Re: [stir] A few comments on the PASSporT Document
Russ Housley <housley@vigilsec.com> Thu, 21 April 2016 20:26 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFD0812DB47 for <stir@ietfa.amsl.com>; Thu, 21 Apr 2016 13:26:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zDCOl3JaRmgx for <stir@ietfa.amsl.com>; Thu, 21 Apr 2016 13:26:22 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 2145B12D8BF for <stir@ietf.org>; Thu, 21 Apr 2016 13:26:22 -0700 (PDT)
Received: from localhost (ronin.smetech.net [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 6FB0BF2401F; Thu, 21 Apr 2016 16:26:21 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id ru9ozWlDcosV; Thu, 21 Apr 2016 16:10:49 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id D9646F24013; Thu, 21 Apr 2016 16:26:20 -0400 (EDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <D33E61AD.187813%jon.peterson@neustar.biz>
Date: Thu, 21 Apr 2016 16:26:18 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <84B51A25-EBF9-48EA-8BFF-4D76647715CB@vigilsec.com>
References: <9D68E244-1E03-4FF1-8343-F661FF3D629D@vigilsec.com> <D33E61AD.187813%jon.peterson@neustar.biz>
To: Jon Peterson <jon.peterson@neustar.biz>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/cWm-haoM7OJ_zEpGg2VkeCmscrY>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] A few comments on the PASSporT Document
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2016 20:26:23 -0000
Jon: > Thanks for these notes Russ. > >> I needed to chase a bunch of references to figure out what really goes in >> the iat claim. This leads me to two comments. >> >> (1) Let¹s help the reader and tell them that the iat claim contains a >> JSON numeric value representing the number of seconds from 1970-01-01 >> 00:00:00 UTC. > > Sounds good to me. That claim is defined in baseline JWS/JWT, but agreed > it would be helpful to informationally reiterate its syntax in the > PASSporT spec. Thanks. >> (2) The iat claim carries the time that the token was issued. Section 7 >> tells that the token should be handled in a "reasonable for clock drift >> and transmission time.² This makes sense, but neither Section 3.2.1.1 >> nor Section 7 tells what ought to happen if it is determined to be stale. > > This is where the hand-off between RFC4474bis and PASSporT can be murky. > The behavior for SIP as a using protocol of PASSporT with regards to the > freshness of Date/iat is given in RFC4474bis. Other using protocols might > want to use other means to ascertain freshness; SIP behavior really comes > down to comparing iat with the Date header, and we don't want that > using-protocol-specific language to be in PASSporT. > > I can also imagine PASSporT tokens being evaluated historically, rather > than in real time, and the determination of "freshness" for those purposes > might be different, or even just irrelevant. > > What we can say about iat in PASSporT though is that using protocols are > required to specify how they determine freshness (like, what they compare > it to). Would that make sense as a way to approach this? Yes, that makes sense to me. >> The syntax of the mky claim seems to go against a JOSE design principle. >> JOSE used very compact representations for everything. However, the mky >> claim uses a whole lot of colons. This leads to a third comment. >> >> (3) To align with the JOSE principle, should the mky claim syntax use a >> hex string or a base64 string to carry the hash values. > > Jonathan Lennox provided some compelling reasons for us to move mky to a > JSON array format, similar to what WebRTC has done (so it's clear which > keys can match to which m= lines in SDP, say). That at least was my > take-away from the discussions around this in Buenos Aires. Would that be > satisfactory for you? I think so. Russ
- [stir] A few comments on the PASSporT Document Russ Housley
- Re: [stir] A few comments on the PASSporT Document Peterson, Jon
- Re: [stir] A few comments on the PASSporT Document Russ Housley
- Re: [stir] A few comments on the PASSporT Document Chris Wendt
- Re: [stir] A few comments on the PASSporT Document Richard Shockey
- Re: [stir] A few comments on the PASSporT Document Robert Sparks