IETF Logo Mail Archive

Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)

Christer Holmberg <christer.holmberg@ericsson.com> Sun, 21 August 2016 16:03 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E526A12D758 for <stir@ietfa.amsl.com>; Sun, 21 Aug 2016 09:03:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1rzYeFwomZ4 for <stir@ietfa.amsl.com>; Sun, 21 Aug 2016 09:03:55 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E254A12D1C2 for <stir@ietf.org>; Sun, 21 Aug 2016 09:03:54 -0700 (PDT)
X-AuditID: c1b4fb2d-917ff700000019a3-e6-57b9d0e75d7b
Received: from ESESSHC005.ericsson.se (Unknown_Domain [153.88.183.33]) by (Symantec Mail Security) with SMTP id 28.1C.06563.7E0D9B75; Sun, 21 Aug 2016 18:03:52 +0200 (CEST)
Received: from ESESSMB209.ericsson.se ([169.254.9.179]) by ESESSHC005.ericsson.se ([153.88.183.33]) with mapi id 14.03.0301.000; Sun, 21 Aug 2016 18:03:51 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>, Dave Crocker <dcrocker@bbiw.net>
Thread-Topic: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Thread-Index: AQHR+8H73BrKAUToJka1ECibMJhuzKBTkYhg
Date: Sun, 21 Aug 2016 16:03:50 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B4BC29AD9@ESESSMB209.ericsson.se>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net> <CABcZeBNQgsjDOrW2k4WOucTVXSMHjEUjKgGkhYT119Z3yoUv1g@mail.gmail.com>
In-Reply-To: <CABcZeBNQgsjDOrW2k4WOucTVXSMHjEUjKgGkhYT119Z3yoUv1g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.150]
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B4BC29AD9ESESSMB209erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDIsWRmVeSWpSXmKPExsUyM2K7ou6LCzvDDW5P0rH4/ekDm8WK1+fY LZav3cbkwOxxaedJNo8lS34yeUx+3MYcwBzFZZOSmpNZllqkb5fAlTF9Dm/BtsOMFeumvGdv YFywj7GLkZNDQsBE4sico8xdjFwcQgLrGSXefnnJBJIQEljCKHF8h2MXIwcHm4CFRPc/bZCw iICTxJSLvWwgNrOAusSLR2/YQWxhgUCJpt42RoiaIInXB/+yQ9hGEne3XWUFsVkEVCWOrHrN DGLzCvhKrNwKUg+yt4lZYvehPrChnECDFp36CVbEKCAm8f3UGiaIZeISt57MZ4I4WkBiyZ7z zBC2qMTLx/9YIWwliRXbLzGC3MwskC/R9jMdYpegxMmZT1gmMIrMQjJpFkLVLCRVEGFNifW7 9CGqFSWmdD9kh7A1JFrnzGVHFl/AyL6KUbQ4tbg4N93IWC+1KDO5uDg/Ty8vtWQTIzDODm75 rbuDcfVrx0OMAhyMSjy8C2btCBdiTSwrrsw9xCjBwawkwhtwbGe4EG9KYmVValF+fFFpTmrx IUZpDhYlcV7/l4rhQgLpiSWp2ampBalFMFkmDk6pBka/7u87/9gH1W2pydxTqOf4RYT3M6PS 9LLIhlUyM2LsnrMq/e0KOWzsKDVb92wzM49HTcOTrEouvSJf+xfzq/afKTijVf/e++PFiq/a QXu4N/xL8lNcujHc0yY1b0MX6wP3Tv7J62uKpoSKOOzLEDGq7zX//qpf/N3BRes4Dlm3Tdqw gJ1JS4mlOCPRUIu5qDgRAO/AXqOvAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/DwWHuPpQCwhgZrZhfrT2C4aMZx4>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Aug 2016 16:03:58 -0000

Hi Dave,

I agree with Ekr, and being able to use something pre-existing is the reason I asked the passport authors to consider JWT. If you think there is something better pre-existing, please say so, but if you want to do something from scratch I think we’d need some really good justification for that. I don’t agree with your earlier statements that JWT is complex, and there are tons of tools to test and verify JWTs.

In Berlin I did raise an issue on how STIR uses JWT in SIP (the encoded object is “split up”, and different pieces are placed in different SIP elements), but Jon promised to make sure it’s clarified and well explained in the next version of the bis draft, so I think we should give him a chance to do that.

Regards,

Christer

From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: 21 August 2016 18:37
To: Dave Crocker <dcrocker@bbiw.net>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)

Dave,

Whenever we want to add some cryptographic functionality to a protocol [0] (especially
when it's messaging/object security functionality) we have to ask whether it would be
better to define something new, specific to the protocol, and hopefully simple, or reuse
something pre-existing, generic, and presumably more complicated. In my experience,
the history of those who take the former approach is that we find ourselves reinventing
a bunch of stuff and that it's not as simple as we hoped [1][2]

Given the difficulty of correctly specifying and implementing this kind of functionality,
I'd far prefer to stick with a pre-existing component. It doesn't have to be JSON of course
(for instance, I have no opinion on if COSE would be better) but I would not be in favor
of defining something specific here.

-Ekr

[0] Or, I guess, in a bunch of other cases.
[1] Indeed, JOSE is in some respects an attempt to apply this treatment to CMS.
[2] Another example is the current HTTPBIS encryption spec, which has rather expanded
from its simple origins.


On Wed, Aug 3, 2016 at 1:25 PM, Dave Crocker <dhc@dcrocker.net<mailto:dhc@dcrocker.net>> wrote:
On 7/29/2016 2:11 PM, Dave Crocker wrote:
On 7/29/2016 10:46 AM, Peterson, Jon wrote:
I wouldn't say it's a correction to the STIR charter - the charter was
always clear that it was not limited to SIP (see the bits about "one or
more non-SIP hops" and "out-of-band mechanism" in the charter). But given
that our original signing mechanism was, as I said, a concatenation of
SIP
header field values, the intervention was that other protocols would need
something less bound to SIP. JWT turned out to be the solution that the
group had consensus to adopt.

JWT has nothing to do with SIP.  So when applied to a SIP context, it's
entirely artificial.  And yes, I noted the views that thought it simpler
or equivalent to the computed string, but could not see the explicit
logic that made JWT a better choice, no does it seem obvious to me.
Quite the contrary.

Note that during the wg session in Berlin there was /still/ question
about where to put the JWT information.


Folks,

I'm citing the above text, for discussing the concern I rasied about JWT/JSON use in Passport, because that was the first time I criticized it, which was several rounds of postings after I sent my review.  That is, it was /not/ part of my review.  I made a conscious choice to leave that concern out, although I already saw it as likely problematic.

On its face, yes it looks like a reasonable choice.  It's pre-existing technology and it looks clean.  The concerns develop in its application, not its concept.

Look for JSON and JWT in SIP.  You won't find it.  That means that it is an added layer of specification.  Or, in this case, specifications.  And since JSON and JWT are their own environments, that means there is a learning curve and other baggage to carry, before it is useful to SIP and STIR.

Even better is that even the STIR specification for SIP does not require using JWT or JSON.  Note that ppt is optional.  This adds to the view that, at best, JWT/JSON is really just an abstraction for STIR.

But in fact the fact that ppt is optional really means that the SIP STIR specification has added complexity, with very unclear benefit.

As for the underlying justification for the Passport model, references to broader applicability are always appealing, but lacking concrete specifications and clear, documented intentions of use -- including a clear explanation of the benefit to be gained by the abstraction -- they turn out mostly to be a distraction from the immediate concern, namely added complexity to the mainstream use.

Again: JSON/JWT adds a layer (or two) of mechanism that almost certainly is not needed and almost certainly adds problematic complexity to the specification, probably to the point of impeding reader comprehension.

As I've noted, the underlying task here is pretty straightforward:

   *  Define a mechanism for finding and validating a public key.

   *  Decide on scope and canonicalization of data to be signed. Define
      a signing mechanism.

   *  Define a validation mechanism.

   *  Decide how to deal with partial adoption

   *  Decide how to deal with broken signatures.


Maybe a little more than this, but not much.


d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net<http://bbiw.net>

_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email