Re: [stir] A few comments on the PASSporT Document

"Peterson, Jon" <jon.peterson@neustar.biz> Thu, 21 April 2016 18:04 UTC

From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Date: Thu, 21 Apr 2016 18:04:54 +0000
Message-ID: <D33E61AD.187813%jon.peterson@neustar.biz>
References: <9D68E244-1E03-4FF1-8343-F661FF3D629D@vigilsec.com>
In-Reply-To: <9D68E244-1E03-4FF1-8343-F661FF3D629D@vigilsec.com>

Thanks for these notes Russ.

>I needed to chase a bunch of references to figure out what really goes in
>the iat claim.  This leads me to two comments.
>
>(1) Let's help the reader and tell them that the iat claim contains a
>JSON numeric value representing the number of seconds from 1970-01-01
>00:00:00 UTC.

Sounds good to me. That claim is defined in baseline JWS/JWT, but agreed
it would be helpful to informationally reiterate its syntax in the
PASSporT spec.

>(2) The iat claim carries the time that the token was issued.  Section 7
>tells that the token should be handled in a "reasonable for clock drift
>and transmission time."  This makes sense, but neither Section 3.2.1.1
>nor Section 7 tells what ought to happen if it is determined to be stale.

This is where the hand-off between RFC4474bis and PASSporT can be murky.
The behavior for SIP as a using protocol of PASSporT with regards to the
freshness of Date/iat is given in RFC4474bis. Other using protocols might
want to use other means to ascertain freshness; SIP behavior really comes
down to comparing iat with the Date header, and we don't want that
using-protocol-specific language to be in PASSporT.

I can also imagine PASSporT tokens being evaluated historically, rather
than in real time, and the determination of "freshness" for those purposes
might be different, or even just irrelevant.

What we can say about iat in PASSporT though is that using protocols are
required to specify how they determine freshness (like, what they compare
it to). Would that make sense as a way to approach this?

>The syntax of the mky claim seems to go against a JOSE design principle.
>JOSE used very compact representations for everything.  However, the mky
>claim uses a whole lot of colons.  This leads to a third comment.
>
>(3) To align with the JOSE principle, should the mky claim syntax use a
>hex string or a base64 string to carry the hash values.

Jonathan Lennox provided some compelling reasons for us to move mky to a
JSON array format, similar to what WebRTC has done (so it's clear which
keys can match to which m= lines in SDP, say). That at least was my
take-away from the discussions around this in Buenos Aires. Would that be
satisfactory for you?

Jon Peterson
Neustar, Inc.

>
>Thanks,
>  Russ
>
>
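Added example, not code from the thread or from any PASSporT implementation: it reads the iat claim out of a compact-serialized PASSporT (a JSON number of seconds since 1970-01-01 00:00:00 UTC, as Russ asks the spec to state) and performs the SIP-style freshness check Jon describes, comparing iat with the SIP Date header. The 60-second tolerance, the placeholder signature and the sample orig/dest claim values are assumptions made for the example.

```python
"""Constructed example: read iat from a PASSporT and compare it with the
SIP Date header. The 60-second window is an assumed parameter."""
import base64
import json
from email.utils import parsedate_to_datetime


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_passport_claims(token: str) -> dict:
    """Decode the claims segment of a compact-serialized PASSporT.
    The signature is NOT verified here; that is the JWS layer's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_iat_against_date(claims: dict, sip_date: str, tolerance: int = 60):
    """Compare iat (JSON number: seconds since 1970-01-01T00:00:00Z) with the
    SIP Date header (RFC 1123 date). Returns (fresh, skew_seconds)."""
    iat = claims.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        raise TypeError("iat must be a JSON numeric value")
    date_epoch = parsedate_to_datetime(sip_date).timestamp()
    skew = abs(date_epoch - iat)
    return skew <= tolerance, skew


# Constructed sample token: header and claims with a placeholder signature.
SAMPLE_HEADER = {"typ": "passport", "alg": "ES256",
                 "x5u": "https://cert.example.test/passport.cer"}
SAMPLE_CLAIMS = {"iat": 1461261894,
                 "orig": {"tn": "12155551212"}, "dest": {"tn": ["12155551213"]}}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    b64url_encode(b"placeholder-signature"),
])
SAMPLE_DATE = "Thu, 21 Apr 2016 18:04:54 GMT"  # equals the sample iat exactly

if __name__ == "__main__":
    claims = decode_passport_claims(SAMPLE_TOKEN)
    print(check_iat_against_date(claims, SAMPLE_DATE))  # (True, 0.0)
    # A token issued five minutes before the Date header is treated as stale.
    print(check_iat_against_date({"iat": 1461261594}, SAMPLE_DATE))  # (False, 300.0)
```

Whether a stale token is rejected outright or merely logged is, as Jon notes, left to the using protocol; this function only reports the skew.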