Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 24 January 2018 14:05 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Date: Wed, 24 Jan 2018 14:05:33 +0000
Message-ID: <D68E5F00.29A79%christer.holmberg@ericsson.com>
References: <7594FB04B1934943A5C02806D1A2204B6C13837A@ESESSMB109.ericsson.se> <41C6125A-C90A-4187-9B6E-267DAE44DF8B@chriswendt.net> <7594FB04B1934943A5C02806D1A2204B6C13B5EB@ESESSMB109.ericsson.se> <26D4A77C-8860-41A0-8608-2FCE10FE9942@chriswendt.net>
In-Reply-To: <26D4A77C-8860-41A0-8608-2FCE10FE9942@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/d9xDY5X2tOQhV4O2xzKd9wWQoT8>
Subject: Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

Hi,

>I guess I'm not following what's not clear, if you MUST only have one
>orig claim and one identity in that claim, that seems to be pretty clear
>to me that you cannot either not have an orig claim or have more than
>one.  I guess maybe I'm missing something subtle in your point.

It is clear that you cannot have more than one claim, but I think it could
be made more clear that you always must have a claim to begin with :)

>For extensions, and in general with any PASSporT, once the PASSporT is
>signed, that's it, you cannot modify claims or "re-sign".  If you want
>new PASSporT claim information that you want to sign, you must have a new
>PASSporT or new identity header.

Correct, I should have made that clear.

So, if you have two (or more) Identity header fields, do they all have to
contain the same "orig" value? Or, is one allowed to change it?

Does the same apply for "dest"? And, if you want to change the "dest" you
need to use the divert extension? You can't just add a new passport with a
new "dest" value. Or?

>Currently for divert, the approach is to embed a PASSporT inside a new
>PASSporT, which is a valid technique also and result in a new identity
>header also (but you should remove the old identity header in this case).

My colleague Julio sent some questions and issues regarding the
"embedding"/"nesting" approach. I would be happy if you look at those :)

Regards,

Christer


>
>-Chris
>
>> On Jan 23, 2018, at 2:19 PM, Christer Holmberg
>><christer.holmberg@ericsson.com> wrote:
>> 
>> Hi Chris,
>> 
>>>> Question for clarification:
>>>> 
>>>> Section 5.2.1 of draft-passport says:
>>>> 
>>>>      "There MUST be exactly one "orig" claim with exactly one
>>>>identity claim object in a PASSporT object."
>>>> 
>>>> Q1: Does the text above mean that
>>>> 
>>>>      a) a passport must always contain one, and only one, "orig"
>>>>claim; or 
>>>>      b) that if a passport contains an "orig" claim, it can only
>>>>contain one?
>>> 
>>> It can only contain one key value pair with the key "orig" and the
>>>claim value can only be one identity.
>>> 
>>> In other words you cannot claim to originate multiple identities with
>>>a single passport object.
>> 
>> Correct. The question is whether "orig" is mandatory (alternative a) or
>>not (alternative b). But, based on your reply to Q2 below, I assume the
>>answer is alternative a).
>> 
>> I think it would be good to make that more clear.
>> 
>>>> Q2: If a), does it apply to passport extensions too?
>>> 
>>> All extensions must include the base passport claims and follow all
>>>rules of the claims, so yes.
>> 
>> I think it should be more clear whether a node can modify claims or not
>>when adding an extension, or whether an extension needs to explicitly
>>allow it. Currently the text only says (AFAIK) that claims cannot be
>>removed.
>> 
>> For example, if I have a base passport, and add an RPH passport, I
>>assume I cannot change the value of the "dest" claim. I would need to
>>use a divert claim for that.
>> 
>> Also, as the passports may be added and signed by different
>>authorities, and as each passport will contain the base claims, it means
>>that the base claims will be signed multiple times, and they may be
>>signed by different authorities. I assume that is ok.
>> 
>> Regards,
>> 
>> Christer
>> 
>
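As an added example (not code from this thread or from the PASSporT draft), a Python check of the reading the thread converges on: "orig" is mandatory and carries exactly one identity claim object. The "dest" shape (one or more tn/uri keys holding arrays) and the "iat" check are assumed from the same base claim rules, and the compact-JWS helper deliberately only extracts claims, it does not verify the signature.

```python
import base64
import json

# Identity keys a PASSporT "orig"/"dest" claim object may carry (assumed from RFC 8225).
IDENTITY_KEYS = ("tn", "uri")


def validate_base_claims(claims: dict) -> list:
    """Return a list of problems; an empty list means the payload satisfies
    alternative a) from the thread: "orig" is mandatory and holds exactly one
    identity claim, and "dest" holds one or more identities."""
    problems = []
    iat = claims.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        problems.append("iat missing or not a NumericDate")

    orig = claims.get("orig")
    if not isinstance(orig, dict):
        problems.append("orig missing or not an object (alternative a: it is mandatory)")
    elif len(orig) != 1 or next(iter(orig)) not in IDENTITY_KEYS:
        problems.append("orig must contain exactly one identity claim (tn or uri)")
    elif not isinstance(next(iter(orig.values())), str) or not next(iter(orig.values())):
        problems.append("orig identity must be a single non-empty string")

    dest = claims.get("dest")
    if not isinstance(dest, dict) or not dest:
        problems.append("dest missing or empty")
    else:
        for key, value in dest.items():
            if key not in IDENTITY_KEYS:
                problems.append(f"dest has unknown identity key {key!r}")
            elif not isinstance(value, list) or not value or not all(isinstance(v, str) and v for v in value):
                problems.append(f"dest[{key!r}] must be a non-empty array of strings")
    return problems


def b64url(data: str) -> str:
    """Unpadded base64url, as used for JWS segments."""
    return base64.urlsafe_b64encode(data.encode()).decode().rstrip("=")


def claims_from_compact_jws(token: str) -> dict:
    """Pull the claims out of a compact JWS (header.payload.signature) WITHOUT
    verifying the signature; structural checks never replace verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed sample claims (not from the thread): one valid base PASSporT and
# two shapes that the "exactly one orig claim" rule rejects.
VALID = {"iat": 1516806333, "orig": {"tn": "12155551212"}, "dest": {"tn": ["12155551213"]}}
TWO_ORIG_IDENTITIES = {"iat": 1516806333, "orig": {"tn": "12155551212", "uri": "sip:a@example.com"}, "dest": {"tn": ["12155551213"]}}
NO_ORIG = {"iat": 1516806333, "dest": {"tn": ["12155551213"]}}
# Constructed token with a placeholder signature segment (never accept unverified).
SAMPLE_TOKEN = b64url(json.dumps({"alg": "ES256"})) + "." + b64url(json.dumps(VALID)) + ".signature-omitted"
```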