Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?

Chris Wendt <chris-ietf@chriswendt.net> Wed, 24 January 2018 13:44 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B6C13B5EB@ESESSMB109.ericsson.se>
Date: Wed, 24 Jan 2018 06:44:39 -0700
Cc: "stir@ietf.org" <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <26D4A77C-8860-41A0-8608-2FCE10FE9942@chriswendt.net>
References: <7594FB04B1934943A5C02806D1A2204B6C13837A@ESESSMB109.ericsson.se> <41C6125A-C90A-4187-9B6E-267DAE44DF8B@chriswendt.net> <7594FB04B1934943A5C02806D1A2204B6C13B5EB@ESESSMB109.ericsson.se>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/uLBBY4VnJ96hM03L756N5mOcotc>
Subject: Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>

Hi Christer,

I guess I’m not following what’s not clear. If you MUST only have one orig claim and one identity in that claim, that seems to be pretty clear to me that you cannot either not have an orig claim or have more than one.  I guess maybe I’m missing something subtle in your point.

For extensions, and in general with any PASSporT, once the PASSporT is signed, that’s it, you cannot modify claims or "re-sign".  If you want new PASSporT claim information that you want to sign, you must have a new PASSporT or new identity header.
Currently for divert, the approach is to embed a PASSporT inside a new PASSporT, which is a valid technique also and results in a new identity header also (but you should remove the old identity header in this case).

-Chris

> On Jan 23, 2018, at 2:19 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi Chris,
> 
>>> Question for clarification:
>>> 
>>> Section 5.2.1 of draft-passport says:
>>> 
>>>      "There MUST be exactly one "orig" claim with exactly one identity claim object in a PASSporT object."
>>> 
>>> Q1: Does the text above mean that 
>>> 
>>>      a) a passport must always contain one, and only one, "orig" claim; or 
>>>      b) that if a passport contains an "orig" claim, it can only contain one?
>> 
>> It can only contain one key value pair with the key “orig” and the claim value can only be one identity.
>> 
>> In other words you cannot claim to originate multiple identities with a single passport object.
> 
> Correct. The question is whether "orig" is mandatory (alternative a) or not (alternative b). But, based on your reply to Q2 below, I assume the answer is alternative a).
> 
> I think it would be good to make that more clear. 
> 
>>> Q2: If a), does it apply to passport extensions too?
>> 
>> All extensions must include the base passport claims and follow all rules of the claims, so yes.
> 
> I think it should be more clear whether a node can modify claims or not when adding an extension, or whether an extension needs to explicitly allow it. Currently the text only says (AFAIK) that claims cannot be removed.
> 
> For example, if I have a base passport, and add an RPH passport, I assume I cannot change the value of the "dest" claim. I would need to use a divert claim for that.
> 
> Also, as the passports may be added and signed by different authorities, and as each passport will contain the base claims, it means that the base claims will be signed multiple times, and they may be signed by different authorities. I assume that is ok.
> 
> Regards,
> 
> Christer
>
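The three rules discussed in this exchange (exactly one "orig" claim carrying exactly one identity, no editing of claims once the PASSporT is signed, and diverting by wrapping the original signed PASSporT in a new one rather than rewriting its "dest") can be checked mechanically. The following is an added example written for this archive page, not code from either correspondent or from any STIR implementation. It assumes an HMAC-SHA256 signature in place of the ES256 signature a real PASSporT uses (so that it runs with the Python standard library alone), a placeholder "x5u" URL, placeholder telephone numbers, and the "div"/"opt" claim names and layout for the nested PASSporT, which are assumptions of this demo rather than a statement of the divert specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. RFC 8225 PASSporTs are signed with ES256; HMAC-SHA256
# stands in here only so the example runs with the standard library alone.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_HEADER = {"alg": "HS256", "typ": "passport",
               "x5u": "https://cert.example.invalid/demo.pem"}  # placeholder URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canon(obj) -> bytes:
    # PASSporT serializes claims with lexicographically ordered keys and no whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _no_dup_keys(pairs):
    # json.loads would silently keep the last duplicate; a second "orig" must be an error.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate claim key {key!r}")
        obj[key] = value
    return obj


def check_orig(claims: dict) -> None:
    """Exactly one 'orig' claim holding exactly one identity (a single 'tn' or 'uri')."""
    if "orig" not in claims:
        raise ValueError("missing 'orig' claim")
    orig = claims["orig"]
    if not isinstance(orig, dict) or len(orig) != 1:
        raise ValueError("'orig' must hold exactly one identity claim object")
    kind, value = next(iter(orig.items()))
    if kind not in ("tn", "uri") or not isinstance(value, str):
        raise ValueError("'orig' identity must be a single 'tn' or 'uri' string")


def sign_raw(payload: bytes, ppt=None, key: bytes = DEMO_KEY) -> str:
    """Sign an already-serialized payload (lets the tests feed in malformed claim sets)."""
    header = dict(DEMO_HEADER)
    if ppt:
        header["ppt"] = ppt
    signing_input = _b64url(_canon(header)) + "." + _b64url(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def sign_passport(claims: dict, ppt=None, key: bytes = DEMO_KEY) -> str:
    check_orig(claims)
    return sign_raw(_canon(claims), ppt, key)


def verify_passport(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the signature covers them and they are well-formed; else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not cover these claims")
    claims = json.loads(_b64url_decode(body), object_pairs_hook=_no_dup_keys)
    check_orig(claims)
    return claims


def is_valid(token: str, key: bytes = DEMO_KEY) -> bool:
    try:
        verify_passport(token, key)
        return True
    except ValueError:
        return False


def edit_dest_in_place(token: str, new_tn: str) -> str:
    """What an intermediary must NOT do: rewrite 'dest' in a signed PASSporT without re-signing."""
    head, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["dest"] = {"tn": [new_tn]}
    return head + "." + _b64url(_canon(claims)) + "." + sig


def divert_passport(original: str, new_tn: str, iat: int, key: bytes = DEMO_KEY) -> str:
    """Retarget a call as the reply describes: leave the original PASSporT untouched and
    embed it in a fresh, separately signed 'div' PASSporT whose 'dest' is the new target.
    The 'div' and 'opt' claim names are assumptions of this demo."""
    base = verify_passport(original, key)
    div_claims = {
        "orig": base["orig"],
        "dest": {"tn": [new_tn]},
        "div": {"tn": base["dest"]["tn"][0]},  # the party that diverted the call
        "iat": iat,
        "opt": original,                        # the untouched original PASSporT
    }
    return sign_passport(div_claims, ppt="div", key=key)
```

Running `is_valid` on the output of `edit_dest_in_place` shows why a node cannot simply change "dest" when adding an extension: the signature no longer covers the claims, so a verifier rejects the token; `divert_passport` produces a token that verifies while the embedded original still verifies on its own. Feeding `sign_raw` a payload with two "orig" keys, or a single "orig" holding both a "tn" and a "uri", is rejected at verification, which is the mechanical reading of "exactly one orig claim with exactly one identity claim object".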