Re: [stir] draft-housley-stir-enhance-rfc8226-00

"Peterson, Jon" <jon.peterson@team.neustar> Mon, 25 January 2021 16:04 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Date: Mon, 25 Jan 2021 16:04:50 +0000
Message-ID: <806C9887-FAAC-4EDF-ADFB-A8B65AF41739@team.neustar>
References: <161126455434.3362.14572023954174036871@ietfa.amsl.com> <6515CC12-1A12-4524-9EB9-5C46D01855CF@vigilsec.com>
In-Reply-To: <6515CC12-1A12-4524-9EB9-5C46D01855CF@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/WZJtC7OkIF7TGxT8OGuHmpbfN0g>
Subject: Re: [stir] draft-housley-stir-enhance-rfc8226-00
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

I think this is a helpful and pretty simple patch – can we get a call for adoption?

Jon Peterson
Neustar, Inc.

From: stir <stir-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
Date: Thursday, January 21, 2021 at 1:32 PM
To: IETF STIR Mail List <stir@ietf.org>
Subject: [stir] draft-housley-stir-enhance-rfc8226-00

Please review and comment. Chris Wendt has found some use cases where the JWT Claims Constraints in RFC 8226 are not adequate. This I-D proposes an enhancement to make the constraints more rich.

Russ



From: internet-drafts@ietf.org
Subject: New Version Notification for draft-housley-stir-enhance-rfc8226-00.txt
Date: January 21, 2021 at 4:29:14 PM EST
To: "Russ Housley" <housley@vigilsec.com>


A new version of I-D, draft-housley-stir-enhance-rfc8226-00.txt
has been successfully submitted by Russ Housley and posted to the
IETF repository.

Name: draft-housley-stir-enhance-rfc8226
Revision: 00
Title: Enhanced JWT Claim Constraints for STIR Certificates
Document date: 2021-01-21
Group: Individual Submission
Pages: 8
URL:            https://www.ietf.org/archive/id/draft-housley-stir-enhance-rfc8226-00.txt
Status:         https://datatracker.ietf.org/doc/draft-housley-stir-enhance-rfc8226/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-stir-enhance-rfc8226
Htmlized:       https://tools.ietf.org/html/draft-housley-stir-enhance-rfc8226-00


Abstract:
  RFC 8226 provides a certificate extension to constrain the JWT claims
  that can be included in the PASSporT as defined in RFC 8225.  If the
  signer includes a JWT claim outside the constraint boundaries, then
  the recipient will reject the entire PASSporT.  This document defines
  additional ways that the JWT claims can be constrained.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
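The verifier-side check that the draft's abstract describes, as an added example that is not part of this message, of the draft, or of RFC 8226's own text: the certificate's JWTClaimConstraints (mustInclude and permittedValues, as RFC 8226 defines them) are applied to the decoded PASSporT claims, and any violation rejects the whole PASSporT rather than just the offending claim. Assumptions not on the page: the constraints are taken as already decoded from the certificate extension into a Python dict rather than parsed from DER, signature verification is assumed to have happened elsewhere, and the "attest" claim, its permitted values, the telephone numbers and the x5u URL are constructed for illustration.

```python
"""Enforcing RFC 8226 JWT Claim Constraints on a PASSporT (added example).

Assumptions: constraints arrive already decoded from the certificate's
JWTClaimConstraints extension as a dict; the PASSporT signature has been
verified against that same certificate before this check runs.
"""
import base64
import json


class PassportRejected(Exception):
    """The PASSporT falls outside the certificate's claim constraints."""


# RFC 8225 claims present in every PASSporT; a certificate never needs to
# list them in mustInclude, but their absence is still a rejection.
BASELINE_CLAIMS = {"iat", "orig", "dest"}


def check_claim_constraints(claims, constraints):
    """Apply JWTClaimConstraints to a decoded PASSporT payload.

    constraints keys (both optional, mirroring RFC 8226):
      "mustInclude":     claim names that MUST be present
      "permittedValues": {claim name: list of values it MAY hold, if present}
    Raises PassportRejected on the first violation; the verifier does not
    strip the offending claim and accept the remainder.
    """
    missing = BASELINE_CLAIMS - set(claims)
    if missing:
        raise PassportRejected(f"missing baseline claim(s): {sorted(missing)}")

    for name in constraints.get("mustInclude", []):
        if name not in claims:
            raise PassportRejected(f"required claim '{name}' is absent")

    for name, permitted in constraints.get("permittedValues", {}).items():
        if name in claims and claims[name] not in permitted:
            raise PassportRejected(
                f"claim '{name}' has value {claims[name]!r}; "
                f"permitted values are {permitted}"
            )
    return True


def decode_passport_claims(passport):
    """Return the claims dict from a compact-serialized PASSporT (header.payload.sig)."""
    parts = passport.split(".")
    if len(parts) != 3:
        raise PassportRejected("PASSporT is not in compact JWS form")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def verdict(passport, constraints):
    """Return (accepted, reason) instead of raising; handy for verifier logs."""
    try:
        check_claim_constraints(decode_passport_claims(passport), constraints)
        return True, "ok"
    except PassportRejected as err:
        return False, str(err)


def build_passport(claims):
    """Constructed, unsigned PASSporT for demonstration only.

    The signature segment is a placeholder; real PASSporTs are ES256-signed.
    """
    header = {"alg": "ES256", "typ": "passport", "x5u": "https://cert.example/sp.pem"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}.placeholder"


# Constructed constraints, as if decoded from the signing certificate: the
# signer must include "attest" (a SHAKEN claim, assumed here) and may only
# attest at level A or B.
CONSTRAINTS = {
    "mustInclude": ["attest"],
    "permittedValues": {"attest": ["A", "B"]},
}

# Constructed sample claims.
GOOD_CLAIMS = {
    "iat": 1611260000,
    "orig": {"tn": "12155551212"},
    "dest": {"tn": ["12155551213"]},
    "attest": "B",
    "origid": "8a7c1d2e-0000-4000-8000-000000000000",
}

if __name__ == "__main__":
    print(verdict(build_passport(GOOD_CLAIMS), CONSTRAINTS))
    print(verdict(build_passport({**GOOD_CLAIMS, "attest": "C"}), CONSTRAINTS))
```

The rejection on a claim value outside permittedValues is the behaviour the abstract refers to: with "attest" constrained to A or B, a PASSporT asserting "C" is refused in full, as is one that omits a mustInclude claim, even though every other claim in it is fine.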