IETF Logo Mail Archive

Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)

Dave Crocker <dhc@dcrocker.net> Fri, 05 August 2016 14:20 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7652212D86D for <stir@ietfa.amsl.com>; Fri, 5 Aug 2016 07:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aU7S3ajAyOER for <stir@ietfa.amsl.com>; Fri, 5 Aug 2016 07:20:35 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACC612D86A for <stir@ietf.org>; Fri, 5 Aug 2016 07:20:35 -0700 (PDT)
Received: from [192.168.1.168] (76-218-8-128.lightspeed.sntcca.sbcglobal.net [76.218.8.128]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u75EKU6b031871 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Fri, 5 Aug 2016 07:20:30 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1470406831; bh=JkqRDMMMzN1L6AsH4hozWjrV01PcJsimqXndTGELVqE=; h=Subject:To:References:Cc:From:Reply-To:Date:In-Reply-To:From; b=c3dF9qxvqxUEp1oVHsd6AHeLl18zfErcd6SkyrLjrVfOKKBsk9dgLTEFwiDJJHtCG AL/Wp8DeQgt5XexM6piNtQrm8dAXRW16rJWLMx2PO04Qeid5kCAbxy452ZjDIjErEo ULXF4JOnmQCP0jB0ZsX8jXA5mC/eRmpVCFNImcbU=
To: Christer Holmberg <christer.holmberg@ericsson.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <cfd714ce-6145-1b60-aca2-ae702a8c133d@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B4771FF73@ESESSMB209.ericsson.se> <5fdf4ad3-1528-3d79-6bdb-b5eb350e5c2a@alum.mit.edu> <dbb24381-55fd-fa64-d32b-fcc50265ccab@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B47723C55@ESESSMB209.ericsson.se>
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <503738d8-c166-dfc1-d153-338d56b844c1@dcrocker.net>
Date: Fri, 05 Aug 2016 07:20:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B47723C55@ESESSMB209.ericsson.se>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/gGpHW35OvQIYz7poBr9eU8mxiCM>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] JWT/JSON (was - Re: Review of: draft-ietf-stir-passport-05)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2016 14:20:36 -0000

Christer,


On 8/4/2016 11:45 PM, Christer Holmberg wrote:
>
> The receiver needs to be able to parse JSON if the sender includes the
> claims, in order to verify the signature.

Alternatives and options make specifications more complex and often 
introduce potential non-determinacies.  So the 'if' that you cite is not 
a small matter.

In practical terms, the 'if' means that verifiers must be able to parse 
json as well as encode it.


> Also, whatever headers we include, I assume the receiver should be able
> to parse them.
>
> But, parsing JSON is not a difficult thing to do, and there are
> available libraries for those who don't want to implement the parser
> themselves.

Just to make sure this sub-thread retains its context:  I did not 
comment on the choice of JSON/JWT in the actual review.  It's not an 
irrational or horrible choice.

But it does add overhead.  It adds it to the effort needed to understand 
the specifications.  And it adds it to the software.  (It might also add 
it to the execution of the software, but I suspect that is, at worst, a 
negligible difference here.)

One of the more deceptive parts of writing standards is the seduction of 
"is not a difficult thing to do".  In most cases where that sort of 
comment is offered, it is quite true.  The problem is with incremental 
complexities.  A not-difficult here; a not-difficult there... They 
really do mount up.

By way of example, having to send the reader off to become proficient in 
two additional specifications is not a small increment in developmental 
overhead, especially when those specification have no natural -- ie, 
pre-occurring -- relevance to the current work.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

v2.23.0 | Report a Bug | By Email