Re: [stir] draft-ietf-stir-passport-rcd-04
Chris Wendt <chris-ietf@chriswendt.net> Mon, 09 September 2019 19:04 UTC
Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AE4E1200A4 for <stir@ietfa.amsl.com>; Mon, 9 Sep 2019 12:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NV4okyvgxLZz for <stir@ietfa.amsl.com>; Mon, 9 Sep 2019 12:04:47 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE6D6120020 for <stir@ietf.org>; Mon, 9 Sep 2019 12:04:46 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id g13so17076973qtj.4 for <stir@ietf.org>; Mon, 09 Sep 2019 12:04:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=gC5eS9CJQNAuqWeSpLprK/HJ+aTGywaxrjuFFzn8cEA=; b=u68zirLbaR85VX6a5/HTHYlIPgLlruoAAn30ddG2X+eSDPrHKZod4rwJ14Ii6Rl9/L 6ullMnGIaVhL8EuGe+q9Yd8QQ0v9t7rbmia3LTqyfa+GlVlmEZkBF2XUOwhx0AU5hlmP K3E+UEQh96QtkPoxe63ML/W6Yoa8pHpGnWo6jmiWpy/qEa1WCFLE6XdVgul1XxZZJXyt HIY0gPaM/qBnq0nCuC3rmesu3pJgHgBsU5eglQegFofd2eeE6cOYDhX7xApnfm9dEtjc 4lgrFQpG3NaqDdbNQdZ0EQ8NQwCUiC5q67VV4QX10sMw/SoGSiClx7Gd6Jtiaa4afJuJ M9WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=gC5eS9CJQNAuqWeSpLprK/HJ+aTGywaxrjuFFzn8cEA=; b=Gi7ziRAL9mlt0IOPPaODcrhiTsvWbrEJhuhCf8Sa6PBGh2hadrDE/iGMBqhkNVhDyX NB4aLyht4KgUDQnypafK+2yJ+iS0vmLsa6kIoE7f3JoP8xipvDmsroImw/LIcWyay5An faxyPcRq+XzaPQ6z6++fjMN42ShBf6dwfRy/6gZjuyXNFRZ43Am68yu/SD/yeY1RNVQ+ ZbW9bSSlKN8WPv/TdqQWcIk1YG0PRfmv6K/46S4KCKWoEqYu/8z5WTdZCTa2XcXJxdsd mYbHo8FQscynW5a33B97+e08ZMx+HiwB353l/cfOANabgqT71lUof9+GgK/okFTm8Hw5 wPTQ==
X-Gm-Message-State: APjAAAU0FnwqB5zml4sAfsoW+g58O0cawAV43a5P5t0Dcqg5cuc3Iqkf /Rgg0LlxpqwJZxOhrOyIxLQVBKm2vg0=
X-Google-Smtp-Source: APXvYqwoPfIk65umHv2LaSBLnTXun3a80yG7zPx7wd/4PAr/KHTgp1ygQN5sl4Nb6AnRjs6oIug9JQ==
X-Received: by 2002:ac8:2f81:: with SMTP id l1mr25004235qta.269.1568055885983; Mon, 09 Sep 2019 12:04:45 -0700 (PDT)
Received: from ?IPv6:2001:558:6009::7093:88bf:8b39:9be9? ([2001:558:6009:0:7093:88bf:8b39:9be9]) by smtp.gmail.com with ESMTPSA id s23sm8276475qte.72.2019.09.09.12.04.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 09 Sep 2019 12:04:45 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <66D86147-1823-433A-9316-1116834F438A@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CF390F6D-24F0-4864-8D24-4257556D469C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 09 Sep 2019 15:04:44 -0400
In-Reply-To: <EE8FEF3A-3752-4E22-8121-3AB59F4727CF@vigilsec.com>
Cc: IETF STIR Mail List <stir@ietf.org>
To: Russ Housley <housley@vigilsec.com>
References: <D0D57997-56AC-4E68-BC12-2CE07C52B711@nostrum.com> <0CCCD3F6-B0A5-4B0C-B563-2E85AC3E3B3A@nostrum.com> <549EB9C4-A4AA-4C8F-976A-FA3E442072C9@nostrum.com> <EE8FEF3A-3752-4E22-8121-3AB59F4727CF@vigilsec.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/UyXrrp7ZC_O0Hl1q2LHcP7f5Cn8>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-04
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 19:04:50 -0000
Hi Russ, I may have not included ordering of claim, but intended to or maybe assumed that default PASSporT serialization rules applied in either case, let me review again. I plan to provide a cleaned up version and go through Eric’s comments provided at last meeting hopefully by end of week and can updated that. -Chris > On Sep 9, 2019, at 2:45 PM, Russ Housley <housley@vigilsec.com> wrote: > > Based on Ben's recent questions, I read draft-ietf-stir-passport-rcd-04, and I am concerned about the integrity mechanism. > > First, as silly editorial comment. The example at the end of Section 4.1.1 is: > > "rcd": { "nam" : "James Bond", > "icon" : "https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>" > } > > Based on Section 3.2, I think this should be "icn". > > Now, my more substantive concern. > > What order must the claims appear? > > Consider this example: > > "rcd": { "nam" : "James Bond", > "icn" : "https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>", > "jcl" : "https://example.org/james_bond.jcard <https://example.org/james_bond.jcard>" > } > > This will produce an rcdi that contains the hash of: > > {"nam":"James Bond","icon":"https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>", "jcl":"https://example.org/james_bond.jcard <https://example.org/james_bond.jcard>"}; > BASE64(WGET(https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>));BASE64(WGET(https://example.org/james_bond.jcard <https://example.org/james_bond.jcard>)) > > On the other hand, this rcd: > > "rcd": { "nam" : "James Bond", > "jcl" : "https://example.org/james_bond.jcard <https://example.org/james_bond.jcard>", > "icn" : "https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>" > } > > This will produce an rcdi that contains the hash of: > > {"nam":"James Bond","icon":"https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>", "jcl":"https://example.org/james_bond.jcard <https://example.org/james_bond.jcard>"}; > BASE64(WGET(https://example.org/james_bond.jcard <https://example.org/james_bond.jcard>));BASE64(WGET(https://example.org/james_bond.jpg <https://example.org/james_bond.jpg>)) > > I think it would be cleaner if there were a specific ordering (maybe alphabetical by the claim key) to eliminate any possibility surprises. > > >>>> >>>> 1) Do I understand correctly that the certificate used to sign a PASSporT with an rcdi claim MUST include a constraint for the _value_ of the digest? That is, if someone makes any change to any of the information they would normally include in an rcd claim, the signing party must get a new cert? > > I think that Ben is talking about this text: > > 4.2. JWT Constraint for "rcdi" claim > > Once both the contents of the "rcd" claim is certified and the > construction of the "rcdi" claim is complete, the "rcdi" digest is > linked to the STIR certificate associated with the signature in the > PASSporT via JWT Constraints as defined in [RFC8226] Section 8. > > The certificate JWT Constraint MUST include both of the following: > > o a "mustInclude" for the "rcd" claim > > o a "mustInclude" for the "rcdi" claim and a "permittedValues" equal > to the created "rcdi" claim value string. > > The "permittedValues" part of the last bullet seems like overkill. I like the a "mustInclude" for the "rcdi" claim, but signing over the digest as computed in Section 4.1.1 should eliminate any surprises. Putting those have values into the certificate seems like the lifespan of the certificate will be greatly reduced. > > Russ > > _______________________________________________ > stir mailing list > stir@ietf.org > https://www.ietf.org/mailman/listinfo/stir
![Bond","icon":"https://example.org/james_bond.jpg](http://Bond","icon":"https://example.org/james_bond.jpg){kind=link}
- [stir] Questions on the draft-ietf-stir-passport-… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- [stir] draft-ietf-stir-passport-rcd-04 Russ Housley
- Re: [stir] Questions on the draft-ietf-stir-passp… Chris Wendt
- Re: [stir] draft-ietf-stir-passport-rcd-04 Chris Wendt
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Peterson, Jon
- Re: [stir] Questions on the draft-ietf-stir-passp… Ben Campbell
- Re: [stir] Questions on the draft-ietf-stir-passp… Chris Wendt
- Re: [stir] Questions on the draft-ietf-stir-passp… Eric Burger