Re: [stir] Alexey Melnikov's Discuss on draft-ietf-stir-certificates-11: (with DISCUSS and COMMENT)

Russ Housley <housley@vigilsec.com> Wed, 02 November 2016 15:54 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <1478101725.216255.775166569.1BD2E379@webmail.messagingengine.com>
Date: Wed, 02 Nov 2016 11:54:21 -0400
Message-Id: <58F5F6BD-02E0-4DC9-8A69-D918AB5A4B65@vigilsec.com>
References: <147800730286.23932.1515952198717955239.idtracker@ietfa.amsl.com> <BE53511C-3C37-4C94-8C01-681EB413C670@sn3rd.com> <1478101725.216255.775166569.1BD2E379@webmail.messagingengine.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/b8D7RdXDLI7aPw9AqlrAqNFSQno>
Cc: draft-ietf-stir-certificates@ietf.org, stir-chairs@ietf.org, IESG <iesg@ietf.org>, IETF STIR Mail List <stir@ietf.org>, Robert Sparks <rjsparks@nostrum.com>
Subject: Re: [stir] Alexey Melnikov's Discuss on draft-ietf-stir-certificates-11: (with DISCUSS and COMMENT)

On Nov 2, 2016, at 11:48 AM, Alexey Melnikov <aamelnikov@fastmail.fm> wrote:

> Hi Sean,
> 
> On Tue, Nov 1, 2016, at 03:15 PM, Sean Turner wrote:
>> 
>>> On Nov 01, 2016, at 09:35, Alexey Melnikov <aamelnikov@fastmail.fm> wrote:
> 
> (snip)
> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> I have one small issue that I would like to discuss before recommending
>>> approval of this document:
>>> 
>>> Reading Section 8, I was unable to figure out what "claim",
>>> "permitted" and "excluded" are and what exact syntaxes they use. I think this
>>> is underspecified.
>>> You are probably missing some references, examples or both.
>> 
>> From s5.1:
>> 
>>   The public key in the certificate is used to validate the signature
>>   on a JSON Web Token (JWT) [RFC7519] that conforms to the conventions
>>   specified in PASSporT [I-D.ietf-stir-passport].  This specification
>>   supports constraints on the JWT claims, which allows the CA to
>>   differentiate those enrolled from proof-of-possession versus
>>   delegation.
>> 
>> the JWT claims for STIR are found in s5 of [I-D.ietf-stir-passport].  We
>> define our own but also use some existing ones so we could add a
>> reference as follows to clear this up:
>> 
>>   …, This specification
>>   supports constraints on the JWT claims [I-D.ietf-stir-passport],
>>   which allows the CA to differentiate those enrolled from
>>   proof-of-possession versus delegation.
> 
> Adding this somewhere in section 8 would help.
> 
>> Permitted and excluded are in s8 (they’re just IA5Strings):
>> 
>> JWTClaimConstraint ::= SEQUENCE {
>>      claim IA5String,
>> ->      permitted [1] SEQUENCE OF IA5String OPTIONAL,
>> ->      excluded  [2] SEQUENCE OF IA5String OPTIONAL }
>>       ( WITH COMPONENTS { ..., permitted PRESENT } |
>>       WITH COMPONENTS { ..., excluded PRESENT } )
>> 
>> These are analogous to the permitted and excluded name and policy
>> constraints in X.509/RFC 5280.
> 
> I am sorry if I am being thick, but I still don't get what this is all
> about. Doing a quick scan of RFC 5280 I only found permittedSubtrees.
> Can you give me an example or two on how this is going to be used?

Alexey:

For a named claim, the extension limits the possible values that can appear.

If the permitted SEQUENCE is populated, then the listed claim MUST contain one of the listed values.

If the excluded SEQUENCE is populated, then the listed claim MUST NOT contain one of the listed values.

Russ
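The check Russ describes, as an added example that is not part of this thread or of draft-ietf-stir-certificates: a verifier holds the JWTClaimConstraints from the signer's certificate and the decoded claims of a PASSporT, and rejects the PASSporT if a named claim's value is outside the permitted list or inside the excluded list. The claim names in the sample data, the canonical-string comparison for non-string claim values, and the rule that an absent claim fails a "permitted" list are assumptions made for this example, not text from the draft.

```python
"""Evaluate PASSporT JWT claims against JWTClaimConstraints as described
in the thread: permitted -> the claim MUST contain one of the listed
values; excluded -> the claim MUST NOT contain one of the listed values.
Added example, not code from the draft or from any STIR implementation."""
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass
class JWTClaimConstraint:
    """Python mirror of the draft's ASN.1:
         JWTClaimConstraint ::= SEQUENCE {
            claim     IA5String,
            permitted [1] SEQUENCE OF IA5String OPTIONAL,
            excluded  [2] SEQUENCE OF IA5String OPTIONAL }
         ( WITH COMPONENTS {..., permitted PRESENT} | WITH COMPONENTS {..., excluded PRESENT} )
    """
    claim: str
    permitted: Optional[List[str]] = None
    excluded: Optional[List[str]] = None

    def __post_init__(self) -> None:
        # Enforce the WITH COMPONENTS constraint: at least one list must be present.
        if self.permitted is None and self.excluded is None:
            raise ValueError(f"constraint on {self.claim!r} needs permitted or excluded")


def _as_ia5(value: Any) -> str:
    """Render a decoded JWT claim value as the string the IA5String lists are
    compared against.  Strings compare as-is; structured values (e.g. the
    PASSporT "orig" object) use a canonical JSON serialization.  This is an
    assumption for the example; the draft only says the lists hold IA5Strings."""
    if isinstance(value, str):
        return value
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def check_claim_constraints(claims: Dict[str, Any],
                            constraints: List[JWTClaimConstraint]) -> List[str]:
    """Return the list of violations; an empty list means the PASSporT's claims
    satisfy every constraint carried in the certificate.

    Assumption: a claim that is absent from the PASSporT cannot satisfy a
    'permitted' list (so it is reported), and trivially satisfies an
    'excluded' list (so it is not)."""
    violations: List[str] = []
    for c in constraints:
        if c.claim not in claims:
            if c.permitted is not None:
                violations.append(
                    f"claim {c.claim!r} absent but certificate permits only {c.permitted}")
            continue
        value = _as_ia5(claims[c.claim])
        if c.permitted is not None and value not in c.permitted:
            violations.append(
                f"claim {c.claim!r} value {value!r} not in permitted {c.permitted}")
        if c.excluded is not None and value in c.excluded:
            violations.append(
                f"claim {c.claim!r} value {value!r} is in excluded {c.excluded}")
    return violations


# Constructed sample inputs for this example.  "attest" and "svc" are used as
# illustrative claim names; the draft itself does not define them.
SAMPLE_CONSTRAINTS = [
    JWTClaimConstraint(claim="attest", permitted=["A", "B"]),
    JWTClaimConstraint(claim="svc", excluded=["test"]),
]

PASSPORT_ACCEPTED = {
    "attest": "A",
    "orig": {"tn": "12155551212"},
    "dest": {"tn": ["12155551213"]},
    "iat": 1443208345,
}

PASSPORT_REJECTED = {
    "attest": "C",          # not in the permitted list
    "svc": "test",          # in the excluded list
    "orig": {"tn": "12155551212"},
    "dest": {"tn": ["12155551213"]},
    "iat": 1443208345,
}


def verify_passport(claims: Dict[str, Any]) -> bool:
    """Convenience wrapper: True if the sample certificate's constraints accept the claims."""
    return not check_claim_constraints(claims, SAMPLE_CONSTRAINTS)


if __name__ == "__main__":
    for name, pp in (("accepted", PASSPORT_ACCEPTED), ("rejected", PASSPORT_REJECTED)):
        print(name, verify_passport(pp), check_claim_constraints(pp, SAMPLE_CONSTRAINTS))
```

The verifier runs this after the JWT signature has validated against the certificate's public key; constraint evaluation is a separate step that uses the decoded payload, so a PASSporT with a good signature from a certificate whose constraints it violates is still rejected.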