Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
Dave Crocker <dhc@dcrocker.net> Mon, 22 August 2016 16:28 UTC
Return-Path: <dhc@dcrocker.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2327012D731 for <stir@ietfa.amsl.com>; Mon, 22 Aug 2016 09:28:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.988
X-Spam-Level:
X-Spam-Status: No, score=-0.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L5=0.001, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B0tV10F03U8g for <stir@ietfa.amsl.com>; Mon, 22 Aug 2016 09:28:24 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1995B12D552 for <stir@ietf.org>; Mon, 22 Aug 2016 09:28:24 -0700 (PDT)
Received: from [192.168.1.168] (76-218-8-128.lightspeed.sntcca.sbcglobal.net [76.218.8.128]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u7MGSUxC028126 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Mon, 22 Aug 2016 09:28:31 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1471883311; bh=sQUmqQmi7p84g6ZyCKpXGnUMLsVb6bb2ril5Sk9VRfY=; h=Subject:To:References:Cc:From:Reply-To:Date:In-Reply-To:From; b=ogJb0IiLY/mTIWGqQN5uQiYR9dLuU4YWLVknSaot1fKO3YE7dQvddJ2iH6mQ18HwT I/6hWHWbgAvGbzJmjN8p2OpW9CkVis2FouIpFXGCAWXcUEjqlmeFmdOD51K0dyBSM2 sg2G6YbkNC/tZVcGFn/WjCWTGjJpC459a1dT1ank=
To: Christer Holmberg <christer.holmberg@ericsson.com>, Eric Rescorla <ekr@rtfm.com>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net> <CABcZeBNQgsjDOrW2k4WOucTVXSMHjEUjKgGkhYT119Z3yoUv1g@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B4BC29AD9@ESESSMB209.ericsson.se>
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <72ca2036-610e-2226-ed4f-34efbf0e9552@dcrocker.net>
Date: Mon, 22 Aug 2016 09:28:03 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B4BC29AD9@ESESSMB209.ericsson.se>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/ZRz88vt33XX3EhKB_k-gerX3u18>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2016 16:28:25 -0000
On 8/21/2016 9:03 AM, Christer Holmberg wrote: > I agree with Ekr, and being able to use something pre-existing is the > reason I asked the passport authors to consider JWT. If you think there > is something better pre-existing, please say so, but if you want to do > something from scratch I think we’d need some really good justification > for that. I don’t agree with your earlier statements that JWT is > complex, and there are tons of tools to test and verify JWTs. Christer, Just to be thorough, I'll repeat that I agree with the goal of using existing solutions, where they represent a high-enough point of departure (if they aren't a perfect match), preferably with enough track record to establish efficacy. And I'll repeat that my view of the passport draft did not criticize the use of JWT. (By the way, is it only JWT or is it actually JOSE, and if it isn't why not?) It's not that I didn't question the use, it's that I didn't indulge in that questioning at that point. This came later, as I watched the documentation efforts to integrate use of JWT. > In Berlin I did raise an issue on how STIR uses JWT in SIP (the encoded > object is “split up”, and different pieces are placed in different SIP > elements), but Jon promised to make sure it’s clarified and well > explained in the next version of the bis draft, so I think we should > give him a chance to do that. There are at least two major problems here. The technical one is that the current approach requires doing encoding and packaging twice, from what I can tell. Once in a JSON context and the second in a SIP header context. By itself, that should be worrying. That the latter hasn't been fully documented and agreed to, yet, raises a question about how anyone thought the documents were ready for last call. The other major problem is that the introduction of JSON/JWT has produced levels of indirection in the documentation that made it essentially impossible for me to understand and analyze the specification details. And I tried pretty hard. So this does not bode well for other new readers of the specifications. (More generally, the documents make cross-references and indulge in cross-dependencies that defeat the benefits of modularity and create really serious reading complexity.) And now, yes, I'll indulge in the dreaded "DKIM" reference... DKIM is another existing mechanism that provides exactly the needed functionality, with more than 10 years of field experience (counting the predecessor Yahoo's Domainkeys) and a relatively simple design. As I've noted before, the list of 'topics' for the STIR work is not long. I'll do an abbreviated listing here: 1. Calling value acquisition -- getting the string to validate 2. Key management --getting the key and validating that it is authorized for use with the calling value. 3. A bunch of crypto-related computation -- including canonicalization of the data of course 4. Packaging the result -- for use by the validation mechanism. Step 1 is not part of the crypto work, but it is of course fundamental, as well as being specific to STIR. The crypto subsystem just uses it as input. The choice of JSON/JWT, DKIM, or whatever is irrelevant to this step. Step 2: a) For non-telephone URIs, DKIM's DNS model can be used directly. b) I'm unclear about the role of the domain name in the URIs that have a phone number in the left-hand side. In any event, as I've noted repeatedly, number-based key management is an open issue, with demonstrated high risk, given that the previous effort failed. Step 3 can use DKIM almost directly. Step 4 can use DKIM almost directly. So the DKIM approach is dramatically simpler and offers by far the highest point of departure for STIR. In particular, the hard parts of doing STIR aren't solved by this choice -- JSON/JWT don't help either. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… DOLLY, MARTIN C
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- [stir] Setting Direction for the STIR WG Last Call Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Richard Shockey
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Paul Kyzivat
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- [stir] JWT/JSON (was - Re: Review of: draft-ietf-… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Victor Pascual
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Burger
- [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Michael Hammer
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Alex Bobotek
- Re: [stir] Review of: draft-ietf-stir-passport-05 Stephen Farrell
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt