Re: [stir] A few comments on the PASSporT Document

Robert Sparks <rjsparks@nostrum.com> Fri, 22 April 2016 02:42 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DEAC12E9CE for <stir@ietfa.amsl.com>; Thu, 21 Apr 2016 19:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.895
X-Spam-Level:
X-Spam-Status: No, score=-2.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p6Cr9Kwi0mKU for <stir@ietfa.amsl.com>; Thu, 21 Apr 2016 19:42:03 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 643C012E9CC for <stir@ietf.org>; Thu, 21 Apr 2016 19:42:03 -0700 (PDT)
Received: from unnumerable.local ([173.57.167.89]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id u3M2g1Tp098525 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=OK) for <stir@ietf.org>; Thu, 21 Apr 2016 21:42:02 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host [173.57.167.89] claimed to be unnumerable.local
To: stir@ietf.org
References: <9D68E244-1E03-4FF1-8343-F661FF3D629D@vigilsec.com> <D33E61AD.187813%jon.peterson@neustar.biz> <84B51A25-EBF9-48EA-8BFF-4D76647715CB@vigilsec.com> <6C7F922E-3472-423D-B430-AA87B36C239F@chriswendt.net> <8868AD90-74D6-4356-B540-816CB068BEDC@shockey.us>
From: Robert Sparks <rjsparks@nostrum.com>
Message-ID: <57198F7A.90405@nostrum.com>
Date: Thu, 21 Apr 2016 21:42:02 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <8868AD90-74D6-4356-B540-816CB068BEDC@shockey.us>
Content-Type: multipart/alternative; boundary="------------070009090806070600040307"
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/ZGOvyJnCX5WN5-cFrLF3FJOAJl4>
Subject: Re: [stir] A few comments on the PASSporT Document
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2016 02:42:05 -0000

Of course.

As I noted in the meeting at IETF95, I will produce some in the next 
month or so. I'm expecting implementations to produce even more.

That said, the text is there now, and the list conversation has been 
pretty clear about what's still in motion. I hope nobody is waiting on 
examples before commenting or beginning implementation.

RjS

On 4/21/16 8:21 PM, Richard Shockey wrote:
>
> And please more examples.  The vendor community is begining  to ask 
> serious questions about time tables and roadmaps.  The commitment to 
> deploy is very real.
>
> Where does this actually show up in the headers. What does or should 
> it look like?
>
> How this might show up on UA’s is another issue but totally out of 
> scope for this WG now and in the future.
>
> —
> Richard Shockey
> Shockey Consulting LLC
> Chairman of the Board SIP Forum
> www.shockey.us
> www.sipforum.org
> richard<at>shockey.us
> Skype-Linkedin-Facebook rshockey101
> PSTN +1 703-593-2683
>
>
> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> on 
> behalf of Chris Wendt <chris-ietf@chriswendt.net 
> <mailto:chris-ietf@chriswendt.net>>
> Date: Thursday, April 21, 2016 at 8:56 PM
> To: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Cc: IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>, Jon 
> Peterson <jon.peterson@neustar.biz <mailto:jon.peterson@neustar.biz>>
> Subject: Re: [stir] A few comments on the PASSporT Document
>
>
>> On Apr 21, 2016, at 4:26 PM, Russ Housley <housley@vigilsec.com 
>> <mailto:housley@vigilsec.com>> wrote:
>>
>> Jon:
>>
>>> Thanks for these notes Russ.
>>>
>>>> I needed to chase a bunch of references to figure out what really 
>>>> goes in
>>>> the iat claim.  This leads me to two comments.
>>>>
>>>> (1)  Let¹s help the reader and tell them that the iat claim contains a
>>>> JSON numeric value representing the number of seconds from 1970-01-01
>>>> 00:00:00 UTC.
>>>
>>> Sounds good to me. That claim is defined in baseline JWS/JWT, but agreed
>>> it would be helpful to informationally reiterate its syntax in the
>>> PASSporT spec.
>>
>> Thanks.
>
> Agree.
>
>>
>>>> (2) The iat claim carries the time that the token was issued. 
>>>>  Section 7
>>>> tells that the token should be handled in a "reasonable for clock drift
>>>> and transmission time.²  This makes sense, but neither Section 3.2.1.1
>>>> nor Section 7 tells what ought to happen if it is determined to be 
>>>> stale.
>>>
>>> This is where the hand-off between RFC4474bis and PASSporT can be murky.
>>> The behavior for SIP as a using protocol of PASSporT with regards to the
>>> freshness of Date/iat is given in RFC4474bis. Other using protocols 
>>> might
>>> want to use other means to ascertain freshness; SIP behavior really 
>>> comes
>>> down to comparing iat with the Date header, and we don't want that
>>> using-protocol-specific language to be in PASSporT.
>>>
>>> I can also imagine PASSporT tokens being evaluated historically, rather
>>> than in real time, and the determination of "freshness" for those 
>>> purposes
>>> might be different, or even just irrelevant.
>>>
>>> What we can say about iat in PASSporT though is that using protocols are
>>> required to specify how they determine freshness (like, what they 
>>> compare
>>> it to). Would that make sense as a way to approach this?
>>
>> Yes, that makes sense to me.
>
> Agree.
>
>>
>>>> The syntax of the mky claim seems to go against a JOSE design 
>>>> principle.
>>>> JOSE used very compact representations for everything.  However, 
>>>> the mky
>>>> claim uses a whole lot of colons.  This leads to a third comment.
>>>>
>>>> (3) To align with the JOSE principle, should the mky claim syntax use a
>>>> hex string or a base64 string to carry the hash values.
>>>
>>> Jonathan Lennox provided some compelling reasons for us to move mky to a
>>> JSON array format, similar to what WebRTC has done (so it's clear which
>>> keys can match to which m= lines in SDP, say). That at least was my
>>> take-away from the discussions around this in Buenos Aires. Would 
>>> that be
>>> satisfactory for you?
>>
>> I think so.
>
> So, Jon, the idea is to use this format?
>
> {
>         "fingerprint": [ {
>           "algorithm": "sha-256",
>           "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB"
>         }, {
>           "algorithm": "sha-1",
>           "digest": "74:E9:76:C8:19:...:F4:45:6B"
>         } ]
>       }
>
> (from 5.6.4) in draft-ietf-rtcweb-security-arch-11
>
> I’m not sure that addresses the size part, do we need the colon’s as 
> Russ suggests?
> Maybe use smaller key’s?
>
> {
>         "fp": [ {
>           "alg": "sha-256",
>           "dgst": "4AADB9B13F...E57CAB"
>         }, {
>           "alg": "sha-1",
>           "dgst": "74E976C819...F4456B"
>         } ]
>       }
>
>
> Could do even further encoding of fingerprint to reduce size as 
> suggested in https://webrtchacks.com/the-minimum-viable-sdp/
>
> Thoughts?
>
>
>
>
> _______________________________________________ stir mailing list 
> stir@ietf.org <mailto:stir@ietf.org> 
> https://www.ietf.org/mailman/listinfo/stir
>
>
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir