Re: [stir] draft-housley-stir-enhance-rfc8226-00

Chris Wendt <chris-ietf@chriswendt.net> Tue, 02 February 2021 16:02 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Date: Tue, 02 Feb 2021 11:02:40 -0500
Cc: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
To: Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/rS38M8ZTH-51Xh2RFJrZZb_BXJc>

Hi Jack,

We want to make sure we can easily constrain the ability for someone to add claims they are not allowed to and make them look legit; in particular this becomes more relevant with delegation (or at least this is where we hit these requirements while going through the use-cases).  So rather than just constrain the fact that you must have a particular claim, constrain the fact that they shouldn’t be there. There are techniques we discussed working with current mechanisms in 8226, but we thought it might be more clear and explicit to have these new constraints.

-Chris

> On Feb 2, 2021, at 6:10 AM, Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org> wrote:
> 
> This looks fine from my point of view, however, what is the actual motivation behind this? I'd like to know why these extra constraint options need to be added before supporting it.
>  
> Thanks,
> Jack
>  
> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: 21 January 2021 21:32
> To: IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>
> Subject: [stir] draft-housley-stir-enhance-rfc8226-00
>  
> Please review and comment.  Chris Wendt has found some use cases where the JWT Claims Constraints in RFC 8226 are not adequate.  This I-D proposes an enhancement to make the constraints more rich.
>  
> Russ
>  
> 
> 
> From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
> Subject: New Version Notification for draft-housley-stir-enhance-rfc8226-00.txt
> Date: January 21, 2021 at 4:29:14 PM EST
> To: "Russ Housley" <housley@vigilsec.com <mailto:housley@vigilsec.com>>
>  
> 
> A new version of I-D, draft-housley-stir-enhance-rfc8226-00.txt
> has been successfully submitted by Russ Housley and posted to the
> IETF repository.
> 
> Name: draft-housley-stir-enhance-rfc8226
> Revision: 00
> Title: Enhanced JWT Claim Constraints for STIR Certificates
> Document date: 2021-01-21
> Group: Individual Submission
> Pages: 8
> URL:            https://www.ietf.org/archive/id/draft-housley-stir-enhance-rfc8226-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-housley-stir-enhance-rfc8226/
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-stir-enhance-rfc8226
> Htmlized:       https://tools.ietf.org/html/draft-housley-stir-enhance-rfc8226-00
> 
> 
> Abstract:
>   RFC 8226 provides a certificate extension to constrain the JWT claims
>   that can be included in the PASSporT as defined in RFC 8225.  If the
>   signer includes a JWT claim outside the constraint boundaries, then
>   the recipient will reject the entire PASSporT.  This document defines
>   additional ways that the JWT claims can be constrained.
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
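Chris's point above (constrain which claims must not be present, not only which must be) together with the abstract's rule that a claim outside the constraints rejects the whole PASSporT, as an added Python example that is not code from the draft, RFC 8226 or anyone in this thread; the `must_exclude` field name, the `rcd` scenario and every sample value are assumptions constructed for illustration.

```python
"""Verifier-side check of STIR JWT claim constraints.

Added example for this thread, not code from the draft or RFC 8226. It models
the RFC 8226 fields (mustInclude, permittedValues) plus an exclusion list in the
direction the draft describes; must_exclude and all sample values are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClaimConstraints:
    must_include: frozenset = frozenset()                  # claims that must appear
    permitted_values: dict = field(default_factory=dict)   # claim -> tuple of allowed values
    must_exclude: frozenset = frozenset()                  # claims that must not appear (assumed)


def check_passport_claims(payload: dict, c: ClaimConstraints) -> list:
    """Return every violation; an empty list means accept. One violation is
    enough for the verifier to reject the whole PASSporT, as the abstract says."""
    present = set(payload)
    violations = [f"missing required claim {n!r}" for n in sorted(c.must_include - present)]
    violations += [f"forbidden claim {n!r} present" for n in sorted(c.must_exclude & present)]
    for name, allowed in sorted(c.permitted_values.items()):
        if name in payload and payload[name] not in allowed:
            violations.append(f"claim {name!r} = {payload[name]!r} not in {allowed!r}")
    return violations


# Constructed PASSporT payload (RFC 8225 claim names) signed by a delegate that
# also added a claim the delegating party never authorised it to assert.
DELEGATE_PAYLOAD = {
    "attest": "B",
    "dest": {"tn": ["12155551001"]},
    "iat": 1612281760,
    "orig": {"tn": "12155551000"},
    "rcd": {"nam": "Example Co"},   # the unauthorised extra claim (constructed)
}

# RFC 8226-style constraints alone: required claims and permitted attestation levels.
RFC8226_ONLY = ClaimConstraints(
    must_include=frozenset({"attest", "dest", "iat", "orig"}),
    permitted_values={"attest": ("B", "C")},
)
# The same constraints plus an exclusion, which is what the enhancement adds.
ENHANCED = ClaimConstraints(
    must_include=RFC8226_ONLY.must_include,
    permitted_values=RFC8226_ONLY.permitted_values,
    must_exclude=frozenset({"rcd"}),
)
```

With `RFC8226_ONLY` the extra claim passes unchallenged, because nothing in mustInclude or permittedValues speaks to it; with `ENHANCED` the same PASSporT is rejected.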