Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Christer Holmberg <christer.holmberg@ericsson.com> Tue, 23 August 2016 11:58 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D02012D937 for <stir@ietfa.amsl.com>; Tue, 23 Aug 2016 04:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JMHJo_RZ2flV for <stir@ietfa.amsl.com>; Tue, 23 Aug 2016 04:58:48 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C686012D93B for <stir@ietf.org>; Tue, 23 Aug 2016 04:58:47 -0700 (PDT)
X-AuditID: c1b4fb25-ca31e98000001071-d6-57bc3a75026b
Received: from ESESSHC007.ericsson.se (Unknown_Domain [153.88.183.39]) by (Symantec Mail Security) with SMTP id FD.38.04209.57A3CB75; Tue, 23 Aug 2016 13:58:46 +0200 (CEST)
Received: from ESESSMB209.ericsson.se ([169.254.9.179]) by ESESSHC007.ericsson.se ([153.88.183.39]) with mapi id 14.03.0301.000; Tue, 23 Aug 2016 13:58:36 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "dcrocker@bbiw.net" <dcrocker@bbiw.net>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Thread-Index: AQHR/JI0ubFrdbKggkCO9F2iW0BZU6BWhCyA
Date: Tue, 23 Aug 2016 11:58:36 +0000
Message-ID: <D3E21244.D708%christer.holmberg@ericsson.com>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net> <CABcZeBNQgsjDOrW2k4WOucTVXSMHjEUjKgGkhYT119Z3yoUv1g@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B4BC29AD9@ESESSMB209.ericsson.se> <72ca2036-610e-2226-ed4f-34efbf0e9552@dcrocker.net>
In-Reply-To: <72ca2036-610e-2226-ed4f-34efbf0e9552@dcrocker.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.5.160527
x-originating-ip: [153.88.183.17]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <43CC03A14B31A347BA3F632E3C6AD5E3@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBIsWRmVeSWpSXmKPExsUyM2K7um6Z1Z5wg9ebGC1+f/rAZrHi9Tl2 i+VrtzE5MHtc2nmSzWPJkp9MHpMftzEHMEdx2aSk5mSWpRbp2yVwZTyYdo294IFGxbnv35ga GFcrdDFyckgImEhcnX2AsYuRi0NIYD2jxLZ5D9ggnCWMEn8mNDN3MXJwsAlYSHT/0wZpEBHw lNjTcoEVxGYWUJd48egNO4gtLBAo0XPhLwtETZDEyRcv2SFsI4np0xrBbBYBVYlHmw8wgYzk FbCSeP61CiQsJPCHWWL5m0oQm1PAQeLNrRVgYxgFxCS+n1rDBLFKXOLWk/lMEDcLSCzZc54Z whaVePn4H9g5ogJ6Et+/zga7WEJAUWJ5vxxEq57EjalT2CBsa4kp33dAXa8tsWzha7AxvAKC EidnPmGZwCg+C8m2WUjaZyFpn4WkfRaS9gWMrKsYRYtTi5Ny042M9VKLMpOLi/Pz9PJSSzYx AuPv4JbfqjsYL79xPMQowMGoxMO7wHZ3uBBrYllxZe4hRgkOZiURXnPLPeFCvCmJlVWpRfnx RaU5qcWHGKU5WJTEef1fKoYLCaQnlqRmp6YWpBbBZJk4OKUaGG22lV7/5qzHK7a16e87iwab Us/fK9bGdQfIvGM6bewirhrV3fb2rp6XwcZJd861TxPhjxFJeuLkVpTulf2ns9HN/YYM874o sZrzkaeXb+dNXvKu99rBtf8uBbIvTM+LObN7K/vzHd/Nl17S7AplS2dtnBJkLVhjKmB//tjx 0lrdSYfSJ+ctUmIpzkg01GIuKk4EAPerrnm7AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/OOhO769k2fbBL61YbEpNCcBQ5Ys>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 11:58:50 -0000
Hi, >>I agree with Ekr, and being able to use something pre-existing is the >> reason I asked the passport authors to consider JWT. If you think there >> is something better pre-existing, please say so, but if you want to do >> something from scratch I think we¹d need some really good justification >> for that. I don¹t agree with your earlier statements that JWT is >> complex, and there are tons of tools to test and verify JWTs. > > >Christer, > >Just to be thorough, I'll repeat that I agree with the goal of using >existing solutions, where they represent a high-enough point of >departure (if they aren't a perfect match), preferably with enough track >record to establish efficacy. > >And I'll repeat that my view of the passport draft did not criticize the >use of JWT. (By the way, is it only JWT or is it actually JOSE, and if >it isn't why not?) It¹s actually JWS (JOSE is the name of the generic framework). It¹s probably something we should fix too. >It's not that I didn't question the use, it's that I didn't indulge in >that questioning at that point. This came later, as I watched the >documentation efforts to integrate use of JWT. > > > > In Berlin I did raise an issue on how STIR uses JWT in SIP (the encoded > > object is ³split up², and different pieces are placed in different SIP > > elements), but Jon promised to make sure it¹s clarified and well > > explained in the next version of the bis draft, so I think we should > > give him a chance to do that. > >There are at least two major problems here. > >The technical one is that the current approach requires doing encoding >and packaging twice, from what I can tell. Once in a JSON context and >the second in a SIP header context. By itself, that should be worrying. >That the latter hasn't been fully documented and agreed to, yet, raises >a question about how anyone thought the documents were ready for last >call. The latter is the exact issue I raised, and it must be well documented (together with examples) how it¹s done. However, once you done the JSON encoding, I don¹t think you need to do further ³encoding² (no need to escape characters etc). The idea (afaik) is to split the encoded string into different pieces, and place those in different SIP header field/parameters. But, HOW that split is done, and how the string is re-generated on the receiving side, must be clarified. >The other major problem is that the introduction of JSON/JWT has >produced levels of indirection in the documentation that made it >essentially impossible for me to understand and analyze the >specification details. And I tried pretty hard. So this does not bode >well for other new readers of the specifications. (More generally, the >documents make cross-references and indulge in cross-dependencies that >defeat the benefits of modularity and create really serious reading >complexity.) Assuming PASSPorT is supposed to be something generic, I think we should avoid normative references to the draft-bis from PASSPorT. (draft-bis draft obviously have to normatively reference PASSPorT.) As I have zero knowledge of DKIM, I¹ll let others discuss its¹ applicability to STIR, and whether it¹s better/worse than what we currently have. But, in general, I don¹t think WGLC is too late for a beauty contest. Regards, Christer >And now, yes, I'll indulge in the dreaded "DKIM" reference... > >DKIM is another existing mechanism that provides exactly the needed >functionality, with more than 10 years of field experience (counting the >predecessor Yahoo's Domainkeys) and a relatively simple design. > >As I've noted before, the list of 'topics' for the STIR work is not >long. I'll do an abbreviated listing here: > > 1. Calling value acquisition -- getting the string to validate > > 2. Key management --getting the key and validating that it is > authorized for use with the calling value. > > 3. A bunch of crypto-related computation -- including > canonicalization of the data of course > > 4. Packaging the result -- for use by the validation mechanism. > >Step 1 is not part of the crypto work, but it is of course fundamental, >as well as being specific to STIR. The crypto subsystem just uses it as >input. The choice of JSON/JWT, DKIM, or whatever is irrelevant to this >step. > >Step 2: > > a) For non-telephone URIs, DKIM's DNS model can be used directly. > > b) I'm unclear about the role of the domain name in the URIs that >have a phone number in the left-hand side. In any event, as I've noted >repeatedly, number-based key management is an open issue, with >demonstrated high risk, given that the previous effort failed. > >Step 3 can use DKIM almost directly. > >Step 4 can use DKIM almost directly. > > >So the DKIM approach is dramatically simpler and offers by far the >highest point of departure for STIR. > >In particular, the hard parts of doing STIR aren't solved by this choice >-- JSON/JWT don't help either. > >d/ >-- > > Dave Crocker > Brandenburg InternetWorking > bbiw.net
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… DOLLY, MARTIN C
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- [stir] Setting Direction for the STIR WG Last Call Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Richard Shockey
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Paul Kyzivat
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- [stir] JWT/JSON (was - Re: Review of: draft-ietf-… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Victor Pascual
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Burger
- [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Michael Hammer
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Alex Bobotek
- Re: [stir] Review of: draft-ietf-stir-passport-05 Stephen Farrell
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt