Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Eric Rescorla <ekr@rtfm.com> Sun, 21 August 2016 15:37 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B71612D0A0 for <stir@ietfa.amsl.com>; Sun, 21 Aug 2016 08:37:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CVvw5RKjXJUQ for <stir@ietfa.amsl.com>; Sun, 21 Aug 2016 08:37:46 -0700 (PDT)
Received: from mail-yb0-x229.google.com (mail-yb0-x229.google.com [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F13F12D526 for <stir@ietf.org>; Sun, 21 Aug 2016 08:37:46 -0700 (PDT)
Received: by mail-yb0-x229.google.com with SMTP id z10so30085084ybh.2 for <stir@ietf.org>; Sun, 21 Aug 2016 08:37:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Vx1thjRw+R2CnIUGuJIxzsVqwkzMpZrKopqVGMwIuLc=; b=VqKVAIy2JjgiCHp+6WSTQ9xfte1uLPhElxr7rnUCN+b77CUYLlZDwvRbcoJsqF9Dxk GbCoOO++hHX51pQ6XA6R0loie2mV5svJcg2Lmua8uJ0GMRCFNaBgIqk6bbpOHzKeQmWO TdGCC/99uXnwCcI70+Gb3/lw7OgTk3Tt0CLiAKGMSve1aNimmMI+JZl8Y1t+awOkVS96 EpW45kBVB5+usybF12ZpZofJRQBucM/8rUvHeUhqJzQ4RNRSDF7QXvjTZNYGc5ywc/wW olMCtonqMAvql/WJH/nvGkE8bVRfFdMdsiwFYiUBGsapfZuJgGrUdAIrp3B+bPLr99wK 9c7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Vx1thjRw+R2CnIUGuJIxzsVqwkzMpZrKopqVGMwIuLc=; b=C5MAZEEjUugM1YGpYoFimW5+NMuoWqeEeGEDcFy/5zx85T14LLEyGI+BUsfgw34A57 DhaA1hk1DuPEK6Ip/6BgInMCsa7hV8SpsuMR36biqo52euKgXAc9G8/E1cfcpxXOAV/j N+QUhdFy6zcjS2s3cI1dC4WPBIjEGq67n6TuXqpk/xghyfFdfIx6UgW5ffoTi9bPVckD CIAavYgsLdKCTo8A4dq79YjbbzGszkxAbYaYBGC1fW1J+KUZloddmCoMU/Kvf3flq5ey 3v61+fw0bluNFFgGVrEsEzETQisNIqXDlEJncMljRLj0ultnudG4Aw1RzbgI8o+K7nUj TcGg==
X-Gm-Message-State: AEkoouv9FLG7uk7Pm5WKl3SshyyAoY+obB9IWalQ1RXG5HtahwxCYafXE0Y0WS4qBG1Jk5x0pj//vj7adplytQ==
X-Received: by 10.37.160.99 with SMTP id x90mr13462239ybh.130.1471793865253; Sun, 21 Aug 2016 08:37:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.48.193 with HTTP; Sun, 21 Aug 2016 08:37:04 -0700 (PDT)
In-Reply-To: <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 21 Aug 2016 08:37:04 -0700
Message-ID: <CABcZeBNQgsjDOrW2k4WOucTVXSMHjEUjKgGkhYT119Z3yoUv1g@mail.gmail.com>
To: Dave Crocker <dcrocker@bbiw.net>
Content-Type: multipart/alternative; boundary="94eb2c19831e85981d053a96b682"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/72OUIGuRJAiDF3aQdm10lL-TKso>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Aug 2016 15:37:48 -0000
Dave, Whenever we want to add some cryptographic functionality to a protocol [0] (especially when it's messaging/object security functionality) we have to ask whether it would be better to define something new, specific to the protocol, and hopefully simple, or reuse something pre-existing, generic, and presumably more complicated. In my experience, the history of those who take the former approach is that we find ourselves reinventing a bunch of stuff and that it's not as simple as we hoped [1][2] Given the difficulty of correctly specifying and implementing this kind of functionality, I'd far prefer to stick with a pre-existing component. It doesn't have to be JSON of course (for instance, I have no opinion on if COSE would be better) but I would not be in favor of defining something specific here. -Ekr [0] Or, I guess, in a bunch of other cases. [1] Indeed, JOSE is in some respects an attempt to apply this treatment to CMS. [2] Another example is the current HTTPBIS encryption spec, which has rather expanded from its simple origins. On Wed, Aug 3, 2016 at 1:25 PM, Dave Crocker <dhc@dcrocker.net> wrote: > On 7/29/2016 2:11 PM, Dave Crocker wrote: > >> On 7/29/2016 10:46 AM, Peterson, Jon wrote: >> >>> I wouldn't say it's a correction to the STIR charter - the charter was >>> always clear that it was not limited to SIP (see the bits about "one or >>> more non-SIP hops" and "out-of-band mechanism" in the charter). But given >>> that our original signing mechanism was, as I said, a concatenation of >>> SIP >>> header field values, the intervention was that other protocols would need >>> something less bound to SIP. JWT turned out to be the solution that the >>> group had consensus to adopt. >>> >> >> JWT has nothing to do with SIP. So when applied to a SIP context, it's >> entirely artificial. And yes, I noted the views that thought it simpler >> or equivalent to the computed string, but could not see the explicit >> logic that made JWT a better choice, no does it seem obvious to me. >> Quite the contrary. >> >> Note that during the wg session in Berlin there was /still/ question >> about where to put the JWT information. >> > > > Folks, > > I'm citing the above text, for discussing the concern I rasied about > JWT/JSON use in Passport, because that was the first time I criticized it, > which was several rounds of postings after I sent my review. That is, it > was /not/ part of my review. I made a conscious choice to leave that > concern out, although I already saw it as likely problematic. > > On its face, yes it looks like a reasonable choice. It's pre-existing > technology and it looks clean. The concerns develop in its application, > not its concept. > > Look for JSON and JWT in SIP. You won't find it. That means that it is > an added layer of specification. Or, in this case, specifications. And > since JSON and JWT are their own environments, that means there is a > learning curve and other baggage to carry, before it is useful to SIP and > STIR. > > Even better is that even the STIR specification for SIP does not require > using JWT or JSON. Note that ppt is optional. This adds to the view that, > at best, JWT/JSON is really just an abstraction for STIR. > > But in fact the fact that ppt is optional really means that the SIP STIR > specification has added complexity, with very unclear benefit. > > As for the underlying justification for the Passport model, references to > broader applicability are always appealing, but lacking concrete > specifications and clear, documented intentions of use -- including a clear > explanation of the benefit to be gained by the abstraction -- they turn out > mostly to be a distraction from the immediate concern, namely added > complexity to the mainstream use. > > Again: JSON/JWT adds a layer (or two) of mechanism that almost certainly > is not needed and almost certainly adds problematic complexity to the > specification, probably to the point of impeding reader comprehension. > > As I've noted, the underlying task here is pretty straightforward: > > * Define a mechanism for finding and validating a public key. > > * Decide on scope and canonicalization of data to be signed. Define > a signing mechanism. > > * Define a validation mechanism. > > * Decide how to deal with partial adoption > > * Decide how to deal with broken signatures. > > > Maybe a little more than this, but not much. > > > d/ > > -- > > Dave Crocker > Brandenburg InternetWorking > bbiw.net > > _______________________________________________ > stir mailing list > stir@ietf.org > https://www.ietf.org/mailman/listinfo/stir >
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… DOLLY, MARTIN C
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- [stir] Setting Direction for the STIR WG Last Call Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Richard Shockey
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Paul Kyzivat
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- [stir] JWT/JSON (was - Re: Review of: draft-ietf-… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Victor Pascual
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Burger
- [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Michael Hammer
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Alex Bobotek
- Re: [stir] Review of: draft-ietf-stir-passport-05 Stephen Farrell
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt