IETF Logo Mail Archive

Re: [stir] Review of: draft-ietf-stir-passport-05

Richard Shockey <richard@shockey.us> Sun, 31 July 2016 22:04 UTC

Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EAFC128B44 for <stir@ietfa.amsl.com>; Sun, 31 Jul 2016 15:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level:
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=shockey.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0e2hlqFnB7vv for <stir@ietfa.amsl.com>; Sun, 31 Jul 2016 15:04:13 -0700 (PDT)
Received: from qproxy4-pub.mail.unifiedlayer.com (qproxy4-pub.mail.unifiedlayer.com [66.147.248.250]) by ietfa.amsl.com (Postfix) with SMTP id E92C0120727 for <stir@ietf.org>; Sun, 31 Jul 2016 15:04:12 -0700 (PDT)
Received: (qmail 21612 invoked by uid 0); 31 Jul 2016 22:04:11 -0000
Received: from unknown (HELO cmgw4) (10.0.90.85) by qproxy4.mail.unifiedlayer.com with SMTP; 31 Jul 2016 22:04:11 -0000
Received: from box462.bluehost.com ([74.220.219.62]) by cmgw4 with id RZz51t00N1MNPNq01Zz8qS; Sun, 31 Jul 2016 15:59:11 -0600
X-Authority-Analysis: v=2.1 cv=TIHWFTVa c=1 sm=1 tr=0 a=jTEj1adHphCQ5SwrTAOQMg==:117 a=jTEj1adHphCQ5SwrTAOQMg==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=ZZnuYtJkoWoA:10 a=8WrITzYgnNwA:10 a=fGh7L_e3oJcA:10 a=cAmyUtKerLwA:10 a=jqBRFv0mrdUA:10 a=PeFO9FbFhS32YxYntvkA:9 a=ll-iCDY8AAAA:8 a=M0OflfRGAAAA:8 a=48vgC7mUAAAA:8 a=yPCof4ZbAAAA:8 a=0FD05c-RAAAA:8 a=w1VtefKfAAAA:8 a=k7Ga1wGzAAAA:8 a=hGBaWAWWAAAA:8 a=b8OvNEjoAAAA:8 a=H6a27rHQTCv8QhYuVLcA:9 a=R1q4_3SKjNb_OP2e:21 a=jVfCNFjSKRsXVbyd:21 a=QEXdDO2ut3YA:10 a=ivbTfD_dPm4A:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=k-VgjUayQLU6O5rn:21 a=U0lq39m2DQiiobeZ:21 a=vSxtA0s0qwrdJr8q:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10 a=vECW0zx54cF425OfbGUA:9 a=n3BslyFRqc0A:10 a=NWVoK91CQySWRX1oVYDe:22 a=VpyrLIdO_Ztbr3SWPBuH:22 a=6yl0mh0s51TKORVA8GqK:22 a=w1C3t2QeGrPiZgrLijVG:22 a=2lfDSYhZ3Z6b8uxcDO-Z:22 a=l1rpMCqCXRGZwUSuRcM3:22 a=xm8PXHvXF9WL09pmvKgj:22 a=ijMaxGghyylP-n2pFjDB:22 a=Q-ofuW86YyylptHqTH-7:22 a=xfJ8-ueq0pyqlCF7aVox:22 a=BKKCjISod1eDJeS0ORpz:22 a=zjWhRoSqWz9hl55Hdlzg:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-type:Mime-version:In-Reply-To:References:Message-ID:To: From:Subject:Date; bh=LrBKAC2Wj2x40uFTgrGg8aeuMOKus9sS7zfIZVSSU88=; b=isF2fZi cmhoF+iHzSydwSMrw1J/eatbkBknaV3ur5GbKHM9CIxyhoPG/Tt4pI+xf42Z28AB69ZgYcrmNgHKO 9atpQF+u47uIopY4J8lS1x2D0d6mn6QPYedjlSptw0+U;
Received: from [100.36.21.178] (port=65131 helo=[192.168.1.152]) by box462.bluehost.com with esmtpa (Exim 4.86_2) (envelope-from <richard@shockey.us>) id 1bTylE-0001J4-Vu for stir@ietf.org; Sun, 31 Jul 2016 15:59:05 -0600
User-Agent: Microsoft-MacOutlook/f.18.0.160709
Date: Sun, 31 Jul 2016 17:59:04 -0400
From: Richard Shockey <richard@shockey.us>
To: "stir@ietf.org" <stir@ietf.org>
Message-ID: <F60B6C32-7424-487E-B582-CD2E30DBDFEF@shockey.us>
Thread-Topic: [stir] Review of: draft-ietf-stir-passport-05
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <D3C19686.1A6A4E%jon.peterson@neustar.biz> <dd60178b-fa24-5099-166c-f8a0093cb668@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B476FE6CB@ESESSMB209.ericsson.se> <7f35b810-0eca-5140-060e-4aef03449c21@dcrocker.net> <D9F5ECF9-3ED0-478A-9261-2892AF9EAB8F@chriswendt.net> <7594FB04B1934943A5C02806D1A2204B477074D5@ESESSMB209.ericsson.se>
In-Reply-To: <BC7D5760-CFAB-491C-94AC-BA37C976DF6D@oracle.com>
Mime-version: 1.0
Content-type: multipart/mixed; boundary="B_3552832744_1985436438"
X-Identified-User: {3286:box462.bluehost.com:shockeyu:shockey.us} {sentby:smtp auth 100.36.21.178 authed with richard+shockey.us}
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box462.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - shockey.us
X-Source-IP: 100.36.21.178
X-Exim-ID: 1bTylE-0001J4-Vu
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([192.168.1.152]) [100.36.21.178]:65131
X-Source-Auth: richard+shockey.us
X-Email-Count: 0
X-Source-Cap: c2hvY2tleXU7c2hvY2tleXU7Ym94NDYyLmJsdWVob3N0LmNvbQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/jt6_Xg8TviU6MExMcMwjJhFAauU>
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jul 2016 22:04:16 -0000

Yep… +1 

 

Dave whats the problem here? What do you want?  

 

We choose JWT for a perfectly rational and technically elegant reasons.  We do know what data we want assert and sign. 

 

On one point we totally agree. I have been less than satisified on how this actually looks on the wire. Examples. Jon has acknoledged this in his presentation in Berlin.  

 

Fine picture from my presentation to the Genband conference BTW. 

 

Where do the claims go in the INVITE.  I’m prepared to accept less than perfect since I know there are other bodies ready to provide guidence in order to accelerate adoption among the vendor community. 

 

We think it will work and we have virturilly the entire US voice communicaitons industry using E164 addressing,  as well at the NRA in the US and elsewhere lined up ready to GO. 

 

I support the last call I have trust the authors can provide revisions that can address some of the issues raised. 

 

 

Richard Shockey

Shockey Consulting LLC

Chairman of the Board SIP Forum

www.shockey.us

www.sipforum.org

richard<at>shockey.us

Skype-Linkedin-Facebook rshockey101

PSTN +1 703-593-2683

 

 

 

 

From: stir <stir-bounces@ietf.org> on behalf of Victor Pascual <victor.pascual.avila@oracle.com>
Date: Sunday, July 31, 2016 at 2:44 PM
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Chris Wendt <chris-ietf@chriswendt.net>, "dcrocker@bbiw.net" <dcrocker@bbiw.net>, "Peterson, Jon" <jon.peterson@neustar.biz>, IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05

 

Fully agree


On 31 Jul 2016, at 19:54, Christer Holmberg <christer.holmberg@ericsson.com> wrote:

Hi,

I agree with Chris. JWT is NOT a mechanism to sign any arbitrary JSON structure. JWT is a mechanism to sign data, and it uses a specific JSON structure (header, claims etc) for doing so. In addition, it provides a mechanism to signal what data/algorithm is used to calculate the signature.

Regards,

Christer

Sent from my Windows Phone

From: Chris Wendt
Sent: ‎31/‎07/‎2016 00:08
To: dcrocker@bbiw.net
Cc: Christer Holmberg; Peterson, Jon; IETF STIR Mail List
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05

Hi Dave,

I’m not following your argument that because there isn’t a JSON object to sign, we can’t use JWT?
In general, most/all uses of JWT don’t sign an existing object, a set of claims are constructed into a JSON payload that is signed.
There are JWT defined claims precisely defined to create a secure token intentionally meant to be only signed in a JWT.

So to me, we are more than appropriately using JSON and JWT.

It is in 4474bis, we define the exact information to construct the JSON payload object to be signed, so please refer to that.

There are many advantages to using the JWT construct both for STIR charter specifically and elsewhere.

Is that a bad thing?

-Chris

> On Jul 30, 2016, at 9:03 AM, Dave Crocker <dhc@dcrocker.net> wrote:
> 
> Christer,
> 
> Thanks for the background...
> 
> On 7/30/2016 4:30 AM, Christer Holmberg wrote:
>> I am the one who originally suggested the usage of JWT. I don't
>> understand the claim that JWT is "outside the context of SIP". JWT is a
>> generic/standardized mechanism how to calculate and encode a signature,
> 
> Actually, it isn't.
> 
> It's own opening text [RFC 7519] says it is "a compact, URL-safe means of representing claims to be transferred between two parties" but more importantly for this issue, it goes on to say:
> 
>   "encoded as a JSON object that is used as the payload of a JSON
>   Web Signature (JWS) structure or as the plaintext of a JSON Web
>   Encryption (JWE) structure"
> 
> That is, it provides value-added functions... to a JSON object (structure).  However SIP doesn't have a JSON object to sign.  So the working group has had to invent a JSON-based abstraction of SIP header information and then sign it.
> 
> Now it has to invent an encoding for the resulting signature.  It would have to do that for a SIP call, no matter the signature's computational abstraction, but because that abstraction is actually an independent format, it wound up distracting the wg from doing a complete job -- so far, after 3 years -- of defining all the details for a complete authentication mechanism.
> 
> From what I can tell of the email record for the wg, the unfortunate part of the discussion about choices here was to count JSON/JWT as something other than an abstraction.
> 
> Signing an object requires defining the data over which the signature will be made, and how that data will be fed into the signing algorithm. Necessarily, that defines an abstraction of the data.  (Canonicalization seems to be a common component of that abstraction, for example.)
> 
> There might be nothing different or better (or, probably, worse) about JWT in those terms; I haven't tried to evaluate it in those terms.  The problem is that its existence as a distinct format has caused the working group to worry about that new and independent object as distinct from the SIP data being signed, rather than as a computational result that then needs to be stored into the SIP header.  So all of the discussion about what to do with the JWT object is additional wg overhead and, IMO, a complete distraction for the primary task of the working group.  (My guess is that there is also added overall system complexity, but I won't press that concern, at this point.)
> 
> Arguments that it's a general mechanism for use in other aspects of this space are always appealing. However they are, so far, without merit in the working group context: There are no specifications for any of those other uses.
> 
> And the wg still hasn't resolved the very basic and very essential step of putting the signature into the SIP header.
> 
> 
> 
>>     If we would NOT use JWT we would
>> probably have to define more STIR-specific procedures regarding the
>> calculating/encoding of the signature ourselves. It's better to use a
>> standardized mechanism in my opinion.
> 
> Well, yeah, I thought/think that too, which was why I originally suggested adapting DKIM. (DANE might be another relevant choice.)  DKIM offers an extremely high point of departure for SIP header signing.  The continued lack of complete specification details about use with SIP demonstrates that JWT doesn't.
> 
> 
>> I am also the one who raised the encoding issue in Berlin. But that was
>> not related to the usage of JWT as such, but to the fact that we don't
>> carry the encoded JWT object in one piece in the SIP message. We "split"
>> the object into two pieces, and carry one piece as the Identity header
>> field value, and the other piece as the canon header field parameter
>> value.
> 
> Right.  And the point I'm raising is not about the details of that choice but the fact that it still hasn't been made at this very late stage.
> 
> Besides merely being a missing, essential bit of system specification, it suggests that the wg is still not completely clear about the concrete use of this capability.
> 
> 
> d/
> -- 
> 
>  Dave Crocker
>  Brandenburg InternetWorking
>  bbiw.net
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

_______________________________________________
stir mailing list
stir@ietf.org
https://www.ietf.org/mailman/listinfo/stir

_______________________________________________ stir mailing list stir@ietf.org https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email