IETF Logo Mail Archive

Re: [stir] draft-ietf-stir-passport-08

Chris Wendt <chris-ietf@chriswendt.net> Fri, 14 October 2016 02:33 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2988012940D for <stir@ietfa.amsl.com>; Thu, 13 Oct 2016 19:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wjpweK8SNuy0 for <stir@ietfa.amsl.com>; Thu, 13 Oct 2016 19:33:35 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8A71295A8 for <stir@ietf.org>; Thu, 13 Oct 2016 19:33:34 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id f128so117709741qkb.1 for <stir@ietf.org>; Thu, 13 Oct 2016 19:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=zvn2SIuP5Qfoff3vo8BpcT3DGudBkSkuju8j7/eVTpg=; b=TYzR7CCtuC+rxHqTy+KBKzDtwnqryL2QqSgH4edaLPooKE4XelqCplXmKaLAWB4ays HPYLXfv+WU6sSnGhwQOIlJ5wDVSKZrtDezWun+hvcuQQyTEQho5Ia8IwMHzFZSejaCud ZQ2icdQuTEzHEPcH4rMT0QiDqFnm2t7C7H4k8tdUGGCHrJLEAUjoALYYr0GrI6YS0H53 bRNTe9S+LAlfo3zt5d0qbLrXfPihKMJSV4GBBCSWikppXpjYSktIa74nZap+lXq41hcO DnMHZTGVdkfOjhVp4w0SyGUT5HIbWptMCJfc6qlDot2PZhe+n7VQNezNPKa8iUJOYJAe 9yTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=zvn2SIuP5Qfoff3vo8BpcT3DGudBkSkuju8j7/eVTpg=; b=lDyvZg0+0dbNWX/DjLChxGnRLs5h5fnGx7iYrHCUpSUuxRBREO87sRbqBnB9dQNrTj nkNs8C1yunWL3LzVf2UZ2Y76AO3NGpj+OZqyt2kfV43jzuNrNr/SDm8RK6A1VgRbb/pM zf3KvE8AZ7/YXyFnewfLaw0v7xEqhGn3a8AfBAWxA00ijDRjEuaCsC0wj4L/zytRUri/ 0bvwm3D/t6OjtzdRpsaDbU21S5S0erb4Fni1eKurhgXy+Z9T1QUpRmWMbIypSFYEZCii POedlTdJFFHzQDk3AGdx/OZixbFrgt++o1wple6Bp/gPxB9kS5qqOuvYOu2rLRMPGhU6 qeuQ==
X-Gm-Message-State: AA6/9RnugfLxt4bf3n7CMThOibeFmA1dsEP/xzazUh1YSgkQvXMG/WJQ7FREaLobmvsEKg==
X-Received: by 10.55.39.20 with SMTP id n20mr9395979qkn.252.1476412406237; Thu, 13 Oct 2016 19:33:26 -0700 (PDT)
Received: from ?IPv6:2601:41:c101:9364:c85d:e32b:717d:d299? ([2601:41:c101:9364:c85d:e32b:717d:d299]) by smtp.gmail.com with ESMTPSA id s16sm6443283qtc.25.2016.10.13.19.33.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Oct 2016 19:33:25 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <F3010F74-18A2-46A9-83AE-F0F93717AC99@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3E073E7E-DB7E-43BC-90D7-A0D8DEADE447"
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
Date: Thu, 13 Oct 2016 22:33:24 -0400
In-Reply-To: <00cb01d22593$fba8ce50$f2fa6af0$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
References: <065e01d2218f$fea323b0$fbe96b10$@augustcellars.com> <E93058D9-1507-4552-80B1-C019F2D75451@chriswendt.net> <00cb01d22593$fba8ce50$f2fa6af0$@augustcellars.com>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/uJa3awPXN0rqxZC_WKSj1_ZPTcE>
Cc: stir@ietf.org, draft-ietf-stir-passport@ietf.org
Subject: Re: [stir] draft-ietf-stir-passport-08
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 02:33:37 -0000

Hi Jim,

The certificate used for the signature does represent the issuer and is indicated in the x5u.

But i think i get your confusion about what ‘orig’ represents as stated in your last message and will see if there is any more clarity i can provide.

Thanks again!

-Chris


> On Oct 13, 2016, at 4:54 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> I went back to re-read the document and figure out where my confusion was on the issue of who the 'orig' and 'dest' referred to.  This is what I find.
>  
> Origination in the context of PASSporT and for a given application's use of PASSporT is the point in the network that has the authority to assert the caller identity.
>  
> The text then goes on to talk about certificates, which I made the assumption referred to the same certificate as appears in the JWT header under the ‘x5u’ name.
>  
> I think from this is it not unreasonable that I made the assumption that the ‘orig’ field referred not the caller originator but to the issuer of the PASSporT.
>  
> jim
>  
> > -----Original Message-----
> > From: Chris Wendt [mailto:chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>]
> > Sent: Wednesday, October 12, 2016 12:31 PM
> > To: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>>
> > Cc: draft-ietf-stir-passport@ietf.org <mailto:draft-ietf-stir-passport@ietf.org>; stir@ietf.org <mailto:stir@ietf.org>
> > Subject: Re: draft-ietf-stir-passport-08
> >
> > HI Jim,
> >
> > Thanks for the comprehensive review.  I am working through some of the fixes
> > based on your comments.
> > Meanwhile i have the following responses inline.
> >
> > -Chris
> >
> >
> > > On Oct 8, 2016, at 2:15 PM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>> wrote:
> > >
> > > Here is a review of the document as a whole.
> > >
> > > * Section 4 - para 3 - The term "key values" is potentially ambiguous.
> > > This could refer either to the value of the key or the value the key
> > > is pointing to.  I would suggest making this clear.
> >
> > I will use the term  “claim value” which is a RFC 7519 term.  One additional
> > question is whether we say same thing for “claim name” as well?  I suppose we
> > allow it.
> >
> > >
> > > * Section 4 - para 3 - The form you are using for encoding of claims
> > > values has two problems.  The first is that this does not match what
> > > the JSON document says to use "\uXXXX".  The second is that as
> > > written, it is ambiguous.  If I have the US-ASCII string of "%ABCD"
> > > then it does not need to be percent encoded as the string is not outside of the
> > US-ASCII range.
> >
> > Could you provide a pointer to the use of “\uXXX" specifically, we had a working
> > group discussion on this text, but if there is something existing, i haven’t been
> > able to find it.
> >
> > >
> > >  * Section 4.2.1 - General - I am having a hard time with this section
> > > because it is not highlighting the last piece of information that I
> > > think I need to understand for this.  From what I read, I think that
> > > dest == aud in terms of JWT - that is the target of the statement.
> > > Orig == iss in terms of JWT - that is the entity that issued the
> > > statement.  I don't see anything that is telling me what the sub of the JWT is
> > supposed to be.
> > >
> > > It would also be good to say why different items are being defined
> > > that appear to be the same thing as already exist in JWT terms. (Yes,
> > > at the core it is because the types are different.)
> >
> > I don’t believe the mapping of aud and iss are appropriate here.  The “orig” and
> > “dest” claim is specifically the asserted identity, telephone number of caller and
> > callee, but may not correspond to the issuer/signer of the JWT, e.g. service
> > provider.
> >
> > I can explain this in the text if that is helpful.
> >
> > >
> > > * Section 4.2.X - you are not telling me that these are arrays of
> > > "some type" rather than the "some type”.
> >
> > sorry, i’m having trouble figuring out what you mean by this
> >
> > >
> > > * Section 4.2.2 - You are stating that things must occur in a specific
> > > order.  This is not "normal" JSON behavior and not all JSON
> > > serializers may be able to support this behavior.  I think you need
> > > some justification someplace.
> >
> > I plan to move this to the compact form section, since ordering is only really
> > needed for compact form now.
> >
> > >
> > > * Section 5 - I am having a hard time finding the lexicographic order
> > > and white space rules quickly.  A pointer might be reasonable.
> >
> > same answer as above.
> >
> > >
> > > * Section 7 - One issue that I think you need to address in the
> > > extension section is that signaling protocols need to identify what
> > > these new items are so that they can be picked up and placed into the
> > > PASSporT when it is reconstructed.  The destination does not have to
> > > understand the extension, but it does need to understand that the extension
> > exists.
> >
> > This will be defined in the “using protocol” specification, however i can make
> > that clearer
> >
> > >
> > > * Section 8 - You have a problem in that there are no rules in RFC
> > > 7638 for dealing with serialization of integers.  Given that some of
> > > the fields in the JWT are integers this needs to be addressed.  You
> > > might want to move this justification to the top of the document so
> > > that people are prepared for and look for this.
> >
> > wondering if the best way to solve this is to note it and make sure that for any
> > passport extensions that use compact form, they specify the handling integers.
> >
> > >
> > > * Section 8 - Wording problem with saying that "dest" and "mky" need
> > > to follow their OWN rules.  Are these really defined elsewhere or do
> > > you just use the standard rules recursively.
> >
> > will try to clarify
> >
> > >
> > > * Section 9.2 - Consider using a list structure for the asterisk
> > > leading list in this section.
> >
> > Yep, this was just a missed formatting problem
> >
> > >
> > > * Section 10.1.1 - Encoding Considerations - This could be 7 bit as
> > > the value is base64 encoded for normal values and would be UTF8 if you
> > > used the full JOSE signature structure which you do not.
> >
> > Ok, will look at changing this.
> >
> > >
> > > * General - I was really tired when I read through this and I kept
> > > getting tripped up on prose.  I did not write down all of the items
> > > which bothered me and now I have read it enough that it is harder for me to
> > locate them.
> > > However, I would request that the authors perform some method of
> > > detailed reading to check for this.  I frequently read the text aloud
> > > to myself for this purpose.  Alternatively, you can just wait for the copy
> > editors.
> > >
> > > Jim
> > >
> > >
> > >

v2.23.0 | Report a Bug | By Email