2019 11:50:21 -0500
References: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com>
To: stir@ietf.org
In-Reply-To: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com>
Message-Id: <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/4Qewe91InLhsdnGyzB6oAgC3UZ8>
Subject: Re: [stir] Questions on the draft-ietf-stir-passport-04 integrity mechanism
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Sep 2019 16:50:32 -0000
Minor correction below: > On Sep 6, 2019, at 4:31 PM, Ben Campbell <ben@nostrum.com> wrote: > > Signed PGP part > Hi, > > I have a couple of high level questions about the new integrity mechanism in draft-ietf-stir-passport-04. Apologies if these have already been discussed. > > 1) Do I understand correctly that the certificate used to sign a PASSporT with an rcdi claim MUST include a constraint for the _value_ of the digest? That is, if someone makes any change to any of the information they would normally include in an rcd claim, the signing party must get a new cert? > > My concern is that, for good or bad, commercial callers really like to control the customer experience. Many like to change things up all the time. I can imagine things like special date-specific logos (e.g. Google doodles), “sale” badges on logos, distinctive branding for different “campaigns”, etc. I realize things like ACME make the process of getting a new cert lighter weight than it used to be, but is it reasonable to require a new cert for any change? > > This might be worse for third-party signers who may sign on behalf of many callers, each of which keeps changing things. > > 2) If I understand correctly, if anything in the rcd claim includes a URL, the rcdi claim incorporates the associated content. What about URLs? Uhm, I meant to say additional URLs > For example, lets say a jcl key links to a jCard, and that jCard has a LOGO element with a URI? Is the alleged logo content at that URI protected? > > I assume the answer is that the answer is no; otherwise it could be URLs all the way down and we have to stop somewhere. This is probably a matter of signer or issuer) policy. If so, it might be worth having some operational guidance that they need to think about such things. > > > > >
- [stir] Questions on the draft-ietf-stir-passport-… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- [stir] draft-ietf-stir-passport-rcd-04 Russ Housley
- Re: [stir] Questions on the draft-ietf-stir-passp… Chris Wendt
- Re: [stir] draft-ietf-stir-passport-rcd-04 Chris Wendt
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Peterson, Jon
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Chris Wendt
- Re: [stir] Questions on the draft-ietf-stir-passp… Eric Burger