IETF Logo Mail Archive

Re: [stir] New Version Notification for draft-ietf-stir-enhance-rfc8226-01.txt

Ben Campbell <ben@nostrum.com> Mon, 29 March 2021 21:44 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF47A3A22A2 for <stir@ietfa.amsl.com>; Mon, 29 Mar 2021 14:44:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.021
X-Spam-Level: *
X-Spam-Status: No, score=1.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MAY_BE_FORGED=2.699, RCVD_IN_DNSWL_BLOCKED=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jlEK65HNuXWk for <stir@ietfa.amsl.com>; Mon, 29 Mar 2021 14:44:41 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D833A229D for <stir@ietf.org>; Mon, 29 Mar 2021 14:44:41 -0700 (PDT)
Received: from macbook-pro.localdomain (mta-70-120-133-87.satx.rr.com [70.120.133.87] (may be forged)) (authenticated bits=0) by nostrum.com (8.16.1/8.16.1) with ESMTPSA id 12TLiWWx082787 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 29 Mar 2021 16:44:33 -0500 (CDT) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1617054276; bh=BeuivNtucFmgunr6R3jj0qPcBfjdUzpbPcIHlBqydcA=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=GDa1Prt9CcAtfig/sKCQ1yTX5uDnixLIXPIZRejsy+fOJJfeqhwBzPXEkeEaOkiqJ 8i3eaRTylOw05SIKOVT9SNyPOnsHcDwdY0DyU3zHfIkPjSQ2j7az4ftkfQe8j+oAdd CW/tMRS1ecUW83bdXkkLRYcavZL4cic3+Xx4ELwA=
X-Authentication-Warning: raven.nostrum.com: Host mta-70-120-133-87.satx.rr.com [70.120.133.87] (may be forged) claimed to be macbook-pro.localdomain
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <1AAA1628-A2CF-47BC-8E4D-745ED980A7EA@chriswendt.net>
Date: Mon, 29 Mar 2021 16:44:27 -0500
Cc: Richard Shockey <richard@shockey.us>, Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B3202ED5-A436-4B6E-9C78-94BBB7D7F616@nostrum.com>
References: <161659636453.2114.15175107388994818901@ietfa.amsl.com> <F4F9D652-8A6B-4AD7-B9D9-FA7AEAC08866@vigilsec.com> <130D436A-BABE-4ECC-8940-DBBC9D961F7C@nostrum.com> <FFA105EB-B1AF-43B1-8002-BFE1B8C69C92@vigilsec.com> <86E5E595-328B-430E-BB11-58475AFF852C@nostrum.com> <3A1072FB-4750-4935-AD27-F700B00D474F@vigilsec.com> <529010F6-6319-4B64-91D2-473DC0F1BF2F@shockey.us> <DF9C13EE-8979-47C7-8ECF-113B9FF8B9C8@chriswendt.net> <90AF19BD-3F68-4369-A63E-24761C388317@chriswendt.net> <2B6B882E-89AC-4D5E-B0FA-B0EF3FFB09BF@nostrum.com> <1AAA1628-A2CF-47BC-8E4D-745ED980A7EA@chriswendt.net>
To: Chris Wendt <chris-ietf@chriswendt.net>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/5V8P-5QdSW5sB51oobz0a2P_bM8>
Subject: Re: [stir] New Version Notification for draft-ietf-stir-enhance-rfc8226-01.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2021 21:44:47 -0000

Right—the value of excluding claims seems pretty clear.

I’m not sure I would go so far as to call excludeValues a security risk, but I think it might at least need a safety label :-) Since you mention RPH, I can see where excludeClaims might be useful in a use case like RPH where you tend to select claim values from enumerated lists.

Ben.


> On Mar 29, 2021, at 2:21 PM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
> 
> Hi Ben,
> 
> I think excluding claims use-case is the primary case where you simply don’t want people adding, for example, rph to an rcd passport because they could and it would look legit without the exclusion capability.  I think we added excludeValue because we thought it made sense to have it, however, i maybe don’t see as much of a use-case for that at present, however doesn’t mean that a use-case doesn’t exist.  Perhaps what you are asking Ben, is excludeValue may not be worth including and may be a security risk.  I would need to noodle on that a bit more, but it might be worth considering before we finalize the enhance-8226 document.
> 
> -Chris
> 
> 
>> On Mar 29, 2021, at 1:12 PM, Ben Campbell <ben@nostrum.com> wrote:
>> 
>> My original point was that (maybe) the value should be canonicalized in the JWTContraints, and that the claim values should be canonicalized when comparing against the constraints. And I meant that more as a question than an assertion :-)
>> 
>> But on reflection, the issue may be that I don’t really understand how we plan to use excludedValues. (Apologies if this has already been discussed and I either missed it or just forgot)
>> 
>> For the case of includedValues, one assumes that whoever builds the PASSporT is aware of the JWTConstraints in their certificate, and will put rcd/rcdi values that match. Maybe some guidance on not screwing that up would be helpful, but implementors will (eventually) figure it out. It is in their interests to get it right, else their calls will fail verification.
>> 
>> But in the case of excludedValues,  IIUC we are saying “you can’t put in an rcd claim that looks _exactly_ like this.”  What behavior are we trying to prevent? Is it in some senders' interests to circumvent the protection? It seems trivial to construct an RCD claim that is not identical to the prohibited value but close enough to confuse a recipient. Canonicalization might help prevent errors but probably won’t prevent intentional attempts to bypass the protection.
> 
>> Thanks!
>> 
>> Ben.
>> 
>>> On Mar 29, 2021, at 11:55 AM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
>>> 
>>> Maybe i’m seeing the point actually, are you saying we should be explicit that the permitted or excludedValues are canonicalized (i.e. white space removal) before being encoded into cert.  This was my assumption, but would need to look if we have anything to say that explicitly.  My assumption was that the values when compared between the signed PASSporT and the certificate permited/excludedValues would not require any canonicalization procedures.
>>> 
>>> -Chris
>>> 
>>>> On Mar 29, 2021, at 12:47 PM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
>>>> 
>>>> Relative to order what Jon and I did for integrity was to include the base /rcd as part of the required part of the “rcdi” integrity, so because the digest is based on the JSON in a particular order, also required to make sure the JSON pointer points to the correct URI, that takes care of the array order of the jCard in particular.
>>>> 
>>>> But I think to Ben’s original point, I’m confused how you could "sneak anything by" with white space, or unicode swaps.  excludedValues is at the claim level, so it seems to me to be either correct or not correct in terms of the entire “rcd” or “rcdi” claims.  It’s not that you are going in and interpreting values or anything.  But maybe i missed the point.
>>>> 
>>>> -Chris
>>>> 
>>>>> On Mar 29, 2021, at 12:31 PM, Richard Shockey <richard@shockey.us> wrote:
>>>>> 
>>>>> 
>>>>> But maybe it should.  One of the biggest interoperablity concerns with STIR/SHAKEN in general is the lack of, or improper canonicalization.
>>>>> 
>>>>> 
>>>>> On 3/29/21, 11:46 AM, "stir on behalf of Russ Housley" <stir-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:
>>>>> 
>>>>> Ben:
>>>>> 
>>>>> The JWT specification (RFC 7519) does not require canonicalization.
>>>>> 
>>>>> JSON allows these types:
>>>>> -   a string
>>>>> -   a number
>>>>> -   a JSON object
>>>>> -   an array
>>>>> -   a boolean
>>>>> -   null
>>>>> 
>>>>> Only the array and JSON object can be a concern.
>>>>> 
>>>>> For an array, the ordering could be important, so the only thing we can do is remove all of the whitespace between array elements.
>>>>> 
>>>>> For a JSON Object, again we can remove whitespace outside of quotes, but we could require a sort order the elements of the object.
>>>>> 
>>>>> Looking at the example in passport-rcd:
>>>>> 
>>>>>   {
>>>>>     "orig": { "tn": "12025551000"},
>>>>>     "dest": { "tn": ["12155551001"]},
>>>>>     "iat": 1443208345,
>>>>>     "rcd": {
>>>>>       "nam": "Q Branch Spy Gadgets",
>>>>>       "jcd": ["vcard",
>>>>>       [ ["version",{},"text","4.0"],
>>>>>         ["fn",{},"text","Q Branch"],
>>>>>         ["org",{},"text","MI6;Q Branch Spy Gadgets"],
>>>>>         ["photo",{},"uri","https://example.com/photos/q-256x256.png"],
>>>>>         ["logo",{},"uri","https://example.com/logos/mi6-256x256.jpg"],
>>>>>         ["logo",{},"uri","https://example.com/logos/mi6-64x64.jpg"]
>>>>>       ] ]
>>>>>     },
>>>>>     "crn": "Rendezvous for Little Nellie",
>>>>>     "rcdi": {
>>>>>       "/nam": "sha256-918VNJD12938SNCJ",
>>>>>       "/jcd": "sha256-VNJDSNCJ12938918",
>>>>>       "/jcd/1/3/3": "sha256-12938918VNJDSNCJ",
>>>>>       "/jcd/1/4/3": "sha256-VNJDSNCJ12938918",
>>>>>       "/jcd/1/5/3": "sha256-4049852730SFLGHL"
>>>>>     }
>>>>>   }
>>>>> 
>>>>> Would a sort order be helpful?
>>>>> 
>>>>> Russ
>>>>> 
>>>>>> On Mar 28, 2021, at 2:11 PM, Ben Campbell <ben@nostrum.com> wrote:
>>>>>> 
>>>>>> Another thought just occurred to me, related to the previous conversation about non-string JSON types, although it probably matters for strings as well.
>>>>>> 
>>>>>> Does the addition of “excludedValues” suggest a need for canonicalization of the values? If not, it seems like a bad actor could sneak things past the verifier by varying white space usage, element order, etc.
>>>>>> 
>>>>>> This might also be useful for “permittedValues”, but in that case it might be more to help prevent errors.
>>>>>> 
>>>>>> As I think about this, I wonder if we should have a security consideration pointing out that the excludeValues mechanism cannot defend against more sophisticated bad actions such as confusable unicode strings. Unless we want to suggest that the issuer include every conceivable variation of the prohibited values, which seems a bit extreme.
>>>>>> 
>>>>>> Thanks!
>>>>>> 
>>>>>> Ben.
>>>>>> 
>>>>>>> On Mar 24, 2021, at 11:04 AM, Russ Housley <housley@vigilsec.com> wrote:
>>>>>>> 
>>>>>>> Ben:
>>>>>>> 
>>>>>>> I agree that something about the constraints belongs in the RCD document, but I do not think a heads up in this document is bad.
>>>>>>> 
>>>>>>> Russ
>>>>>>> 
>>>>>>> 
>>>>>>>> On Mar 24, 2021, at 11:57 AM, Ben Campbell <ben@nostrum.com> wrote:
>>>>>>>> 
>>>>>>>> This version addresses all of my comments.
>>>>>>>> 
>>>>>>>> I wonder if the new security consideration for rcdi might be better placed in the RCD spec? (No strong feelings—I’m okay leaving it here.)
>>>>>>>> 
>>>>>>>> Thanks!
>>>>>>>> 
>>>>>>>> Ben.
>>>>>>>> 
>>>>>>>>> On Mar 24, 2021, at 9:37 AM, Russ Housley <housley@vigilsec.com> wrote:
>>>>>>>>> 
>>>>>>>>> This revision addresses the WG Last Call comments from Ben Campbell.  It also adds a security consideration regarding the "rcdi" claim defined in draft-ietf-stir-passport-rcd.  In addition, I thought of an additional security consideration regarding certificate renewal.  Finally, the reference to RFC 5912 is now normative.
>>>>>>>>> 
>>>>>>>>> Russ
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> A new version of I-D, draft-ietf-stir-enhance-rfc8226-01.txt
>>>>>>>>>> has been successfully submitted by Russ Housley and posted to the
>>>>>>>>>> IETF repository.
>>>>>>>>>> 
>>>>>>>>>> Name:		draft-ietf-stir-enhance-rfc8226
>>>>>>>>>> Revision:	01
>>>>>>>>>> Title:		Enhanced JWT Claim Constraints for STIR Certificates
>>>>>>>>>> Document date:	2021-03-23
>>>>>>>>>> Group:		stir
>>>>>>>>>> Pages:		11
>>>>>>>>>> URL:            https://www.ietf.org/archive/id/draft-ietf-stir-enhance-rfc8226-01.txt
>>>>>>>>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-stir-enhance-rfc8226/
>>>>>>>>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-stir-enhance-rfc8226
>>>>>>>>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-stir-enhance-rfc8226-01
>>>>>>>>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-enhance-rfc8226-01
>>>>>>>>>> 
>>>>>>>>>> Abstract:
>>>>>>>>>> RFC 8226 provides a certificate extension to constrain the JWT claims
>>>>>>>>>> that can be included in the PASSporT as defined in RFC 8225.  If the
>>>>>>>>>> signer includes a JWT claim outside the constraint boundaries, then
>>>>>>>>>> the recipient will reject the entire PASSporT.  This document defines
>>>>>>>>>> additional ways that the JWT claims can be constrained.
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> _______________________________________________
>>>>>>>>> stir mailing list
>>>>>>>>> stir@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/stir
>>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> stir mailing list
>>>>>>> stir@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/stir
>>>>>> 
>>>>>> _______________________________________________
>>>>>> stir mailing list
>>>>>> stir@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/stir
>>>>> 
>>>>> _______________________________________________
>>>>> stir mailing list
>>>>> stir@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/stir
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> stir mailing list
>>>>> stir@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/stir
>>>> 
>>> 
>> 
>

v2.23.0 | Report a Bug | By Email