Re: [stir] Review of: draft-ietf-stir-passport-05
Christer Holmberg <christer.holmberg@ericsson.com> Mon, 01 August 2016 09:41 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93C2B12D0BE for <stir@ietfa.amsl.com>; Mon, 1 Aug 2016 02:41:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ToPZi4XbDf-d for <stir@ietfa.amsl.com>; Mon, 1 Aug 2016 02:41:20 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1135B12B063 for <stir@ietf.org>; Mon, 1 Aug 2016 02:41:19 -0700 (PDT)
X-AuditID: c1b4fb3a-0618b980000009bd-a7-579f193ddc21
Received: from ESESSHC004.ericsson.se (Unknown_Domain [153.88.183.30]) by (Symantec Mail Security) with SMTP id 2B.CA.02493.D391F975; Mon, 1 Aug 2016 11:41:17 +0200 (CEST)
Received: from ESESSMB209.ericsson.se ([169.254.9.142]) by ESESSHC004.ericsson.se ([153.88.183.30]) with mapi id 14.03.0301.000; Mon, 1 Aug 2016 11:40:59 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Richard Shockey <richard@shockey.us>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Review of: draft-ietf-stir-passport-05
Thread-Index: AQHR6Pa8IhcNFBWCX0CjWpL6ATcrHqAvhU6AgAAES4CAAAVOAIAAOSgAgAAMsQCAACJJAIAA4os4///4oACAAIdwgIABfXdE///slQCAADZcAIAA5aTu
Date: Mon, 01 Aug 2016 09:40:59 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B47709A51@ESESSMB209.ericsson.se>
References: <07e0eb16-6758-cdf1-c571-1f1ed768e741@dcrocker.net> <D3C152B2.1A69BA%jon.peterson@neustar.biz> <b096b541-c8af-9617-c9d7-5a1beb5230e8@dcrocker.net> <D3C16040.1A6A09%jon.peterson@neustar.biz> <d66d91f0-9ea2-6295-e749-e48ea37b4892@dcrocker.net> <D3C19686.1A6A4E%jon.peterson@neustar.biz> <dd60178b-fa24-5099-166c-f8a0093cb668@dcrocker.net> <7594FB04B1934943A5C02806D1A2204B476FE6CB@ESESSMB209.ericsson.se> <7f35b810-0eca-5140-060e-4aef03449c21@dcrocker.net> <D9F5ECF9-3ED0-478A-9261-2892AF9EAB8F@chriswendt.net> <7594FB04B1934943A5C02806D1A2204B477074D5@ESESSMB209.ericsson.se>, <F60B6C32-7424-487E-B582-CD2E30DBDFEF@shockey.us>
In-Reply-To: <F60B6C32-7424-487E-B582-CD2E30DBDFEF@shockey.us>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B47709A51ESESSMB209erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrLLMWRmVeSWpSXmKPExsUyM2K7nK6t5Pxwgz29EhYzfhhYLF+7jcmB yWPJkp9MHhM/nmEOYIrisklJzcksSy3St0vgyrj+u5Wp4O5ZxoqOeV3sDYzn1zF2MXJySAiY SLy5NYW5i5GLQ0hgPaPEwkvr2UASQgKLGSV+L6zpYuTgYBOwkOj+pw0SFhHwlNj34jkziC0s YCWxd9UxNpASEQFrifszJUHGiAg0MUoc7LrNClLDIqAi8e/xArB6XgFfiUuvHzFC7JrAKvH9 0wSwIzgF7CR6HrWCNTAKiEl8P7WGCcRmFhCXaPqykhXiUAGJJXvOM0PYohIvH/9jhajJl/h2 5hvUAkGJkzOfsExgFJqFpH0WkrJZSMog4gYSX97fhrK1JZYtfM0MYetLdL8/zYQsvoCRfRWj aHFqcXFuupGRXmpRZnJxcX6eXl5qySZGYKQc3PLbagfjweeOhxgFOBiVeHgTWOaFC7EmlhVX 5h5ilOBgVhLhfSQ6P1yINyWxsiq1KD++qDQntfgQozQHi5I4r/9LxXAhgfTEktTs1NSC1CKY LBMHp1QD4+zNObF5rodnpFepMy7Nm7GgfPWh0BLW5uvdn8uYn96r7Hd/OVer8+rpa5FW5wq3 9lryvWu7tOUKR/heDbMJLMVf7IJ3Rklu9y6Xn71JKSRsz/p3bt21k9v+spiZGHbtKA2Ysr4q Yadz4ok1Ksx8P28xVpznsbktkb4vdvGc57M3i+007lCbp8RSnJFoqMVcVJwIAAbvYvmQAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/w8_pcL-MEEIM1jNQKWoElyOUOaI>
Subject: Re: [stir] Review of: draft-ietf-stir-passport-05
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 09:41:24 -0000
Hi, As Richard said, there is still work to do related to how things look in the wire, especially since we are not going to include the encoded JWT object string in one piece. But, again, I think that is more an 4474bis issue. I do not, however, think that other "bodies" shall have to clarify the encoding on the wire - that needs to be clear in the core spec (other bodies might profile exactly what information is used to calculate the signature etc). Regards, Christer Sent from my Windows Phone ________________________________ From: Richard Shockey<mailto:richard@shockey.us> Sent: 01/08/2016 01:04 To: stir@ietf.org<mailto:stir@ietf.org> Subject: Re: [stir] Review of: draft-ietf-stir-passport-05 Yep… +1 Dave whats the problem here? What do you want? We choose JWT for a perfectly rational and technically elegant reasons. We do know what data we want assert and sign. On one point we totally agree. I have been less than satisified on how this actually looks on the wire. Examples. Jon has acknoledged this in his presentation in Berlin. Fine picture from my presentation to the Genband conference BTW. Where do the claims go in the INVITE. I’m prepared to accept less than perfect since I know there are other bodies ready to provide guidence in order to accelerate adoption among the vendor community. We think it will work and we have virturilly the entire US voice communicaitons industry using E164 addressing, as well at the NRA in the US and elsewhere lined up ready to GO. I support the last call I have trust the authors can provide revisions that can address some of the issues raised. Richard Shockey Shockey Consulting LLC Chairman of the Board SIP Forum www.shockey.us www.sipforum.org richard<at>shockey.us Skype-Linkedin-Facebook rshockey101 PSTN +1 703-593-2683 From: stir <stir-bounces@ietf.org> on behalf of Victor Pascual <victor.pascual.avila@oracle.com> Date: Sunday, July 31, 2016 at 2:44 PM To: Christer Holmberg <christer.holmberg@ericsson.com> Cc: Chris Wendt <chris-ietf@chriswendt.net>, "dcrocker@bbiw.net" <dcrocker@bbiw.net>, "Peterson, Jon" <jon.peterson@neustar.biz>, IETF STIR Mail List <stir@ietf.org> Subject: Re: [stir] Review of: draft-ietf-stir-passport-05 Fully agree On 31 Jul 2016, at 19:54, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote: Hi, I agree with Chris. JWT is NOT a mechanism to sign any arbitrary JSON structure. JWT is a mechanism to sign data, and it uses a specific JSON structure (header, claims etc) for doing so. In addition, it provides a mechanism to signal what data/algorithm is used to calculate the signature. Regards, Christer Sent from my Windows Phone ________________________________ From: Chris Wendt<mailto:chris-ietf@chriswendt.net> Sent: 31/07/2016 00:08 To: dcrocker@bbiw.net<mailto:dcrocker@bbiw.net> Cc: Christer Holmberg<mailto:christer.holmberg@ericsson.com>; Peterson, Jon<mailto:jon.peterson@neustar.biz>; IETF STIR Mail List<mailto:stir@ietf.org> Subject: Re: [stir] Review of: draft-ietf-stir-passport-05 Hi Dave, I’m not following your argument that because there isn’t a JSON object to sign, we can’t use JWT? In general, most/all uses of JWT don’t sign an existing object, a set of claims are constructed into a JSON payload that is signed. There are JWT defined claims precisely defined to create a secure token intentionally meant to be only signed in a JWT. So to me, we are more than appropriately using JSON and JWT. It is in 4474bis, we define the exact information to construct the JSON payload object to be signed, so please refer to that. There are many advantages to using the JWT construct both for STIR charter specifically and elsewhere. Is that a bad thing? -Chris > On Jul 30, 2016, at 9:03 AM, Dave Crocker <dhc@dcrocker.net<mailto:dhc@dcrocker.net>> wrote: > > Christer, > > Thanks for the background... > > On 7/30/2016 4:30 AM, Christer Holmberg wrote: >> I am the one who originally suggested the usage of JWT. I don't >> understand the claim that JWT is "outside the context of SIP". JWT is a >> generic/standardized mechanism how to calculate and encode a signature, > > Actually, it isn't. > > It's own opening text [RFC 7519] says it is "a compact, URL-safe means of representing claims to be transferred between two parties" but more importantly for this issue, it goes on to say: > > "encoded as a JSON object that is used as the payload of a JSON > Web Signature (JWS) structure or as the plaintext of a JSON Web > Encryption (JWE) structure" > > That is, it provides value-added functions... to a JSON object (structure). However SIP doesn't have a JSON object to sign. So the working group has had to invent a JSON-based abstraction of SIP header information and then sign it. > > Now it has to invent an encoding for the resulting signature. It would have to do that for a SIP call, no matter the signature's computational abstraction, but because that abstraction is actually an independent format, it wound up distracting the wg from doing a complete job -- so far, after 3 years -- of defining all the details for a complete authentication mechanism. > > From what I can tell of the email record for the wg, the unfortunate part of the discussion about choices here was to count JSON/JWT as something other than an abstraction. > > Signing an object requires defining the data over which the signature will be made, and how that data will be fed into the signing algorithm. Necessarily, that defines an abstraction of the data. (Canonicalization seems to be a common component of that abstraction, for example.) > > There might be nothing different or better (or, probably, worse) about JWT in those terms; I haven't tried to evaluate it in those terms. The problem is that its existence as a distinct format has caused the working group to worry about that new and independent object as distinct from the SIP data being signed, rather than as a computational result that then needs to be stored into the SIP header. So all of the discussion about what to do with the JWT object is additional wg overhead and, IMO, a complete distraction for the primary task of the working group. (My guess is that there is also added overall system complexity, but I won't press that concern, at this point.) > > Arguments that it's a general mechanism for use in other aspects of this space are always appealing. However they are, so far, without merit in the working group context: There are no specifications for any of those other uses. > > And the wg still hasn't resolved the very basic and very essential step of putting the signature into the SIP header. > > > >> If we would NOT use JWT we would >> probably have to define more STIR-specific procedures regarding the >> calculating/encoding of the signature ourselves. It's better to use a >> standardized mechanism in my opinion. > > Well, yeah, I thought/think that too, which was why I originally suggested adapting DKIM. (DANE might be another relevant choice.) DKIM offers an extremely high point of departure for SIP header signing. The continued lack of complete specification details about use with SIP demonstrates that JWT doesn't. > > >> I am also the one who raised the encoding issue in Berlin. But that was >> not related to the usage of JWT as such, but to the fact that we don't >> carry the encoded JWT object in one piece in the SIP message. We "split" >> the object into two pieces, and carry one piece as the Identity header >> field value, and the other piece as the canon header field parameter >> value. > > Right. And the point I'm raising is not about the details of that choice but the fact that it still hasn't been made at this very late stage. > > Besides merely being a missing, essential bit of system specification, it suggests that the wg is still not completely clear about the concrete use of this capability. > > > d/ > -- > > Dave Crocker > Brandenburg InternetWorking > bbiw.net<http://bbiw.net> > > _______________________________________________ > stir mailing list > stir@ietf.org<mailto:stir@ietf.org> > https://www.ietf.org/mailman/listinfo/stir _______________________________________________ stir mailing list stir@ietf.org<mailto:stir@ietf.org> https://www.ietf.org/mailman/listinfo/stir _______________________________________________ stir mailing list stir@ietf.org https://www.ietf.org/mailman/listinfo/stir
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… DOLLY, MARTIN C
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Tony Rutkowski
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Brian Rosen
- [stir] Setting Direction for the STIR WG Last Call Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Richard Shockey
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Paul Kyzivat
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- [stir] JWT/JSON (was - Re: Review of: draft-ietf-… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Victor Pascual
- Re: [stir] Review of: draft-ietf-stir-passport-05 Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Peterson, Jon
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Richard Shockey
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Burger
- [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force Dave Crocker
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Tony Rutkowski
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] Robocall Strike Force Richard Shockey
- Re: [stir] Robocall Strike Force Paul Kyzivat
- Re: [stir] Robocall Strike Force DOLLY, MARTIN C
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] Setting Direction for the STIR WG Last… Russ Housley
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] Setting Direction for the STIR WG Last… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Eric Rescorla
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Dave Crocker
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Peterson, Jon
- Re: [stir] JWT/JSON (was - Re: Review of: draft-i… Christer Holmberg
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Michael Hammer
- Re: [stir] Review of: draft-ietf-stir-passport-05 Eric Rescorla
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt
- Re: [stir] Review of: draft-ietf-stir-passport-05 Alex Bobotek
- Re: [stir] Review of: draft-ietf-stir-passport-05 Stephen Farrell
- Re: [stir] Review of: draft-ietf-stir-passport-05 Dave Crocker
- Re: [stir] Review of: draft-ietf-stir-passport-05 Chris Wendt