Re: [stir] Separation of JWS
"Peterson, Jon" <jon.peterson@neustar.biz> Sat, 16 July 2016 23:40 UTC
Return-Path: <prvs=00059cb0ff=jon.peterson@neustar.biz>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72AC812D098 for <stir@ietfa.amsl.com>; Sat, 16 Jul 2016 16:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1d4-XpKbkRSG for <stir@ietfa.amsl.com>; Sat, 16 Jul 2016 16:40:02 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB8DD12D0F1 for <stir@ietf.org>; Sat, 16 Jul 2016 16:40:02 -0700 (PDT)
Received: from pps.filterd (m0078666.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u6GNWSTr013920; Sat, 16 Jul 2016 19:39:59 -0400
Received: from stntexhc12.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 247h1nrvbg-1 (version=TLSv1 cipher=AES128-SHA bits=128 verify=NOT); Sat, 16 Jul 2016 19:39:59 -0400
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.94]) by stntexhc12.cis.neustar.com ([::1]) with mapi id 14.03.0279.002; Sat, 16 Jul 2016 19:39:57 -0400
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Thread-Topic: [stir] Separation of JWS
Thread-Index: AQHR3imlxQWCiaKHYkOkgu/OqfssD6AZMS/wgABGHqGAACXa4IABg0UAgACfpgD///pSDA==
Date: Sat, 16 Jul 2016 23:39:56 +0000
Message-ID: <CBC570D0-F048-48D7-9250-4B16C072619C@neustar.biz>
References: <D3AD6E75.1A6268%jon.peterson@neustar.biz> <7594FB04B1934943A5C02806D1A2204B476AB520@ESESSMB208.ericsson.se> <7B90D2FC-7142-4801-B84E-FB459A2339C9@neustar.biz> <7594FB04B1934943A5C02806D1A2204B476ABFD3@ESESSMB208.ericsson.se> <D55A29CA-A50E-478C-A39A-E28967FA75F9@shockey.us>, <7594FB04B1934943A5C02806D1A2204B476BD10C@ESESSMB209.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B476BD10C@ESESSMB209.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_CBC570D0F04848D792504B16C072619Cneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-16_17:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607160292
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/blRlXx7og8RIbeA3hP3VRtaAwII>
Cc: IETF STIR Mail List <stir@ietf.org>, Richard Shockey <richard@shockey.us>
Subject: Re: [stir] Separation of JWS
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 23:40:05 -0000
I asked some people about this at the IETF today, but I'm still not clear (and I am not sure RFC7515 is clear) if the intention of Appendix F is to omit both the headers and claims or just the claims. I'll continue asking around about it - the ambiguity is about what the "payload" there means exactly. I will say though that 4474bis is being implemented by a number of people at this point and I haven't heard this particular problem raised before. I don't think it is unclear what you're supposed to do with "canon". We can argue what is most optimal, but I hesitate to make yet another syntax change for the sake of something that doesn't really change the semantics. The spec doesn't need to be further delayed for purely cosmetic reasons. Frustratingly, I suspect that this is just a question of syntax, and that at the end of the day it sounds like we're trying to get to the same place. Sometimes it is hardest to choose between options when the differences are the slightest. Jon Peterson Neustar, Inc. Sent from my iPad On Jul 16, 2016, at 10:00 PM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote: Hi, I am commenting with an implementer hat on, and I don’t think we should accept what we have now. In my opinion there would be interop issues from day one, because 1) we are “splitting” the encoded JWS string into different pieces, and 2) it is not clear how the encoding of that will look like. My suggestion is to send the whole encoded PassPORT JWS object string as the Identity header field value, according to the JWS standard, and drop the “canon” header field parameter. That was my assumption since the day we adopted JWS. I still allows not sending the claims in a standard manner. I also don’t think it should be allowed to drop the mandatory JWS headers. Doing the change in the draft should not be a big task. Regards, Christer From: Richard Shockey [mailto:richard@shockey.us] Sent: 16 July 2016 13:29 To: Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>>; Peterson, Jon <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> Cc: IETF STIR Mail List <stir@ietf.org<mailto:stir@ietf.org>> Subject: Re: [stir] Separation of JWS Christer if you are frustrated I certainly understand. As I have read through v10 here I’m wondering how it can be successfully implemented by the vendor community. There is clearly strong, in fact overwhelming demand to implement this but the last thing we need are the kinds of baked in interoperability problems we have seen in VoLTE, for instance. I can assure you the NRA’s have been told we have a solution but we realistically need to give them some implementation timelines. The lack of actual full examples of a typical originating INVITE, is appalling. I have serious questions whether this document is ready for adoption. Should we just accept what we have now? Should the SIP Forum immediately look into some ongoing profile work here as we start down this road? I know Robert would like to see some examples of implementations at SIPit but is there enough time given the ongoing questions the document does not answer. — Richard Shockey Shockey Consulting LLC Chairman of the Board SIP Forum www.shockey.us<http://www.shockey.us> www.sipforum.org<http://www.sipforum.org> richard<at>shockey.us<http://shockey.us> Skype-Linkedin-Facebook rshockey101 PSTN +1 703-593-2683 From: stir <stir-bounces@ietf.org<mailto:stir-bounces@ietf.org>> on behalf of Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> Date: Friday, July 15, 2016 at 5:35 PM To: "Peterson, Jon" <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> Cc: IETF STIR Mail List <stir@ietf.org<mailto:stir@ietf.org>> Subject: Re: [stir] Separation of JWS Hi, >Oh, you meant Appendix F of RFC7515. I had thought you said RFC7315 in your other mail, so perhaps you can understand my confusion. Sorry :) >My reading of that is that it can remove the claims but not the header. But it's also not super specific about how it works. What do you think is unclear? I am using it for a draft I’m working on, and I think it’s pretty clear :) I am also not sure why we should remove the headers. Don’t we need that information? >5.2.1 of rfc4474bis-10 contains the crispest statement of the syntax of canon, perhaps, but it is not the job of rfc4474bis to repeat the guidance of >PASSporT on how to construct the object. Perhaps a pointer to that specific section of PASSporT would help? My question is not how to construct the object, but how to construct the “canon” header field value, which seems to be only a part of the object string. Section 5.2.1 describes which components (headers and claims) are used to create the “canon” value, but now HOW it’s created. So, I’d like to suggest that we transport the PASSportT object string as the Identity header field value, and don’t use “canon”. I am happy to hear why we can’t do that, but so far I have not heard/read anything :) That would also allow people to use off-the-shelf JWS encoders/decoders, and we would avoid the confusion of transporting different parts of the object string in different places. Regards, Christer On Jul 15, 2016, at 2:09 AM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote: Hi, > This is partly the same question as we are exploring in the "syntax change" thread discussion on whether or not "canon" will always be included. It’s not really the same. My question is: *IF* the claims are included, why do we put them in a separate place (the “canon” header field parameter)? Why don’t we use the standard JWS mechanism? >To answer your question, think about it as if SIP does not carry a JWS object, but instead it transports some data that allows a verification service >to generate a JWS object. So we're not "sending" the JWS object, and thus we're under no obligation to "send it as one string" or whatever. > >The rfc4474bis "canon" parameter optionally contains the encoded portion of the header and claims of the JWS object because the headers (and claims) in baseline PASSporT are usually redundant wth the contents of >a SIP request - we anticipate that any verification service can ordinarily regenerate those headers and claims itself, so, there's no ostensible value in carrying them. Generally speaking, we should bloating messages >with redundant fields if we can. I agree. But, Appendix F describes how to do that with JWS. >If you're asking why we chose to demarcate that with "canon" rather than just not including the JWS header and claims if we didn't >want to include the JWS header and claims, it is generally better to be explicit than to leave the verification service to infer what is going. In my opinion it’s better to follow the standard. And, again, Appendix F describes how to not included the claims in a standard way. Also, I am not sure (need to verify) whether it’s allowed to remove all headers. Also, *IF* we want to use the “canon” header field parameter, the draft doesn’t give enough information on how it is generated. We have the following syntax in Section 8: canonical-str = "canon" EQUAL *base64-char …and, in a few places of the document we have text like: “The syntax of "canon" is given in Section 8; essentially, it contains a base64 encoding of the JSON header and claims in the PASSporT object.” But, I cannot find text on how that base64-char string is generated. You have the base64 encoding of the JSON header, and the base64 encoding of the claims. How do you combine them into the base64 encoded “canon” value? Regards, Christer _______________________________________________ stir mailing list stir@ietf.org<mailto:stir@ietf.org> https://www.ietf.org/mailman/listinfo/stir
- Re: [stir] Separation of JWS DOLLY, MARTIN C
- Re: [stir] Separation of JWS Peterson, Jon
- Re: [stir] Separation of JWS Christer Holmberg
- Re: [stir] Separation of JWS Richard Shockey
- Re: [stir] Separation of JWS Christer Holmberg
- Re: [stir] Separation of JWS Peterson, Jon
- Re: [stir] Separation of JWS Christer Holmberg
- Re: [stir] Separation of JWS Peterson, Jon
- [stir] Separation of JWS Christer Holmberg