[stir] [Errata Held for Document Update] RFC8225 (5392)
RFC Errata System <rfc-editor@rfc-editor.org> Fri, 15 November 2024 20:29 UTC
To: tasveren@rbbn.com, chris-ietf@chriswendt.net, jon.peterson@neustar.biz
CC: orie@transmute.industries, iesg@ietf.org, stir@ietf.org, rfc-editor@rfc-editor.org
Subject: [stir] [Errata Held for Document Update] RFC8225 (5392)
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Jw4JXM67RMoGSv2OKTWX-L4MgZc>
The following errata report has been held for document update for RFC8225, "PASSporT: Personal Assertion Token".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5392

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Invalid "iat" content <tasveren@rbbn.com>
Date Reported: 2018-06-14
Held by: Orie Steele (IESG)

Section: 5.1.1

Original Text
-------------
The JSON claim MUST include the "iat" (Issued At) claim ([RFC7519], Section 4.1.6). As defined, the "iat" claim should be set to the date and time of issuance of the JWT and MUST indicate the date and time of the origination of the personal communications. The time value should be of the NumericDate format as defined in [RFC7519], Section 2. This is included for securing the token against replay and cut-and-paste attacks, as explained further in Section 10 ("Security Considerations").

Corrected Text
--------------
The JSON claim MUST include the "iat" (Issued At) claim ([RFC7519], Section 4.1.6). As defined, the "iat" claim should be set to the date and time of issuance of the JWT. The time value should be of the NumericDate format as defined in [RFC7519], Section 2. This is included for securing the token against replay and cut-and-paste attacks, as explained further in Section 10 ("Security Considerations").

Notes
-----
It is mentioned that "iat" should be set based on issuance of the JWT (which would be when the PASSporT is constructed). OTOH, it is also stated that it MUST indicate the date and time of the origination of the personal communication. The former seems to be the right approach, as what we would like to protect against cut-and-paste attacks is the PASSporT in the context of a particular communication session. The times for these two events are not necessarily the same/close enough to be considered the same.

RFC7519 JSON Web Token (JWT), Section 4.1.6, "iat" (Issued At) Claim:

   The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

This text clearly states that "iat" is for the generation time of the JWS.

--------------------------------------
RFC8225 (draft-ietf-stir-passport-11)
--------------------------------------
Title               : PASSporT: Personal Assertion Token
Publication Date    : February 2018
Author(s)           : C. Wendt, J. Peterson
Category            : PROPOSED STANDARD
Source              : Secure Telephone Identity Revisited
Stream              : IETF
Verifying Party     : IESG
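As an added illustration of the point the report turns on (example code, not from the RFC or the reporter): a verifier-side check on the "iat" claim of a PASSporT that parses the compact JWS payload and rejects a token whose issuance time is missing, not a NumericDate, stale, or in the future, which is the replay and cut-and-paste protection the claim exists for. The 60-second window, 5-second clock skew, x5u URL and telephone numbers are assumed sample values, and no signature is produced or checked here.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Assumed policy values for this example; a real verification service takes
# the freshness window and tolerated skew from its own configuration.
MAX_TOKEN_AGE = 60   # seconds a PASSporT stays acceptable after issuance
MAX_CLOCK_SKEW = 5   # seconds of future drift tolerated between signer and verifier


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_passport(orig_tn: str, dest_tn: str, iat) -> str:
    """Build the header.payload part of a PASSporT (constructed sample, unsigned).
    Signature checking is out of scope here; the "iat" check runs after it."""
    header = {"typ": "passport", "alg": "ES256", "x5u": "https://cert.example/placeholder.pem"}
    payload = {"orig": {"tn": orig_tn}, "dest": {"tn": [dest_tn]}, "iat": iat}
    segments = [json.dumps(part, separators=(",", ":")).encode() for part in (header, payload)]
    return ".".join(b64url_encode(seg) for seg in segments)


def check_iat(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate the "iat" claim: present, a NumericDate, and fresh.
    Returns (accepted, reason). A stale or future-dated token is refused so a
    captured PASSporT cannot be pasted into a later, unrelated call."""
    now = time.time() if now is None else now
    try:
        payload = json.loads(b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError) as exc:
        return False, f"malformed token: {exc}"
    iat = payload.get("iat")
    # NumericDate (RFC 7519, Section 2) is a JSON number of seconds since the
    # epoch; strings are rejected, and so is bool, which subclasses int in Python.
    if iat is None:
        return False, "missing iat"
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        return False, "iat is not a NumericDate"
    if iat > now + MAX_CLOCK_SKEW:
        return False, "iat is in the future"
    if now - iat > MAX_TOKEN_AGE:
        return False, "iat too old (possible replay)"
    return True, "fresh"
```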