I'm working on simplifying this in a way similar to what Hannes proposed, and
in a way also previously promised to Jim (removing "normally", etc.), but also
in a way that makes it clear that exactly which claims are to be used is an
application-specific choice.
-- Mike
-----Original Message-----
From: Ace <[email protected]> On Behalf Of Hannes Tschofenig
Sent: Friday, June 22, 2018 6:36 AM
To: Roman Danyliw <[email protected]>; [email protected]
Subject: [Ace] "sub" and "iss" ... RE: WGLC feedback on
draft-ietf-ace-cwt-proof-of-possession-02
Hi Roman,
this is also a good question:
> (3) (Editorial) Page 4, Section 3.0, I read to the end of this section by
> which point there has been discussion of "sub" or "iss". I was left
> wondering about how to interpret the case where both are present and none are.
Here is the text from the draft:
"
The presenter can be identified in one of several ways by the CWT
depending upon the application requirements. If the CWT contains a
"sub" (subject) claim [CWT], the presenter is normally the subject
identified by the CWT. (In some applications, the subject identifier
will be relative to the issuer identified by the "iss" (issuer) claim
[CWT].) If the CWT contains no "sub" claim, the presenter is
normally the issuer identified by the CWT using the "iss" claim. The
case in which the presenter is the subject of the CWT is analogous to
Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] SubjectConfirmation usage. At least one of
the "sub" and "iss" claims is typically present in the CWT and some
use cases may require that both be present.
"
The CWT PoP document does not define the subject or issuer claims.
The document also does not mandate a specific set of claims to be included in a CWT
since this is application profile specific.
Hence, I am wondering whether we could shorten the paragraph above, which is
actually a bit confusing.
"
This specification adds a new claim to offer the proof-of-possession
functionality.
There are various claims already defined and the IANA claims registry [REF]
contains the most up-to-date list of standardized claims. Applications using the
CWT functionality define what claims have to be used.
The presenter can, if necessary, be identified in one of several ways by the CWT
depending upon the application requirements. If the CWT contains a
"sub" (subject) claim [CWT], the presenter is the subject
identified by the CWT. In some cases, the CWT may not include a "sub"
claim, which allows the presenter to remain anonymous.
"
Ciao
Hannes
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
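The following is an added illustration of the identification rule under discussion; it is not text or code from the draft, from the ACE working group, or from anyone on this thread. It encodes the "sub"/"iss" rule quoted above from draft-ietf-ace-cwt-proof-of-possession-02, Section 3, alongside Hannes's proposed replacement, and exercises the two cases Roman raised: both claims present, and neither present. It assumes the input is an already-decoded, signature-verified CWT claims set represented as a dict keyed by the integer claim keys registered in RFC 8392; the COSE and CBOR layers are not shown. The names Presenter, CwtClaimsError, presenter_draft02, presenter_proposed and require_pop_claims, and the sample claims sets, are this example's own.

```python
"""Resolving the CWT "presenter" from the "sub" and "iss" claims.

Added example, not code from the draft, the ACE WG, or this thread.
Assumption: `claims` is a decoded, signature-verified CWT claims set,
a dict keyed by the integer claim keys of RFC 8392. COSE verification
and CBOR decoding are assumed to have happened already.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Claim keys from the CWT claims registry (RFC 8392, Section 4).
ISS = 1   # "iss", StringOrURI
SUB = 2   # "sub", StringOrURI
CNF = 8   # "cnf", the proof-of-possession claim (value as finally registered in RFC 8747)

Claims = Dict[int, Any]


@dataclass(frozen=True)
class Presenter:
    kind: str                  # "subject", "issuer" or "anonymous"
    identifier: Optional[str]  # the value the presenter is known by, if any
    issuer: Optional[str]      # "iss" value, kept because "sub" may be issuer-relative


class CwtClaimsError(ValueError):
    """Raised when the claims set is malformed or identifies no presenter."""


def _string_claim(claims: Claims, key: int, name: str) -> Optional[str]:
    """Return the claim as a str, None if absent; reject non-text or empty values."""
    if key not in claims:
        return None
    value = claims[key]
    if not isinstance(value, str) or not value:
        raise CwtClaimsError(f'"{name}" claim must be a non-empty text string')
    return value


def require_pop_claims(claims: Claims) -> None:
    """A PoP token without a "cnf" map carries no key to prove possession of."""
    if CNF not in claims or not isinstance(claims[CNF], dict):
        raise CwtClaimsError('"cnf" claim missing or not a map')


def presenter_draft02(claims: Claims) -> Presenter:
    """Rule in -02 Section 3: "sub" wins; without "sub", the issuer is the presenter.

    With neither "sub" nor "iss" nothing identifies the presenter; the draft
    leaves that open, and treating it as an error is this example's choice.
    """
    sub = _string_claim(claims, SUB, "sub")
    iss = _string_claim(claims, ISS, "iss")
    if sub is not None:
        return Presenter("subject", sub, iss)
    if iss is not None:
        return Presenter("issuer", iss, iss)
    raise CwtClaimsError('neither "sub" nor "iss" present; presenter unidentifiable')


def presenter_proposed(claims: Claims) -> Presenter:
    """Hannes's proposed text: "sub" identifies the presenter; no "sub" means anonymous."""
    sub = _string_claim(claims, SUB, "sub")
    iss = _string_claim(claims, ISS, "iss")
    if sub is not None:
        return Presenter("subject", sub, iss)
    return Presenter("anonymous", None, iss)


# Constructed sample claims sets, not real tokens. The "cnf" content here is a
# placeholder using member 3 ("kid"); a real one holds a COSE_Key, an
# encrypted COSE_Key or a key identifier.
_CNF = {3: b"\x01\x02"}
BOTH_PRESENT: Claims = {ISS: "coaps://as.example.com", SUB: "sensor-17", CNF: _CNF}
ISS_ONLY: Claims = {ISS: "coaps://as.example.com", CNF: _CNF}
NEITHER: Claims = {CNF: _CNF}
BAD_SUB: Claims = {ISS: "coaps://as.example.com", SUB: 17, CNF: _CNF}


if __name__ == "__main__":
    for label, claims in [("both", BOTH_PRESENT), ("iss only", ISS_ONLY), ("neither", NEITHER)]:
        require_pop_claims(claims)
        try:
            under_02 = presenter_draft02(claims)
        except CwtClaimsError as err:
            under_02 = err
        print(f"{label:9s} -02: {under_02!r}  proposed: {presenter_proposed(claims)!r}")
```

The two resolver functions make the difference between the texts concrete: under -02 a token with only "iss" names the issuer as presenter, whereas under the proposed wording the same token yields an anonymous presenter scoped to that issuer, and the no-claims case is the one place where an application profile has to say what it wants.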