Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt
On Ben's (2): "The only things that were removed that I wanted to check if we should think about keeping was the note that the same key might be referred to by different key IDs in messages directed to different recipients. What do people think about that?"

I'm fine restoring that text. Could you also do that, Ludwig?

Thanks all,
-- Mike

-----Original Message-----
From: Ludwig Seitz
Sent: Wednesday, September 25, 2019 2:34 AM
To: Mike Jones; Samuel Erdtman
Cc: Benjamin Kaduk; draft-ietf-ace-cwt-proof-of-possession@ietf.org; ace@ietf.org
Subject: Re: New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

On 25/09/2019 10:13, Mike Jones wrote:
> Does one of you have the time to create a PR today making the two
> changes? I’ll then be able to review it and publish sometime in the
> next 24 hours. Or if not, I’ll plan to do it myself while flying back
> from Korea to the US tomorrow.
>
> Thanks all,
>
> -- Mike
>
> *From:* Samuel Erdtman
> *Sent:* Wednesday, September 25, 2019 12:18 AM
> *To:* Ludwig Seitz
> *Cc:* Mike Jones; Benjamin Kaduk;
> draft-ietf-ace-cwt-proof-of-possession@ietf.org; ace@ietf.org
> *Subject:* Re: New Version Notification -
> draft-ietf-ace-cwt-proof-of-possession-07.txt
>
> +1
>
> On Wed, Sep 25, 2019 at 8:31 AM Ludwig Seitz <mailto:ludwig.se...@ri.se> wrote:
>
> > On 25/09/2019 02:23, Mike Jones wrote:
> > > I'm fine with us making both of the proposed changes.
> > >
> > > Thanks,
> > > -- Mike
> >
> > +1
> >
> > --
> > Ludwig Seitz, PhD
> > Security Lab, RISE
> > Phone +46(0)70-349 92 51

I'm in the process of doing the PR, but I noticed that I can only address Ben's (1) and (3). For (2) Ben was asking for our opinion.

I think we could take the note about different key IDs referring to the same key and reintroduce it in the text as it is a useful reminder.

(I mean that chunk:
"Note that the value of a Key ID is not always the same for different parties. When sending a COSE encrypted message with a shared key, the Key ID may be different on both sides of the conversation, with the appropriate one being included in the message based on the recipient of the message.")

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt
On 25/09/2019 10:13, Mike Jones wrote:
> Does one of you have the time to create a PR today making the two
> changes? I’ll then be able to review it and publish sometime in the
> next 24 hours. Or if not, I’ll plan to do it myself while flying back
> from Korea to the US tomorrow.
>
> Thanks all,
>
> -- Mike
>
> *From:* Samuel Erdtman
> *Sent:* Wednesday, September 25, 2019 12:18 AM
> *To:* Ludwig Seitz
> *Cc:* Mike Jones; Benjamin Kaduk;
> draft-ietf-ace-cwt-proof-of-possession@ietf.org; ace@ietf.org
> *Subject:* Re: New Version Notification -
> draft-ietf-ace-cwt-proof-of-possession-07.txt
>
> +1
>
> On Wed, Sep 25, 2019 at 8:31 AM Ludwig Seitz <mailto:ludwig.se...@ri.se> wrote:
>
> > On 25/09/2019 02:23, Mike Jones wrote:
> > > I'm fine with us making both of the proposed changes.
> > >
> > > Thanks,
> > > -- Mike
> >
> > +1
> >
> > --
> > Ludwig Seitz, PhD
> > Security Lab, RISE
> > Phone +46(0)70-349 92 51

I'm in the process of doing the PR, but I noticed that I can only address Ben's (1) and (3). For (2) Ben was asking for our opinion.

I think we could take the note about different key IDs referring to the same key and reintroduce it in the text as it is a useful reminder.

(I mean that chunk:
"Note that the value of a Key ID is not always the same for different parties. When sending a COSE encrypted message with a shared key, the Key ID may be different on both sides of the conversation, with the appropriate one being included in the message based on the recipient of the message.")

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt
Does one of you have the time to create a PR today making the two changes? I’ll then be able to review it and publish sometime in the next 24 hours. Or if not, I’ll plan to do it myself while flying back from Korea to the US tomorrow.

Thanks all,
-- Mike

From: Samuel Erdtman
Sent: Wednesday, September 25, 2019 12:18 AM
To: Ludwig Seitz
Cc: Mike Jones; Benjamin Kaduk; draft-ietf-ace-cwt-proof-of-possession@ietf.org; ace@ietf.org
Subject: Re: New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

+1

On Wed, Sep 25, 2019 at 8:31 AM Ludwig Seitz <mailto:ludwig.se...@ri.se> wrote:

On 25/09/2019 02:23, Mike Jones wrote:
> I'm fine with us making both of the proposed changes.
>
> Thanks,
> -- Mike

+1

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt
On 25/09/2019 02:23, Mike Jones wrote:
> I'm fine with us making both of the proposed changes.
>
> Thanks,
> -- Mike

+1

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt
I'm fine with us making both of the proposed changes.

Thanks,
-- Mike

-----Original Message-----
From: Benjamin Kaduk
Sent: Tuesday, September 24, 2019 4:35 PM
To: draft-ietf-ace-cwt-proof-of-possession@ietf.org
Cc: ace@ietf.org
Subject: Re: New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

On Tue, Sep 24, 2019 at 04:33:18PM -0700, Benjamin Kaduk wrote:
> Hi all,
>
> Thanks for the updates; they look good!
>
> Before I kick off the IETF LC, I just have two things I wanted to
> double-check (we may not need a new rev before the LC):
>
> (1) In Section 3.2 (Representation of an Asymmetric
> Proof-of-Possession Key), the last paragraph is somewhat different
> from the main content, in that it mentions using "COSE_Key" for an
> encrypted symmetric key, analogous to the last paragraph of Section
> 3.2 of RFC 7800. I had wanted to see some additional discussion, but
> we agreed that this was analogous to RFC 7800 and we did not need to
> go "out of parity" with it on this point. So we should be able to go
> ahead without new text here, but did we want to explicitly refer back
> to that portion of RFC 7800 to make the connection clear?
>
> (2) In https://github.com/cwt-cnf/i-d/pull/27/files we removed a large
> chunk of text since it contained several things that are inaccurate. The
> only things that were removed that I wanted to check if we should think about
> keeping was the note that the same key might be referred to by different key
> IDs in messages directed to different recipients. What do people think about
> that?

Oops, and my notes were unfortunately misaligned to the terminal window size:

(3) I think we were going to change the [JWT] reference to [CWT], in Section 4:

   Applications utilizing proof of possession SHOULD also utilize
   audience restriction, as described in Section 4.1.3 of [JWT], as it
   provides additional protections. Audience restriction can be used by
   recipients to reject messages intended for different recipients.

That way we won't get asked to make [JWT] a normative reference.

-Ben
Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt
On Tue, Sep 24, 2019 at 04:33:18PM -0700, Benjamin Kaduk wrote:
> Hi all,
>
> Thanks for the updates; they look good!
>
> Before I kick off the IETF LC, I just have two things I wanted to
> double-check (we may not need a new rev before the LC):
>
> (1) In Section 3.2 (Representation of an Asymmetric Proof-of-Possession
> Key), the last paragraph is somewhat different from the main content, in
> that it mentions using "COSE_Key" for an encrypted symmetric key, analogous
> to the last paragraph of Section 3.2 of RFC 7800. I had wanted to see some
> additional discussion, but we agreed that this was analogous to RFC 7800
> and we did not need to go "out of parity" with it on this point. So we
> should be able to go ahead without new text here, but did we want to
> explicitly refer back to that portion of RFC 7800 to make the connection
> clear?
>
> (2) In https://github.com/cwt-cnf/i-d/pull/27/files we removed a large
> chunk of text since it contained several things that are inaccurate. The
> only things that were removed that I wanted to check if we should think
> about keeping was the note that the same key might be referred to by
> different key IDs in messages directed to different recipients. What do
> people think about that?

Oops, and my notes were unfortunately misaligned to the terminal window size:

(3) I think we were going to change the [JWT] reference to [CWT], in Section 4:

   Applications utilizing proof of possession SHOULD also utilize
   audience restriction, as described in Section 4.1.3 of [JWT], as it
   provides additional protections. Audience restriction can be used by
   recipients to reject messages intended for different recipients.

That way we won't get asked to make [JWT] a normative reference.

-Ben
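
Added example (not part of the thread or of the draft): a sketch of the two points discussed above, the Key ID note from (2) and the audience restriction text from (3). It is a simplified stand-in that uses HMAC-SHA256 over JSON rather than COSE encryption and CBOR; the party names, Key ID values and key are constructed, and carrying the Key ID outside the MAC is an assumption of this sketch.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-a-secret"  # constructed sample key

# The same key is filed under a different local Key ID by every party.
CLIENT_KEYS = {b"c-17": SHARED_KEY}
RS1_KEYS = {b"rs1-04": SHARED_KEY}
RS2_KEYS = {b"rs2-k9": SHARED_KEY}
# What the sender must put in the message depends on who will read it.
KID_AT = {"client": b"c-17", "rs1": b"rs1-04", "rs2": b"rs2-k9"}


def protect(key, recipient, payload):
    """Sender: name the audience, MAC the body, attach the recipient's kid."""
    body = json.dumps({"aud": recipient, "data": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    # Assumption of this sketch: the kid is a lookup hint, not covered by the MAC.
    return {"kid": KID_AT[recipient], "body": body, "tag": tag}


def verdict(msg, me, my_keys):
    """Recipient: return "accepted" or the reason the message is rejected."""
    key = my_keys.get(msg["kid"])
    if key is None:
        return "unknown kid"  # e.g. the sender used its own local Key ID
    expected = hmac.new(key, msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return "bad tag"
    if json.loads(msg["body"]).get("aud") != me:
        return "wrong audience"  # valid key, but meant for someone else
    return "accepted"


if __name__ == "__main__":
    msg = protect(CLIENT_KEYS[b"c-17"], "rs1", "unlock")
    print(verdict(msg, "rs1", RS1_KEYS))                       # recipient's kid
    print(verdict(dict(msg, kid=b"c-17"), "rs1", RS1_KEYS))    # sender's own kid
    print(verdict(dict(msg, kid=b"rs2-k9"), "rs2", RS2_KEYS))  # redirected to rs2
```

The third case is the one the audience check exists for: the tag verifies at rs2 because the key is shared, so only the audience comparison rejects the redirected message.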