Re: [stir] draft-housley-stir-enhance-rfc8226-00
Jack Rickard <Jack.Rickard@metaswitch.com> Thu, 04 February 2021 16:21 UTC
From: Jack Rickard <Jack.Rickard@metaswitch.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
CC: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: [stir] draft-housley-stir-enhance-rfc8226-00
Date: Thu, 04 Feb 2021 16:21:04 +0000
Message-ID: <BYAPR02MB51898A4BC8CE028D3FEC6FBAF3B39@BYAPR02MB5189.namprd02.prod.outlook.com>
References: <161126455434.3362.14572023954174036871@ietfa.amsl.com> <6515CC12-1A12-4524-9EB9-5C46D01855CF@vigilsec.com> <BYAPR02MB518990628D397B1CDB44839EF3B59@BYAPR02MB5189.namprd02.prod.outlook.com> <8A5A293C-F08E-453F-BF19-C3D2C48AEE54@chriswendt.net>
In-Reply-To: <8A5A293C-F08E-453F-BF19-C3D2C48AEE54@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/UEBCef173ozJXoKGPLkF1nFhDW4>
Thank you, that's really useful information.

Jack

From: stir <stir-bounces@ietf.org> On Behalf Of Chris Wendt
Sent: 02 February 2021 16:03
To: Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org>
Cc: IETF STIR Mail List <stir@ietf.org>; Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-housley-stir-enhance-rfc8226-00

Hi Jack,

We want to make sure we can easily constrain the ability for someone to add claims they are not allowed to and make them look legit; in particular this becomes more relevant with delegation (or at least this is where we hit these requirements while going through the use-cases). So rather than just constrain the fact that you must have a particular claim, constrain the fact that they shouldn't be there. There are techniques we discussed working with current mechanisms in 8226, but we thought it might be more clear and explicit to have these new constraints.

-Chris

On Feb 2, 2021, at 6:10 AM, Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org> wrote:

This looks fine from my point of view; however, what is the actual motivation behind this? I'd like to know why these extra constraint options need to be added before supporting it.

Thanks,
Jack

From: stir <stir-bounces@ietf.org> On Behalf Of Russ Housley
Sent: 21 January 2021 21:32
To: IETF STIR Mail List <stir@ietf.org>
Subject: [stir] draft-housley-stir-enhance-rfc8226-00

Please review and comment.

Chris Wendt has found some use cases where the JWT Claims Constraints in RFC 8226 are not adequate. This I-D proposes an enhancement to make the constraints more rich.

Russ

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-housley-stir-enhance-rfc8226-00.txt
Date: January 21, 2021 at 4:29:14 PM EST
To: "Russ Housley" <housley@vigilsec.com>

A new version of I-D, draft-housley-stir-enhance-rfc8226-00.txt has been successfully submitted by Russ Housley and posted to the IETF repository.

Name: draft-housley-stir-enhance-rfc8226
Revision: 00
Title: Enhanced JWT Claim Constraints for STIR Certificates
Document date: 2021-01-21
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/archive/id/draft-housley-stir-enhance-rfc8226-00.txt
Status: https://datatracker.ietf.org/doc/draft-housley-stir-enhance-rfc8226/
Htmlized: https://datatracker.ietf.org/doc/html/draft-housley-stir-enhance-rfc8226
Htmlized: https://tools.ietf.org/html/draft-housley-stir-enhance-rfc8226-00

Abstract:
RFC 8226 provides a certificate extension to constrain the JWT claims that can be included in the PASSporT as defined in RFC 8225. If the signer includes a JWT claim outside the constraint boundaries, then the recipient will reject the entire PASSporT. This document defines additional ways that the JWT claims can be constrained.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
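The check the thread is arguing about, as an added example that is not code from the thread, from RFC 8226 or from the draft: a verifier applying RFC 8226's mustInclude / permittedValues constraints to a decoded PASSporT claim set, plus the "claims that shouldn't be there" rule Chris describes. The constraint shape, the name "mustExclude" and the sample certificate constraints and PASSporT payload are assumptions constructed for this example.

```python
# Added example, not code from the thread or from the draft it discusses.
# It models a verifier applying certificate claim constraints to a decoded
# PASSporT claim set: RFC 8226's mustInclude / permittedValues, plus the
# exclusion list the thread argues for (the name "mustExclude" is an
# assumption; the -00 draft's exact ASN.1 is not quoted on this page).

def check_claims(claims, constraints):
    """Return the list of constraint violations for a PASSporT claim set.

    Empty means the PASSporT passes. RFC 8226 makes a claim outside the
    constraint boundaries fatal for the whole PASSporT, so callers treat a
    non-empty list as rejection. Values are compared at the top level only.
    """
    problems = []
    # Claims that must be present in every PASSporT signed under this cert.
    for name in constraints.get("mustInclude", ()):
        if name not in claims:
            problems.append(f"missing required claim {name!r}")
    # If a listed claim is present, its value must be one of those permitted.
    for name, allowed in constraints.get("permittedValues", {}).items():
        if name in claims and claims[name] not in allowed:
            problems.append(
                f"claim {name!r} has value {claims[name]!r} outside permitted set")
    # The enhancement: claims that must NOT appear at all, so a delegate cannot
    # add a claim it was never authorised for and have it look legitimate.
    for name in constraints.get("mustExclude", ()):
        if name in claims:
            problems.append(f"claim {name!r} present but excluded by the certificate")
    return problems


def passport_accepted(claims, constraints):
    """True only when no constraint is violated (all-or-nothing rejection)."""
    return not check_claims(claims, constraints)


# Constructed sample: a delegate certificate limited to attestation B or C
# that may never assert the "rcd" (rich call data) claim.
SAMPLE_CONSTRAINTS = {
    "mustInclude": ["attest", "origid"],
    "permittedValues": {"attest": ["B", "C"]},
    "mustExclude": ["rcd"],
}
# Constructed PASSporT payload with placeholder telephone numbers.
SAMPLE_CLAIMS = {
    "attest": "B",
    "dest": {"tn": ["12155550100"]},
    "iat": 1612455664,
    "orig": {"tn": "12155550199"},
    "origid": "123e4567-e89b-12d3-a456-426655440000",
}
```

Adding an "rcd" object to SAMPLE_CLAIMS, or changing "attest" to "A", yields exactly one violation each, and either is enough to reject the whole PASSporT.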