[stir] certificates draft - JWT claim constraints question

Chris Wendt <chris-ietf@chriswendt.net> Tue, 21 February 2017 12:15 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <F084B297-D7F3-41EE-893E-838253041DDE@chriswendt.net>
Date: Tue, 21 Feb 2017 07:15:20 -0500
To: IETF STIR Mail List <stir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/y40ccth-P3elSx9EQNtZEEbdgJI>
Subject: [stir] certificates draft - JWT claim constraints question
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

Just wanted to verify my understanding of the JWT Claim Constraints.  

My reading of the text is that JWT Claim Constraints are not mandatory, but can be used as an enforcement mechanism to explicitly make sure that any Passport object is signed with a specific set of claims, or explicitly does not contain certain claims.

I’m also assuming that in general practice you wouldn’t include any base claims (otherwise the Passport validation would fail in either case) and likely only include extensions that are mandatory/mandatory to NOT be there from the signer’s perspective.

Does this match the intention?
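The reading above, as an added example that is not part of the original post or of the STIR drafts: a verifier-side checker that applies claim constraints to the payload of a PASSporT. The shape of the constraint object (a set of claims that must be present, a set that must be absent, and a map of claim name to permitted values) is an assumption for illustration, not the draft's ASN.1; the sample PASSporT and the extension claim names in it are constructed, and its signature is a placeholder because signature verification is outside the point being shown. The last function encodes the post's observation about base claims: listing one as mandatory is redundant, and listing one as forbidden can never be satisfied.

```python
"""Claim-constraint enforcement for a PASSporT payload (added example,
not code from the post or the STIR drafts)."""
import base64
import json
from dataclasses import dataclass, field

# Base PASSporT claims every valid PASSporT carries (orig, dest, iat).
BASE_CLAIMS = frozenset({"orig", "dest", "iat"})


@dataclass
class ClaimConstraints:
    """Assumed shape of the constraints a certificate would carry."""
    must_include: frozenset = frozenset()
    must_exclude: frozenset = frozenset()
    permitted_values: dict = field(default_factory=dict)


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS style)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url (JWS style)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def passport_claims(compact: str) -> dict:
    """Return the claims of a compact-form PASSporT (header.payload.signature).
    The signature is deliberately NOT verified here; that is a separate step."""
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-form JWS")
    return json.loads(b64url_decode(parts[1]))


def check_constraints(claims: dict, cons: ClaimConstraints) -> list:
    """Return a list of violations; an empty list means the PASSporT satisfies
    the certificate's claim constraints."""
    problems = []
    for name in sorted(cons.must_include):
        if name not in claims:
            problems.append(f"missing required claim {name!r}")
    for name in sorted(cons.must_exclude):
        if name in claims:
            problems.append(f"forbidden claim {name!r} present")
    for name, allowed in sorted(cons.permitted_values.items()):
        if name in claims and claims[name] not in allowed:
            problems.append(
                f"claim {name!r} has value {claims[name]!r}, permitted: {sorted(allowed)}")
    return problems


def redundant_or_unsatisfiable_base_claims(cons: ClaimConstraints) -> dict:
    """Base claims in must_include are redundant (a valid PASSporT already has
    them); base claims in must_exclude make every PASSporT fail validation."""
    return {
        "redundant": sorted(cons.must_include & BASE_CLAIMS),
        "unsatisfiable": sorted(cons.must_exclude & BASE_CLAIMS),
    }


def build_sample_passport(claims: dict) -> str:
    """Constructed sample: compact form with a placeholder third segment.
    A real PASSporT is ES256-signed; only the payload matters here."""
    header = {"alg": "ES256", "typ": "passport",
              "x5u": "https://cert.example.com/passport.cer"}  # assumed URL
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{b64url_encode(b'placeholder')}"


# Constructed sample payload; "attest" and "origid" stand in for extension claims.
SAMPLE_PASSPORT = build_sample_passport({
    "attest": "B",
    "dest": {"tn": ["12155551213"]},
    "iat": 1487679330,
    "orig": {"tn": "12155551212"},
    "origid": "constructed-origid-1",
})

# Constraints that only name extension claims, as the post expects in practice.
CONSTRAINTS_OK = ClaimConstraints(must_include=frozenset({"attest", "origid"}))

# Stricter constraints the sample violates twice (forbidden origid, attest not "A").
CONSTRAINTS_STRICT = ClaimConstraints(
    must_include=frozenset({"attest"}),
    must_exclude=frozenset({"origid"}),
    permitted_values={"attest": frozenset({"A"})},
)

if __name__ == "__main__":
    claims = passport_claims(SAMPLE_PASSPORT)
    print("ok:", check_constraints(claims, CONSTRAINTS_OK))
    print("strict:", check_constraints(claims, CONSTRAINTS_STRICT))
```

Run the constraint check only after the PASSporT signature has been verified against the certificate that carries the constraints; the constraints say nothing about a payload that was not signed by that key.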