Re: [stir] Second WG Last Call for RFC4474bis

"Peterson, Jon" <jon.peterson@neustar.biz> Tue, 13 September 2016 22:27 UTC

From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Russ Housley <housley@vigilsec.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Date: Tue, 13 Sep 2016 22:27:22 +0000
Message-ID: <D3FDC8EF.1B0865%jon.peterson@neustar.biz>
References: <C1E751BC-55E9-4D8C-A6A5-B5674835870E@vigilsec.com> <10F4895C-4103-497A-B1E0-7B6CB617F13C@vigilsec.com> <859C0A33-E957-4971-BA43-7CC2537FBE83@vigilsec.com> <b7615c44-4881-0cff-44ad-7f350f3261e2@alum.mit.edu> <45382e81-68f9-f1c7-ae3f-42a6069a11a9@alum.mit.edu> <10F20385-407D-41C5-94FF-013354FE44C0@vigilsec.com>
In-Reply-To: <10F20385-407D-41C5-94FF-013354FE44C0@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/BTiufF8bELBE7fD8vrQ8Fflm_l4>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] Second WG Last Call for RFC4474bis

We'll cite RFC7515 Appendix C for the base64 in the next rev. We'll also
remove the gratuitous uses of "\".

Additionally, we've gotten a request from the implementers at SIPit to
remove the leading and trailing quotes (LDQUOT and RDQUOT) around the
signed-identity-digest and the canon parameter value in the Identity
header. The presence of the quotes is really just mechanism grandfathered
in from RFC4474; it adds a few bytes but doesn't seem to add any value.
Unless anyone objects, we'll remove those quotes from the syntax in the
next version.

Jon Peterson
Neustar, Inc.

On 9/13/16, 11:58 AM, "stir on behalf of Russ Housley"
<stir-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

>
>On Sep 13, 2016, at 2:26 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>
>> Replying to myself :-(
>> 
>> I discovered more problems with this:
>> 
>> I presume that there should be some consistency between this document
>>and passport and JWS regarding how base64 encoding is done.
>> 
>> * JWS [RFC7515] defines a modified encoding that is like "base64url"
>>from RFC4648 except that it omits the trailing "=" for padding. It uses
>>BASE64URL(octets) to denote this.
>> 
>> * passport references JWS, and also uses BASE64URL in examples.
>> 
>> * as I noted below, the examples in rfc4474bis clearly use "base64"
>>encoding as defined in RFC4648, including the trailing "=" pad
>>characters.
>> 
>> ISTM the proper fix for this is for both rfc4474bis and passport to
>>explicitly reference RFC7515 for the definition of BASE64URL. Then the
>>examples in 4474bis need to be changed accordingly. Once this is done
>>there is no need for allowing "=" in the syntax.
>> 
>> More below.
>> 
>> On 9/13/16 1:29 PM, Paul Kyzivat wrote:
>>> On 9/13/16 10:21 AM, Russ Housley wrote:
>>>> I was talking to a developer a few minutes ago, and he found a small
>>>> bug.  It is very simple to fix.  Maybe he will find other bugs as
>>>> development continues …
>>>> 
>>>> In section 4, the ABNF includes:
>>>> 
>>>>      base64-char = ALPHA / DIGIT / "/" / "+"
>>>> 
>>>> 
>>>> This line should say:
>>>> 
>>>>      base64-char = ALPHA / DIGIT / "/" / "+" / "="
>> 
>> Actually, now it should be:
>> 
>>         base64-char = ALPHA / DIGIT / "-" / "_"
>> 
>>> That is an improvement.  However, the document lacks any definition of
>>> how base64 encoding/decoding works. I suggest a reference to RFC4648.
>>> That RFC has two distinct base64 encodings: "base64" and "base64url".
>>> The examples in this draft clearly use "base64" because some of them
>>> contain "/".
>> 
>> 
>>> Also, it would be possible to write the syntax to more tightly define
>>> the syntax for base64:
>>> 
>>>      canonical-str = "canon" EQUAL LDQUOT base64-encoding RDQUOT
>>>      base64-encoding =
>>>         *(3base64-char) [ (2base64-char "=") / (base64-char 2"=") ]
>> 
>> The above isn't right. I was going to correct it, but now there is no
>>need to do so.
>> 
>
>You are right, the equal sign is not needed.  JWT uses Base64url
>encoding, which is defined in RFC 7515.  Base64url encoding produces the
>URL-safe and filename-safe result.  It uses "-" instead of "+", it uses
>"_" instead of "/", and it strips any trailing "=" characters.
>
>RFC 7515, Appendix C shows how to convert a Base64 string to a Base64url
>string.
>
>So, the ABNF above should be:
>
>      signed-identity-digest = LDQUOT *base64url-char RDQUOT
>
>      canonical-str = "canon" EQUAL LDQUOT *base64url-char RDQUOT
>
>     base64url-char = ALPHA / DIGIT / "_" / "-"
>
>Russ
>
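The encoding change discussed in this thread, as an added Python example that is not part of the message, of rfc4474bis or of any project code: it implements BASE64URL as JWS (RFC 7515) uses it (base64url alphabet, no "=" padding), the RFC 7515 Appendix C conversion from plain base64, and a check of a signed-identity-digest or canon value against the corrected ABNF alphabet (ALPHA / DIGIT / "-" / "_"). Function names and the sample octets 0xfb 0xff are constructed for the example; they were chosen because their plain base64 form "+/8=" contains both replaced characters and a pad character, which is exactly what the draft's old examples would have carried.

```python
import base64
import re

# Alphabet from the corrected ABNF in the thread (the RFC 4648 "base64url"
# alphabet, which JWS uses without "=" padding):
#   base64url-char = ALPHA / DIGIT / "-" / "_"
BASE64URL_CHAR_RE = re.compile(r"[A-Za-z0-9_-]*")


def matches_base64url_abnf(value: str) -> bool:
    """True if every character of value is a base64url-char.

    The ABNF is *base64url-char, so the empty string matches as well."""
    return BASE64URL_CHAR_RE.fullmatch(value) is not None


def base64url_encode(octets: bytes) -> str:
    """BASE64URL(octets) as JWS (RFC 7515) defines it: base64url alphabet,
    trailing "=" padding removed."""
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def base64url_decode(value: str) -> bytes:
    """Inverse of base64url_encode.

    Validates against the ABNF alphabet first, so a plain RFC 4648 "base64"
    value carrying "+", "/" or "=" is rejected instead of being silently
    accepted by a lenient decoder, then restores the padding that BASE64URL
    strips before handing the string to the standard decoder."""
    if not matches_base64url_abnf(value):
        raise ValueError("not a BASE64URL string: character outside base64url-char")
    if len(value) % 4 == 1:
        # No base64 input produces a single dangling character after padding removal.
        raise ValueError("not a BASE64URL string: invalid length")
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def base64_to_base64url(b64: str) -> str:
    """The conversion RFC 7515 Appendix C describes: drop "=" padding,
    map "+" to "-" and "/" to "_"."""
    return b64.rstrip("=").replace("+", "-").replace("/", "_")


if __name__ == "__main__":
    # Constructed sample octets; plain base64 of these is "+/8=".
    sample = b"\xfb\xff"
    plain = base64.b64encode(sample).decode("ascii")
    print(plain, "matches base64url-char:", matches_base64url_abnf(plain))  # +/8= False
    print("converted:", base64_to_base64url(plain))                          # -_8
    print("encoded:  ", base64url_encode(sample))                            # -_8
    print("round trip ok:", base64url_decode("-_8") == sample)               # True
```

The alphabet check is the part an implementer would keep at the Identity header parser: once the draft references BASE64URL, a value containing "/" or "=" is simply not well-formed, and rejecting it up front avoids differences between decoders that tolerate stray characters.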