Re: [stir] Benjamin Kaduk's Discuss on draft-ietf-stir-enhance-rfc8226-03: (with DISCUSS and COMMENT)

"Peterson, Jon" <jon.peterson@team.neustar> Wed, 30 June 2021 15:37 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Date: Wed, 30 Jun 2021 15:37:17 +0000
Message-ID: <3BC0966B-BA80-43FD-9893-30C9D64AB8AB@team.neustar>
In-Reply-To: <62E5EAE7-5A33-4C8E-A17D-BD0CC25AE97F@vigilsec.com>
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/RmbB_JK0xqLyNH6uVn2J_U9hgyQ>

I don't know that enhanced constraints need to be coupled that tightly to delegation. When delegation gets approved in the SHAKEN ecosystem (I wouldn't venture when exactly that will be), it would certainly make sense for SHAKEN specs to point to the enhanced constraints, but I'm not sure there's something we need to close in the IETF to make that possible. I think your Section 6 text looks fine. I guess I can also imagine non-delegation cases that could use enhanced constraints in the future as well, so I wouldn't necessarily want to make them so intertwined.

Jon Peterson
Neustar, Inc.

On 6/29/21, 2:34 PM, "stir on behalf of Russ Housley" <stir-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

    Based on the comments from Ben Kaduk, I drafted the below guidance to CAs.
    
    > 6.  Guidance to Certification Authorities
    > 
    >  The EnhancedJWTClaimConstraints extension specified in this document
    >  and the JWTClaimConstraints extension specified in [RFC8226] MUST NOT
    >  both appear in the same certificate.
    > 
    >  If the situation calls for mustExclude constraints, then the
    >  EnhancedJWTClaimConstraints extension is the only extension that can
    >  express the constraints.
    > 
    >  On the other hand, if the situation does not call for mustExclude
    >  constraints, then either the EnhancedJWTClaimConstraints extension or
    >  the JWTClaimConstraints extension can express the constraints.  Until
    >  such time as the EnhancedJWTClaimConstraints become widely
    >  implemented, the use of the JWTClaimConstraints extension may be more
    >  likely to be implemented.  This guess is based on the presumption
    >  that the first specified extension will be implemented more widely in
    >  the next few years.
    
    
    The delegated certs activities led to this document in the first place, so it seems appropriate to ask when people think that delegate certificates will be implemented?  Will a future version of the delegated certificates document mandate the implementation of the EnhancedJWTClaimConstraints extension?  Do the answers to these questions offer any better guidance than the above?
    
    Russ
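As an added illustration (not code from this thread, the draft, or the STIR working group), the Python below models the Section 6 guidance quoted in Russ's message: a certificate carries at most one of the two claim-constraints extensions, a constraint set that needs mustExclude can only be expressed by EnhancedJWTClaimConstraints, and a verifier checks a decoded PASSporT claim set against mustInclude, permittedValues and mustExclude. The extension OIDs are assumed from RFC 8226 and RFC 9118 (id-pe 27 and id-pe 30) and should be confirmed against those documents; the claim names and values in the demo are constructed.

```python
"""Model of the CA guidance on JWTClaimConstraints vs. EnhancedJWTClaimConstraints.

Added illustration, not code from the draft or the working group.
OID values are assumed from RFC 8226 / RFC 9118 (id-pe 27 and id-pe 30).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

OID_JWT_CLAIM_CONSTRAINTS = "1.3.6.1.5.5.7.1.27"           # assumed: RFC 8226 id-pe 27
OID_ENHANCED_JWT_CLAIM_CONSTRAINTS = "1.3.6.1.5.5.7.1.30"  # assumed: RFC 9118 id-pe 30


@dataclass
class ClaimConstraints:
    """Constraint set a CA wants to place in a certificate.

    mustInclude and permittedValues exist in both extensions;
    mustExclude is only available in EnhancedJWTClaimConstraints.
    """
    must_include: List[str] = field(default_factory=list)
    permitted_values: Dict[str, List[str]] = field(default_factory=dict)
    must_exclude: List[str] = field(default_factory=list)


def usable_extensions(constraints: ClaimConstraints) -> List[str]:
    """Return the extension OID(s) able to express these constraints (the Section 6 rule)."""
    if constraints.must_exclude:
        return [OID_ENHANCED_JWT_CLAIM_CONSTRAINTS]
    return [OID_JWT_CLAIM_CONSTRAINTS, OID_ENHANCED_JWT_CLAIM_CONSTRAINTS]


def issuance_problems(extension_oids: Sequence[str]) -> List[str]:
    """Pre-issuance lint: the two extensions MUST NOT both appear in one certificate."""
    present = set(extension_oids)
    problems: List[str] = []
    if {OID_JWT_CLAIM_CONSTRAINTS, OID_ENHANCED_JWT_CLAIM_CONSTRAINTS} <= present:
        problems.append("both JWTClaimConstraints and EnhancedJWTClaimConstraints present")
    return problems


def passport_satisfies(constraints: ClaimConstraints,
                       claims: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Verifier-side check of a decoded PASSporT claim set against the certificate's constraints.

    mustInclude: the claim must be present.
    permittedValues: if the claim is present, its value must be one of the listed values.
    mustExclude: the claim must be absent.
    """
    reasons: List[str] = []
    for name in constraints.must_include:
        if name not in claims:
            reasons.append(f"missing required claim {name!r}")
    for name, allowed in constraints.permitted_values.items():
        if name in claims and claims[name] not in allowed:
            reasons.append(f"claim {name!r} has value {claims[name]!r} not in permitted set")
    for name in constraints.must_exclude:
        if name in claims:
            reasons.append(f"claim {name!r} present but excluded by certificate")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed demo: a CA that wants to forbid the 'origid' claim and pin 'attest' to "A".
    wanted = ClaimConstraints(must_include=["attest"],
                              permitted_values={"attest": ["A"]},
                              must_exclude=["origid"])
    print("extensions able to express constraints:", usable_extensions(wanted))
    print("lint of a cert with both extensions:",
          issuance_problems([OID_JWT_CLAIM_CONSTRAINTS, OID_ENHANCED_JWT_CLAIM_CONSTRAINTS]))
    good = {"attest": "A", "iat": 1625067437}          # constructed claim set
    bad = {"attest": "B", "origid": "constructed-id"}  # constructed claim set
    print("good PASSporT:", passport_satisfies(wanted, good))
    print("bad PASSporT:", passport_satisfies(wanted, bad))
```

The point of keeping the two checks separate is that they sit at different trust boundaries: `issuance_problems` belongs in the CA's pre-issuance linting, while `passport_satisfies` is what a verification service runs after it has parsed whichever constraints extension the certificate actually carries.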