Re: [stir] certificates draft - JWT claim constraints question

Russ Housley <housley@vigilsec.com> Tue, 21 February 2017 15:45 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <F084B297-D7F3-41EE-893E-838253041DDE@chriswendt.net>
Date: Tue, 21 Feb 2017 10:45:41 -0500
Message-Id: <C887D3AA-A8F8-4959-8469-497F8003385F@vigilsec.com>
References: <F084B297-D7F3-41EE-893E-838253041DDE@chriswendt.net>
To: Chris Wendt <chris-ietf@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/m4fUXZUEkKRehldUSw1uU9GrDYg>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] certificates draft - JWT claim constraints question

Chris:

Yes, the inclusion of JWT Claim Constraints is OPTIONAL.

I can think of reasons that a top-level CA might want to constrain an intermediate CA to a set of telephone numbers.  In this case, the permitted part of the extension would be used to name the set of telephone numbers.  The signature validation would fail if the intermediate CA issued a certificate outside of that set.

Russ


> On Feb 21, 2017, at 7:15 AM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
> 
> Just wanted to verify my understanding of the JWT Claim Constraints.  
> 
> My reading of the text is that JWT Claim constraints is not mandatory, but can be used as an enforcement mechanism to explicitly make sure that any Passport object is signed with a specific set of claims, or explicitly does not contain certain claims.
> 
> I’m also assuming that in general practice you wouldn’t include any base claims (otherwise the Passport validation would fail in either case) and likely only include extensions that are mandatory/mandatory to NOT be there from the signer's perspective.
> 
> Does this match the intention?
>
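As an added illustration of both points in this exchange (the claim constraints Chris asks about, and the telephone-number constraint on an intermediate CA that Russ describes), here is a small verifier-side check in Python. It is example code, not the draft's or any implementation's, and the constraint shapes (must-include / must-exclude claim lists, and permitted numbers given as single numbers or (start, count) ranges) are assumptions for illustration.

```python
# Added example, not from the draft or the thread: check a decoded PASSporT
# payload against the claim constraints carried in the signing certificate, and
# check that an intermediate CA's permitted telephone numbers cover every number
# an end-entity certificate names. Constraint shapes are assumptions, not the
# draft's ASN.1 encoding.

def check_claim_constraints(payload, must_include=(), must_exclude=()):
    """Return the list of violations; an empty list means the payload conforms."""
    problems = []
    for claim in must_include:
        if claim not in payload:
            problems.append(f"required claim {claim!r} is missing")
    for claim in must_exclude:
        if claim in payload:
            problems.append(f"forbidden claim {claim!r} is present")
    return problems


def tn_permitted(tn, permitted):
    """Permitted entries are either a single number or a (start, count) range of
    consecutive numbers; numbers are digit strings without a leading '+'."""
    for entry in permitted:
        if isinstance(entry, tuple):
            start, count = entry
            if len(tn) == len(start) and int(start) <= int(tn) < int(start) + count:
                return True
        elif tn == entry:
            return True
    return False


def check_issuance(intermediate_permitted, end_entity_tns):
    """Numbers the intermediate CA is not allowed to certify (empty means OK)."""
    return [tn for tn in end_entity_tns if not tn_permitted(tn, intermediate_permitted)]


# Constructed sample data, not a real PASSporT or certificate.
SAMPLE_PAYLOAD = {
    "attest": "A",
    "dest": {"tn": ["12155551213"]},
    "iat": 1487688341,
    "orig": {"tn": "12155551212"},
    "origid": "123e4567-e89b-12d3-a456-426655440000",
}
INTERMEDIATE_PERMITTED = [("12155551000", 1000), "12025550100"]

if __name__ == "__main__":
    # Require the SHAKEN extension claims, forbid the "rph" extension claim.
    print(check_claim_constraints(SAMPLE_PAYLOAD, ["attest", "origid"], ["rph"]))
    print(check_issuance(INTERMEDIATE_PERMITTED, ["12155551212", "13015550199"]))
```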