Re: [stir] draft-housley-stir-enhance-rfc8226-00

Jack Rickard <Jack.Rickard@metaswitch.com> Thu, 04 February 2021 16:21 UTC

From: Jack Rickard <Jack.Rickard@metaswitch.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
CC: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Date: Thu, 04 Feb 2021 16:21:04 +0000

Thank you, that's really useful information.

Jack

From: stir <stir-bounces@ietf.org> On Behalf Of Chris Wendt
Sent: 02 February 2021 16:03
To: Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org>
Cc: IETF STIR Mail List <stir@ietf.org>; Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-housley-stir-enhance-rfc8226-00

Hi Jack,

We want to make sure we can easily constrain the ability for someone to add claims they are not allowed to and make them look legit, in particular this becomes more relevant with delegation (or at least this is where we hit these requirements while going through the use-cases).  So rather than just constrain the fact that you must have a particular claim, constrain the fact that they shouldn't be there. There are techniques we discussed working with current mechanisms in 8226, but we thought it might be more clear and explicit to have these new constraints.

-Chris


On Feb 2, 2021, at 6:10 AM, Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org> wrote:

This looks fine from my point of view, however, what is the actual motivation behind this? I'd like to know why these extra constraint options need to be added before supporting it.

Thanks,
Jack

From: stir <stir-bounces@ietf.org> On Behalf Of Russ Housley
Sent: 21 January 2021 21:32
To: IETF STIR Mail List <stir@ietf.org>
Subject: [stir] draft-housley-stir-enhance-rfc8226-00

Please review and comment.  Chris Wendt has found some use cases where the JWT Claims Constraints in RFC 8226 are not adequate.  This I-D proposes an enhancement to make the constraints more rich.

Russ




From: internet-drafts@ietf.org
Subject: New Version Notification for draft-housley-stir-enhance-rfc8226-00.txt
Date: January 21, 2021 at 4:29:14 PM EST
To: "Russ Housley" <housley@vigilsec.com>


A new version of I-D, draft-housley-stir-enhance-rfc8226-00.txt
has been successfully submitted by Russ Housley and posted to the
IETF repository.

Name: draft-housley-stir-enhance-rfc8226
Revision: 00
Title: Enhanced JWT Claim Constraints for STIR Certificates
Document date: 2021-01-21
Group: Individual Submission
Pages: 8
URL:            https://www.ietf.org/archive/id/draft-housley-stir-enhance-rfc8226-00.txt
Status:         https://datatracker.ietf.org/doc/draft-housley-stir-enhance-rfc8226/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-stir-enhance-rfc8226
Htmlized:       https://tools.ietf.org/html/draft-housley-stir-enhance-rfc8226-00


Abstract:
  RFC 8226 provides a certificate extension to constrain the JWT claims
  that can be included in the PASSporT as defined in RFC 8225.  If the
  signer includes a JWT claim outside the constraint boundaries, then
  the recipient will reject the entire PASSporT.  This document defines
  additional ways that the JWT claims can be constrained.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat



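As an added illustration of the constraint checking this thread discusses (example code written for this archive page, not from the draft, RFC 8226, or any poster), the block below evaluates a PASSporT's claims against a certificate's constraints with RFC 8226's reject-the-entire-PASSporT semantics. The mustInclude and permittedValues fields are RFC 8226's; the mustExclude list is an assumption modelled on Chris's stated goal of forbidding claims a signer is not allowed to add, and the sample PASSporT and constraint values are constructed.

```python
# Added example, not code from the thread or the draft. Field names
# mustInclude / permittedValues follow RFC 8226's JWTClaimConstraints;
# mustExclude is an assumed name for the "this claim must not be there"
# constraint the thread describes. All sample data below is constructed.
from typing import Any, Dict, List


def check_claim_constraints(passport_claims: Dict[str, Any],
                            constraints: Dict[str, Any]) -> List[str]:
    """Return every violation found; an empty list means the PASSporT passes.

    Per RFC 8226 a single violation means the recipient rejects the entire
    PASSporT, so a non-empty result means "reject", never "strip the claim".
    """
    violations = []
    # mustInclude: each listed claim name has to be present in the payload.
    for name in constraints.get("mustInclude", []):
        if name not in passport_claims:
            violations.append(f"missing required claim {name!r}")
    # permittedValues: a present claim must carry one of the allowed values.
    for name, allowed in constraints.get("permittedValues", {}).items():
        if name in passport_claims and passport_claims[name] not in allowed:
            violations.append(f"claim {name!r} has value "
                              f"{passport_claims[name]!r}, not in {allowed!r}")
    # mustExclude (enhanced constraint): the claim must be absent entirely,
    # whatever value it would carry.
    for name in constraints.get("mustExclude", []):
        if name in passport_claims:
            violations.append(f"claim {name!r} is present but excluded")
    return violations


def passport_accepted(passport_claims: Dict[str, Any],
                      constraints: Dict[str, Any]) -> bool:
    return not check_claim_constraints(passport_claims, constraints)


# Constructed certificate constraints for a delegated signer: it must carry an
# "origid", may only assert full attestation ("A"), and must not add an "rph"
# (resource priority) claim at all.
CERT_CONSTRAINTS = {"mustInclude": ["origid"],
                    "permittedValues": {"attest": ["A"]},
                    "mustExclude": ["rph"]}
GOOD_PASSPORT = {"attest": "A", "dest": {"tn": ["12155551213"]},
                 "iat": 1612456864, "orig": {"tn": "12155551212"},
                 "origid": "123e4567-e89b-12d3-a456-426655440000"}
# Same payload but with a downgraded attestation and a forbidden claim added.
BAD_PASSPORT = dict(GOOD_PASSPORT, attest="C", rph={"auth": ["ets.0"]})

if __name__ == "__main__":
    print(check_claim_constraints(GOOD_PASSPORT, CERT_CONSTRAINTS))
    for v in check_claim_constraints(BAD_PASSPORT, CERT_CONSTRAINTS):
        print("reject PASSporT:", v)
```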