Re: [stir] Zaheduzzaman Sarker's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT)

Russ Housley <housley@vigilsec.com> Tue, 29 June 2021 13:31 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <162496215867.20192.7105141425724752003@ietfa.amsl.com>
Date: Tue, 29 Jun 2021 09:30:59 -0400
Cc: IESG <iesg@ietf.org>, IETF STIR Mail List <stir@ietf.org>, Robert Sparks <rjsparks@nostrum.com>, Ben Campbell <ben@nostrum.com>
Message-Id: <2D0C3C62-A211-4349-9B2F-6F0A3A0DB04B@vigilsec.com>
References: <162496215867.20192.7105141425724752003@ietfa.amsl.com>
To: Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/J6DWgOzgwvya_hCpiAcRvvPwDOM>
Subject: Re: [stir] Zaheduzzaman Sarker's No Objection on draft-ietf-stir-enhance-rfc8226-03: (with COMMENT)

Zaheduzzaman:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for the effort here.
> 
> I have one single comment or clarification question -
> 
> * Section 4:
>   If a CA issues a certificate to an authentication service that
>      includes an Enhanced JWT Claim Constraints certificate extension
>      that contains the permittedValues JWTClaimName "confidence" and a
>      permitted "high" value, then a verification service will treat as
>      invalid any PASSporT it receives with a PASSporT "confidence"
>      claim with a value other than "high".  However, a verification
>      service will not treat as invalid a PASSporT it receives without a
>      PASSporT "confidence" claim at all.
> 
>   Please clarify why a PASSporT is not invalid as described in the last
>   sentence of the above bullet. I think it is supposed to be clear from the
>   preceding section; however, it is not (at least to me).
I think numbered item 2 in Section 3 explains this correctly:

   2.  permittedValues indicates that if the claim name is present, the
       claim MUST exactly match one of the listed values.

Therefore, if the claim is not present in the PASSporT, then the constraint is satisfied.

Russ
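The permittedValues rule discussed in this thread, as an added worked example (not code from the draft, the STIR working group, or either correspondent). It assumes the verification service has already decoded the Enhanced JWT Claim Constraints extension from the authentication service's certificate into a plain Python dict, and that the PASSporT's JWS signature has already been verified against that certificate; only the claim-constraint step is shown. The PASSporT claim sets, the `make_passport` helper, and its placeholder signature are constructed for the example.

```python
import base64
import json

# Constraint as the verification service would hold it after decoding the
# certificate extension: permittedValues for the claim name "confidence"
# lists a single permitted value, "high". (Constructed; the ASN.1 decoding
# of the extension itself is not shown.)
PERMITTED_VALUES = {"confidence": ["high"]}

# Constructed SHAKEN-style PASSporT claims without any "confidence" claim.
BASE_CLAIMS = {
    "attest": "A",
    "dest": {"tn": ["12155551213"]},
    "iat": 1443208345,
    "orig": {"tn": "12155551212"},
    "origid": "example-origid-0001",
}


def passport_claims(token: str) -> dict:
    """Return the claims (payload) of a compact-serialised PASSporT.

    Only the payload is decoded. The caller is assumed to have verified the
    JWS signature before any claim constraint is evaluated; a constraint
    check on an unverified token proves nothing.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have three base64url segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_permitted_values(claims: dict, permitted: dict) -> tuple:
    """Apply Section 3, item 2: permittedValues.

    For each constrained claim name: if the claim is absent from the
    PASSporT, the constraint is satisfied; if it is present, its value MUST
    exactly match one of the listed values or the PASSporT is invalid.
    Returns (is_valid, reason).
    """
    for name, allowed in permitted.items():
        if name not in claims:
            continue  # absent claim: constraint satisfied (the case asked about)
        value = claims[name]
        if not isinstance(value, str) or value not in allowed:
            return False, f'claim "{name}" has value {value!r}; permitted: {allowed}'
    return True, "all permittedValues constraints satisfied"


def make_passport(claims: dict) -> str:
    """Build an unsigned, PASSporT-shaped compact token for the examples.

    Constructed input only: the signature segment is a placeholder, so the
    result is not a valid PASSporT and must never be accepted by a verifier.
    """
    def b64u(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken"}
    return f"{b64u(header)}.{b64u(claims)}.PLACEHOLDER-SIGNATURE"


def verdict(token: str, permitted: dict = PERMITTED_VALUES) -> bool:
    """Convenience wrapper: True if the token's claims satisfy permittedValues."""
    return check_permitted_values(passport_claims(token), permitted)[0]


if __name__ == "__main__":
    cases = {
        "no confidence claim": BASE_CLAIMS,
        "confidence=high": {**BASE_CLAIMS, "confidence": "high"},
        "confidence=low": {**BASE_CLAIMS, "confidence": "low"},
    }
    for label, claims in cases.items():
        ok, reason = check_permitted_values(claims, PERMITTED_VALUES)
        print(f"{label:22s} -> {'valid' if ok else 'INVALID'}: {reason}")
```

Running the module shows the three outcomes the thread discusses: a PASSporT with no "confidence" claim is accepted, one carrying "high" is accepted, and one carrying any other value is rejected. The `continue` on an absent claim is the whole answer to the clarification question; a mustInclude-style requirement, if a deployment needed it, would be a separate constraint rather than a change to permittedValues.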