Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
Christer Holmberg <christer.holmberg@ericsson.com> Wed, 24 January 2018 14:05 UTC
To: Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Date: Wed, 24 Jan 2018 14:05:33 +0000
Message-ID: <D68E5F00.29A79%christer.holmberg@ericsson.com>
In-Reply-To: <26D4A77C-8860-41A0-8608-2FCE10FE9942@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/d9xDY5X2tOQhV4O2xzKd9wWQoT8>
Hi,

>I guess I'm not following what's not clear, if you MUST only have one orig claim and one identity in that claim, that seems to be pretty clear to me that you cannot either not have an orig claim or have more than one. I guess maybe I'm missing something subtle in your point.

It is clear that you cannot have more than one claim, but I think it could be made more clear that you always must have a claim to begin with :)

>For extensions, and in general with any PASSporT, once the PASSporT is signed, that's it, you cannot modify claims or "re-sign". If you want new PASSporT claim information that you want to sign, you must have a new PASSporT or new identity header.

Correct, I should have made that clear.

So, if you have two (or more) Identity header fields, do they all have to contain the same "orig" value? Or, is one allowed to change it? Does the same apply for "dest"? And, if you want to change the "dest" you need to use the divert extension? You can't just add a new passport with a new "dest" value. Or?

>Currently for divert, the approach is to embed a PASSporT inside a new PASSporT, which is a valid technique also and results in a new identity header also (but you should remove the old identity header in this case).

My colleague Julio sent some questions and issues regarding the "embedding"/"nesting" approach. I would be happy if you look at those :)

Regards,

Christer

>
>-Chris
>
>> On Jan 23, 2018, at 2:19 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
>>
>> Hi Chris,
>>
>>>> Question for clarification:
>>>>
>>>> Section 5.2.1 of draft-passport says:
>>>>
>>>> "There MUST be exactly one "orig" claim with exactly one identity claim object in a PASSporT object."
>>>>
>>>> Q1: Does the text above mean that
>>>>
>>>> a) a passport must always contain one, and only one, "orig" claim; or
>>>> b) that if a passport contains an "orig" claim, it can only contain one?
>>>
>>> It can only contain one key value pair with the key "orig" and the claim value can only be one identity.
>>>
>>> In other words you cannot claim to originate multiple identities with a single passport object.
>>
>> Correct. The question is whether "orig" is mandatory (alternative a) or not (alternative b). But, based on your reply to Q2 below, I assume the answer is alternative a).
>>
>> I think it would be good to make that more clear.
>>
>>>> Q2: If a), does it apply to passport extensions too?
>>>
>>> All extensions must include the base passport claims and follow all rules of the claims, so yes.
>>
>> I think it should be more clear whether a node can modify claims or not when adding an extension, or whether an extension needs to explicitly allow it. Currently the text only says (AFAIK) that claims cannot be removed.
>>
>> For example, if I have a base passport, and add an RPH passport, I assume I cannot change the value of the "dest" claim. I would need to use a divert claim for that.
>>
>> Also, as the passports may be added and signed by different authorities, and as each passport will contain the base claims, it means that the base claims will be signed multiple times, and they may be signed by different authorities. I assume that is ok.
>>
>> Regards,
>>
>> Christer
>>
>
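As an added illustration of the section 5.2.1 rule quoted in the thread above ("exactly one "orig" claim with exactly one identity claim object"), the following Python is a verifier-side check written for this archive page; it is not code from the thread, from draft-passport, or from any STIR implementation. It assumes the RFC 8225 claim shapes (`"orig": {"tn": "..."}` or `{"uri": "..."}`, `"dest"` carrying arrays) and uses constructed sample payloads. The point a practitioner wants to see is that a plain `json.loads` keeps only the last of two `"orig"` members, so "exactly one claim" has to be enforced at parse time with a duplicate-key hook, not after the fact on the resulting dict.

```python
import base64
import json

# Added example for the STIR list thread, not project code. Enforces:
# "There MUST be exactly one "orig" claim with exactly one identity claim
#  object in a PASSporT object." (draft-passport section 5.2.1, quoted in thread)
# Claim-object shape ({"tn": ...} / {"uri": ...}) assumed from RFC 8225.

IDENTITY_KEYS = ("tn", "uri")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment (padding is restored first)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _reject_duplicate_keys(pairs):
    """json.loads hook: refuse a JSON object that repeats a member name instead
    of silently keeping the last value, so a second "orig" cannot slip past."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate member {key!r} in JSON object")
        obj[key] = value
    return obj


def parse_payload(payload_segment: str) -> dict:
    """Decode the PASSporT payload segment into claims, rejecting duplicate keys."""
    return json.loads(b64url_decode(payload_segment),
                      object_pairs_hook=_reject_duplicate_keys)


def check_orig_claim(claims: dict) -> list:
    """Return the list of rule violations for "orig"; an empty list means it passes."""
    problems = []
    if "orig" not in claims:
        problems.append('missing "orig" claim')
        return problems
    orig = claims["orig"]
    if not isinstance(orig, dict):
        problems.append('"orig" is not a claim object')
        return problems
    idents = [k for k in orig if k in IDENTITY_KEYS]
    if len(idents) != 1:
        problems.append(f'"orig" must carry exactly one identity, found {len(idents)}')
    for k in idents:
        if isinstance(orig[k], list):
            problems.append(f'"orig" {k} must be a single value, not an array')
    return problems


def validate_passport_payload(payload_segment: str) -> list:
    """Decode then check; malformed or duplicate-key JSON is reported, not raised."""
    try:
        claims = parse_payload(payload_segment)
    except ValueError as exc:  # JSONDecodeError and binascii.Error both derive from it
        return [str(exc)]
    return check_orig_claim(claims)


# Constructed sample payloads (not taken from any real call or the thread).
SAMPLES = {
    "good": '{"dest":{"tn":["12155551213"]},"iat":1443208345,"orig":{"tn":"12155551212"}}',
    "two_orig_claims": '{"dest":{"tn":["12155551213"]},"iat":1443208345,'
                       '"orig":{"tn":"12155551212"},"orig":{"tn":"12155559999"}}',
    "two_identities": '{"dest":{"tn":["12155551213"]},"iat":1443208345,'
                      '"orig":{"tn":"12155551212","uri":"sip:alice@example.com"}}',
    "no_orig": '{"dest":{"tn":["12155551213"]},"iat":1443208345}',
}


def run_samples() -> dict:
    """Encode each constructed payload as a JWT segment and validate it."""
    return {name: validate_passport_payload(b64url_encode(text.encode("utf-8")))
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Only the payload segment is inspected here; signature verification over the header and payload still has to happen before any of these claims are trusted, and the same duplicate-key rule applies equally to the "dest" claim and to the PASSporT header.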