draft-ietf-stir-passport-10.txt   draft-ietf-stir-passport-11.txt 
STIR C. Wendt STIR C. Wendt
Internet-Draft Comcast Internet-Draft Comcast
Intended status: Standards Track J. Peterson Intended status: Standards Track J. Peterson
Expires: May 4, 2017 Neustar Inc. Expires: August 13, 2017 Neustar Inc.
October 31, 2016 February 09, 2017
Personal Assertion Token (PASSporT) Personal Assertion Token (PASSporT)
draft-ietf-stir-passport-10 draft-ietf-stir-passport-11
Abstract Abstract
This document defines a method for creating and validating a token This document defines a method for creating and validating a token
that cryptographically verifies an originating identity, or more that cryptographically verifies an originating identity, or more
generally a URI or telephone number representing the originator of generally a URI or telephone number representing the originator of
personal communications. The PASSporT token is cryptographically personal communications. The PASSporT token is cryptographically
signed to protect the integrity of the identity the originator and to signed to protect the integrity of the identity the originator and to
verify the assertion of the identity information at the destination. verify the assertion of the identity information at the destination.
The cryptographic signature is defined with the intention that it can The cryptographic signature is defined with the intention that it can
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2017. This Internet-Draft will expire on August 13, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 29 skipping to change at page 2, line 29
3. PASSporT Token Overview . . . . . . . . . . . . . . . . . . . 4 3. PASSporT Token Overview . . . . . . . . . . . . . . . . . . . 4
4. PASSporT Header . . . . . . . . . . . . . . . . . . . . . . . 5 4. PASSporT Header . . . . . . . . . . . . . . . . . . . . . . . 5
4.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 5 4.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 5
4.2. "alg" (Algorithm) Header Parameter . . . . . . . . . . . 5 4.2. "alg" (Algorithm) Header Parameter . . . . . . . . . . . 5
4.3. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . . 5 4.3. "x5u" (X.509 URL) Header Parameter . . . . . . . . . . . 5
4.4. Example PASSporT header . . . . . . . . . . . . . . . . . 6 4.4. Example PASSporT header . . . . . . . . . . . . . . . . . 6
5. PASSporT Payload . . . . . . . . . . . . . . . . . . . . . . 6 5. PASSporT Payload . . . . . . . . . . . . . . . . . . . . . . 6
5.1. JWT defined claims . . . . . . . . . . . . . . . . . . . 6 5.1. JWT defined claims . . . . . . . . . . . . . . . . . . . 6
5.1.1. "iat" - Issued At claim . . . . . . . . . . . . . . . 6 5.1.1. "iat" - Issued At claim . . . . . . . . . . . . . . . 6
5.2. PASSporT specific claims . . . . . . . . . . . . . . . . 6 5.2. PASSporT specific claims . . . . . . . . . . . . . . . . 6
5.2.1. Originating and Destination Identity Claims . . . . . 6 5.2.1. Originating and Destination Identity Claims . . . . . 7
5.2.2. "mky" - Media Key claim . . . . . . . . . . . . . . . 8 5.2.2. "mky" - Media Key claim . . . . . . . . . . . . . . . 8
6. PASSporT Signature . . . . . . . . . . . . . . . . . . . . . 10 6. PASSporT Signature . . . . . . . . . . . . . . . . . . . . . 10
7. Compact form of PASSporT . . . . . . . . . . . . . . . . . . 10 7. Compact form of PASSporT . . . . . . . . . . . . . . . . . . 10
7.1. Example Compact form PASSporT Token . . . . . . . . . . . 11 7.1. Example Compact form PASSporT Token . . . . . . . . . . . 11
8. Extending PASSporT . . . . . . . . . . . . . . . . . . . . . 11 8. Extending PASSporT . . . . . . . . . . . . . . . . . . . . . 11
8.1. "ppt" (PASSporT) header parameter . . . . . . . . . . . . 12 8.1. "ppt" (PASSporT) header parameter . . . . . . . . . . . . 12
8.2. Example extended PASSporT header . . . . . . . . . . . . 12 8.2. Example extended PASSporT header . . . . . . . . . . . . 12
8.3. Extended PASSporT Claims . . . . . . . . . . . . . . . . 13 8.3. Extended PASSporT Claims . . . . . . . . . . . . . . . . 13
9. Deterministic JSON Serialization . . . . . . . . . . . . . . 13 9. Deterministic JSON Serialization . . . . . . . . . . . . . . 13
9.1. Example PASSport deterministic JSON form . . . . . . . . 14 9.1. Example PASSport deterministic JSON form . . . . . . . . 14
skipping to change at page 5, line 40 skipping to change at page 5, line 40
For the creation and verification of PASSporT tokens and their For the creation and verification of PASSporT tokens and their
digital signatures, implementations MUST support ES256 as defined in digital signatures, implementations MUST support ES256 as defined in
JWA [RFC7518] Section 3.4. Implementations MAY support other JWA [RFC7518] Section 3.4. Implementations MAY support other
algorithms registered in the JSON Web Signature and Encryption algorithms registered in the JSON Web Signature and Encryption
Algorithms registry created by [RFC7518]. The contents of that Algorithms registry created by [RFC7518]. The contents of that
registry may be updated in the future depending on cryptographic registry may be updated in the future depending on cryptographic
strength requirements guided by current security best practice. The strength requirements guided by current security best practice. The
mandatory-to-support algorithm for PASSporT tokens may likewise be mandatory-to-support algorithm for PASSporT tokens may likewise be
updated in future updates to this document. updated in future updates to this document.
Implementations of PASSporT digital signatures using ES256 as defined
above SHOULD use deterministic ECDSA if/when supported for the
reasons stated in [RFC6979].
4.3. "x5u" (X.509 URL) Header Parameter 4.3. "x5u" (X.509 URL) Header Parameter
As defined in JWS [RFC7515] Section 4.1.5., the "x5u" header As defined in JWS [RFC7515] Section 4.1.5., the "x5u" header
parameter defines a URI [RFC3986] referring to the resource for the parameter defines a URI [RFC3986] referring to the resource for the
X.509 public key certificate or certificate chain [RFC5280] X.509 public key certificate or certificate chain [RFC5280]
corresponding to the key used to digitally sign the JWS. Generally, corresponding to the key used to digitally sign the JWS. Generally,
as defined in JWS [RFC7515] section 4.1.5, this would correspond to as defined in JWS [RFC7515] section 4.1.5, this would correspond to
an HTTPS or DNSSEC resource using integrity protection. an HTTPS or DNSSEC resource using integrity protection.
4.4. Example PASSporT header 4.4. Example PASSporT header
skipping to change at page 6, line 30 skipping to change at page 6, line 30
The token claims consist of the information which needs to be The token claims consist of the information which needs to be
verified at the destination party. These claims follow the verified at the destination party. These claims follow the
definition of a JWT claim [RFC7519] Section 4 and are encoded as definition of a JWT claim [RFC7519] Section 4 and are encoded as
defined by the JWS Payload [RFC7515] Section 3. defined by the JWS Payload [RFC7515] Section 3.
PASSporT defines the use of a standard JWT defined claim as well as PASSporT defines the use of a standard JWT defined claim as well as
custom claims corresponding to the two parties associated with custom claims corresponding to the two parties associated with
personal communications, the originator and destination as detailed personal communications, the originator and destination as detailed
below. below.
Any claim names or claim values outside the US-ASCII range should Any claim names MUST use the US-ASCII character set. Any claim
follow the default JSON serialization defined in [RFC7519] Section 7. values can container characters that are outside the US-ASCII range,
however MUST follow the default JSON serialization defined in
[RFC7519] Section 7.
5.1. JWT defined claims 5.1. JWT defined claims
5.1.1. "iat" - Issued At claim 5.1.1. "iat" - Issued At claim
The JSON claim MUST include the "iat" [RFC7519] Section 4.1.6 defined The JSON claim MUST include the "iat" [RFC7519] Section 4.1.6 defined
claim Issued At. As defined the "iat" should be set to the date and claim Issued At. As defined the "iat" should be set to the date and
time of issuance of the JWT and MUST the origination of the personal time of issuance of the JWT and MUST the origination of the personal
communications. The time value should be of the format defined in communications. The time value should be of the format defined in
[RFC7519] Section 2 NumericDate. This is included for securing the [RFC7519] Section 2 NumericDate. This is included for securing the
skipping to change at page 18, line 47 skipping to change at page 18, line 47
Miller, Ted Hardie, Dave Crocker, Robert Sparks, Jim Schaad for Miller, Ted Hardie, Dave Crocker, Robert Sparks, Jim Schaad for
valuable feedback on the technical and security aspects of the valuable feedback on the technical and security aspects of the
document. Additional thanks to Harsha Bellur for assistance in document. Additional thanks to Harsha Bellur for assistance in
coding the example tokens. coding the example tokens.
13. References 13. References
13.1. Normative References 13.1. Normative References
[I-D.ietf-mmusic-4572-update] [I-D.ietf-mmusic-4572-update]
Holmberg, C., "SDP Fingerprint Attribute Usage Lennox, J. and C. Holmberg, "Connection-Oriented Media
Clarifications", draft-ietf-mmusic-4572-update-07 (work in Transport over TLS in SDP", draft-ietf-mmusic-
progress), September 2016. 4572-update-13 (work in progress), February 2017.
[I-D.ietf-stir-rfc4474bis] [I-D.ietf-stir-rfc4474bis]
Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
"Authenticated Identity Management in the Session "Authenticated Identity Management in the Session
Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-14 Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-15
(work in progress), October 2016. (work in progress), October 2016.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, Extensions (MIME) Part Two: Media Types", RFC 2046,
DOI 10.17487/RFC2046, November 1996, DOI 10.17487/RFC2046, November 1996,
<http://www.rfc-editor.org/info/rfc2046>. <http://www.rfc-editor.org/info/rfc2046>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
skipping to change at page 19, line 41 skipping to change at page 19, line 41
Transport Layer Security (TLS) Protocol in the Session Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", RFC 4572, Description Protocol (SDP)", RFC 4572,
DOI 10.17487/RFC4572, July 2006, DOI 10.17487/RFC4572, July 2006,
<http://www.rfc-editor.org/info/rfc4572>. <http://www.rfc-editor.org/info/rfc4572>.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13, Specifications and Registration Procedures", BCP 13,
RFC 6838, DOI 10.17487/RFC6838, January 2013, RFC 6838, DOI 10.17487/RFC6838, January 2013,
<http://www.rfc-editor.org/info/rfc6838>. <http://www.rfc-editor.org/info/rfc6838>.
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
Algorithm (DSA) and Elliptic Curve Digital Signature
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
2013, <http://www.rfc-editor.org/info/rfc6979>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <http://www.rfc-editor.org/info/rfc7515>. 2015, <http://www.rfc-editor.org/info/rfc7515>.
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
DOI 10.17487/RFC7518, May 2015, DOI 10.17487/RFC7518, May 2015,
<http://www.rfc-editor.org/info/rfc7518>. <http://www.rfc-editor.org/info/rfc7518>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
 End of changes. 10 change blocks. 
12 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/