Re: [stir] Alexey Melnikov's Discuss on draft-ietf-stir-certificates-11: (with DISCUSS and COMMENT)

"Peterson, Jon" <> Thu, 03 November 2016 13:12 UTC

From: "Peterson, Jon" <>
To: Alexey Melnikov <>, Alissa Cooper <>
Date: Thu, 03 Nov 2016 13:12:36 +0000
Cc: Russ Housley <>, IETF STIR Mail List <>, IESG <>, Robert Sparks <>

>A followup question: what is the syntax of claim name? (I understand
>that IA5String provides a restriction, but I am wondering if many people
>outside of Security area actually know what these restrictions are).

PASSporT claim names are simply JWT claim names (per stir-passport Section
5), and...

>Are claim tokens likely to be allocated by IANA?

... PASSporT simply reuses the IANA allocation method of JWT, so yes, the
claims are allocated by IANA. This is the registry.

To your more recent question, "I was also wondering if any of these values
can possibly contain non-ASCII Unicode characters, and if they do, how can
they be encoded as IA5String." If the question is "can possibly" then I'm
not sure JWS/JWT specifically bars it (someone likely knows better than
me; this may just devolve back to how JSON member strings are defined).
However, I don't think any of the existing or planned registered values
fall outside of ASCII ranges. I don't think I'd lose much sleep over it,
given what the review processes are like and what the likely constraints
are that CAs would want to apply.

Jon Peterson
Neustar, Inc.
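An added example, not code from this thread or from the STIR drafts, of the point under discussion: a JSON member string in a JWT payload may carry non-ASCII characters, while IA5String cannot. The code decodes a constructed PASSporT-style payload, attempts to DER-encode each claim name as an IA5String, and separates the names that fit from those that do not. The payloads, the claim name "café" and all helper names are constructed assumptions.

```python
import base64
import json

# Constructed sample payloads (assumptions, not taken from any draft).
# The second one carries a claim name with a non-ASCII character; JSON
# permits this, either literally or as the escape "\u00e9".
ASCII_PAYLOAD = {"orig": {"tn": "12155551212"},
                 "dest": {"tn": ["12155551213"]}, "iat": 1443208345}
NON_ASCII_PAYLOAD = {"orig": {"tn": "12155551212"},
                     "caf\u00e9": "x", "iat": 1443208345}


def b64url_encode_json(obj):
    """Serialise a JSON object as an unpadded base64url JWT payload segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(segment):
    """Restore padding and decode a base64url JWT payload segment to a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def der_ia5string(s):
    """DER-encode s as an IA5String (tag 0x16).

    IA5 is the 7-bit range 0x00-0x7F, so anything that is not pure ASCII is
    rejected here rather than silently mangled; that is exactly the gap
    between JSON strings and the IA5String fields in the certificate.
    """
    try:
        body = s.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("not IA5-encodable: %r" % s)
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x16" + length + body


def ia5_claim_names(segment):
    """Return (accepted, rejected) claim names from a payload segment."""
    accepted, rejected = [], []
    for name in decode_payload(segment):
        try:
            der_ia5string(name)
            accepted.append(name)
        except ValueError:
            rejected.append(name)
    return accepted, rejected
```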