►
From YouTube: IETF-STIR-20210913-1900
Description
STIR meeting session at IETF
2021/09/13 1900
https://datatracker.ietf.org/meeting//proceedings/
B
B
D
B
Thanks
everyone
for
taking
a
chunk
out
of
their
day
to
join
for
an
interim
meeting
of
the
stir
working
group.
Our
session
is,
as
usual,
held
under
the
note.
Well,
I
believe
everyone
here
is
already
familiar
with
the
note
well,
but
if
you're
not
please
take
a
moment
to
go,
become
familiar
with
it
before
you
contribute
to
this
session
in
any
way.
B
Our
agenda
today
looks
as
follows:
we're
currently
planning
to
start
with
talking
about
the
identity,
header
errors,
handling
draft
that
chris
has
been
working
on,
followed
by
a
discussion
of
rcd
and
then
the
connected
identity
for
stir
updates
and
the
potential
charter
discussion
that
comes
along
with
that.
Does
anybody
have
any
adjustments
to
the
agenda
that
they
want
to
make.
F
B
G
C
F
B
B
F
E
E
E
We
also
talked
about
privacy
implications
of
the
passport.
You
know
going
in
the
backward
direction
that
it
might
expose
things
to
beyond
the
authentication
service
that
sent
it.
So
I
integrated
specific
text
to
say
that
it's
a
must
for
the
authentication
service
to
re,
remove
the
corresponding
reason
header
for
the
passport
it
authored.
H
E
Then
I
talked
a
little
bit
about
compact
form
in
the
document.
While
we
we
had
a
discussion
about
compact
form
and
putting
that
explicit
explicitly
in
there
to
potentially
save
some
bits,
and
also
people
felt
like
that,
provided
some
level
of
privacy
protection
as
well.
So
I
think
that's
reasonable.
So
we
put
where
you
could
just
include
the
signature
similar
to
compact
form
of
passport
and
then
use
that
as
the
key
that
the
authentication
service
would
look
at
next
slide.
E
E
Rc
33
3326
has
this
statement
in
it.
A
set
message
may
contain
more
more
than
one
reason
value,
but
all
of
them
must
have
different
protocol
values.
An
implementation
is
free
to
ignore
reason,
values
that
it
doesn't
understand.
So
in
order
to
implement
the
way
that
we
talked
about
it
last
time
we
sort
of
have
to
ignore
that
rule.
D
John
looks
good
to
me.
I
mean
just
looking
at
this
now
and
I
know
we've
talked
about
this
before
you
know
I
mean,
even
if
it
does
give
people
heartburn,
I
could
imagine
ways
that
we
could.
I
mean
I
don't
know
how
strictly
protocol
values
are
defined,
but
if
we
did
protocol
values,
as
you
know,
stir
and
then
like
with
the
dash
for
different
ppt
types,
even
right
like
as
if
to
suggest
that
what
the
actual
protocol
is,
this
reason
is
being
given
for
is
not
just
sip.
D
It's
first
stir
and
I
need
to
go
back
and
look
at
you
know
if
they
have
any
language
around
what
protocol
values
means
there.
That
would
preclude
that.
But
this
could
let
you
be
like
well,
you
know.
This
reason
is
why
I
rejected
you
know
the
shaken
passport.
This
is
the
reason
why
I
rejected
this
rcd
passport
right.
If
you
could
like
split
it
up
even
by
ppt
types,
that
right
anybody
think
that's
crazy.
E
C
D
D
I
mean
you
should
be
able
to
figure
it
out
from
the
compact
form,
but,
like
you
know,
I
could
also
imagine
you
know
if,
for
example,
we
have
these
rcd
third-party
use
cases
where
it's
actually
like
an
intermediary
that
inserted
the
that
one,
and
so
you
wouldn't
recognize
necessarily
the
compact
form
as
it
got
back
to
you.
You
know
I
I
I
could
at
least
imagine
it
being
semantically
useful
to
communicate
that
like
this,
you
know
it
was
a
passport
of
this
type
that
caused
it.
D
E
D
B
Have
you
tried
taking
a
message
that
would
have
multiple
reason,
headers
and
run
it
through
the
stack
and
see
if
it
cared?
Has
anybody
taken
one
of
these
things
and
like
showed
it
through?
Whatever
the
current
good
packet
decoding
graphical
inspectors
are
and
see
if
they
are
upset
or
not
wireshark
like
things
and
yeah,
it
doesn't
matter
if
they
do
or
not
other
than
just
having
an
early
indication.
If
there's
going
to
be
lifting
that
would
have
to
be
done
afterwards
or
if
it
would
just
sail
through
right.
D
You
know
this
and
for
other
ppt
types
like
whatever
you
know,
rfc2b
is
for
rcd,
you
know,
could
have
its
own
reference
from
that.
So
it
looks
like
it's
pretty
pluggable
if
we
want
to
put
in
things
with
finer
granularity,
whether
that
would
make
anything
barf
whatever
it
is,
is
a
completely
different.
Empirical
question.
E
H
H
C
I
I
guess
I
just
want
to
clarify
the
fact
that
if
we
had
like
a
fixed
set
of
protocols,
if
we
were
going
to
go
down
that
route,
I
don't.
I
still
can't
see
how
that
would
quite
work,
because,
because
of
the
fact
you
can
have
like
an
arbitrary
number
of
identities
with
the
same
passport
type
like
there's.
No
nothing
else
blocks
that.
So
if
we
had
like
a
separate
protocol
registered
for
each
passport
type,
you
would
still
have
the
same
problem.
If
someone
put
two
divs,
for
example,.
B
Well,
it's
if
we're
seeing
multiple
reason
headers
in
the
wild
anyhow,
a
small
document
going
through
zip
core
that
just
relaxes
the
one
per
the
one
restriction
should
be
something
that
should
seal
through
easily
enough.
Then
we
could
still
pursue
having
the
separate
identifiers,
but
we
could
just
get
the
the
spec
part
of
the
multiple
header
fuel
part
out
of
the
way
yeah
and.
A
E
Reasons
per
protocol-
I
think
that's
what
we
sort
of
temporarily
concluded.
You
know,
based
on
what
russ
was
saying
that
we
wouldn't
have.
We
wouldn't
have
to
update
rc
3326.
We
could
define
a
new
protocol
and
then
sort
of
let
the
multiple
thing
go
by,
but
you
know,
I
think
robert
robert's
suggestion
is
good
too.
If
that's
a
quick
thing
to
defend,
send
through
sip
core.
D
John,
you
want
to
go
and
I
think
you
know
the
reason
why
I
was
barking
down
the
tree
of
let's
register
separate
ones
for
separate
things
is
that
I
thought
it
would
make
it
more
palatable
if
there
were
multiplicity
of
them
right
and
that
it
just
it's
likely
that
if
there
are
multiple
passports,
they're
going
to
have
multiple
passport
types,
did
jack's
point
div.
The
perfect
example
of
one
that
violates
that,
but
like
that
that
doesn't
mean
that
there
wouldn't
be
cases
where
it
would
disinfigurate
it.
D
But
I
I
think,
I'm
relatively
persuaded
by
jack's
point
that,
like
yeah,
you
need
to
bite
the
bullet
and
say
that
there
can
be
multiple,
multiple
reason
headers
of
the
same
type
present.
I'm
still
not
sure
that
completely
obviates
the
utility
of
doing
separate
registrations
for
separate
powerpoint
types.
But
like
it's
a
registry
like
we
can,
we
can
do
that
and
if
people
want
to
use
it,
they
can
use
it
and
if
people
think
it's
useless
and
implementation,
you
know
all
we're
costing.
E
D
Register
sir
stir
separately
from
sip
just
to
be
clear:
it's
not
a
simple
failure
right
and
like
if
we
feel
like
sub
registrations,
are
going
to
have
a
value
for
some
use
cases.
We
can
do
that,
but
I
I
do
think
jack's
argument
that
you
can.
You
know
maybe
15
divs
right.
It's
really
not
clear
and
how
much
insight
is
you
know
our
relying
parties
are
receiving
this
and
backwards
direction
really
going
to
have.
D
If
there's
like
you
know,
divs
that
they
didn't
create,
you
know
if
they're
looking
at
compact
forums,
those
things
got
to
be
peeled
off
by
these
entities
they
go
by
and
like
I'm
confident
those
entities
can
peel
those
things
off
they
go
by,
but
I
mean
for
a
case
where
it's
really
the
originating
ais
that
is
generating,
for
example,
a
shaken
passport
and
an
rcd
password
separately.
For
whatever
reason
like
that,
that's
the
case
we're
getting
those
both
back.
E
F
C
Just
to
clarify,
I
think
it
does
still
require
an
update
to
that
rfc,
because
that
does
very
specific,
explicitly
state
that
you
have
to
have
one
reason:
header
per
protocol
and
even
if
we
register
stir
we'd,
still
be
doing
multiple
reason
headers
for
the
stir
protocol.
So
I
think
you
still
need
to
update
that.
E
F
E
E
So
thank
you
to
all
those
review
comments.
I
one
change
that
we
did
make
at
the
last
minute
here.
Just
so
everyone
everyone
is
aware,
is
added
a
new
claim
value
for
apn,
alternate
presentation,
number,
something
that
has
been
sort
of
been
thought
about
for
a
while
and
I
think
has
come
back
to
more
relevance.
So
we
thought
I
mean
it's
a
fairly
straightforward
one,
so
hopefully
everyone's
okay
with
that
one,
but
I
thought
it'd
be.
It
was
important
enough
to
add.
F
E
D
Are
people
asking
for
this
man?
I
I
got
worn
down
on
this
because,
like
the
the
party
line,
I
was
trying
to
tell
on
this.
So
we
when
we
did
our
cd.
We
made
this
like
one
off
for
nam
right.
That
is
like
separate
from
what
you
do
in
a
j
cart
that
can
contain
the
display
name
that
is
shown
in
the
from
ever
field
and,
like
you
know,
the
the
story
for
alternate
presentation
number
that
I
was
trying
to
tell
anyway
was
well.
You
do
a
very
simple
j
card.
D
You
put
a
tell
field
in
the
j
card
and
you
have
the
telephone
number
in
it
and
you're
done,
but
I
mean
I
think
I've
been
gradually
worn
down
to
the
point
that
this
is
a
common
enough
use
case
enough.
People
are
clamoring
for
it
that
this
is
worth
having
a
one-off
like
now.
That's
really
what
this
says.
This
is
just
saying:
there's
going
to
be
one
more
thing:
that's
like
them!
You
know
I.
I
would
rather
do
this
than
you
know
to
describe
one
presentation.
D
C
D
The
must
not
for
if
you're,
using
apn,
you
must
not
have
a
tell
on
the
j
card
yeah
yeah
yeah.
I
mean
that
that
was
just
to
make
it
clear
that
if
you're
already
doing
a
j
card
for
some
other
reason
like
you
should
just
have
to
do
apn,
if
you
believe
we
should
apply
the
same
to
nam,
I
guess
in
principle.
I
wouldn't
object
like
that.
D
If,
if
you're
having
a
g
card
at
all,
let's
not
have
any
of
the
shortcuts,
like
all
that
stuff
should
appear
in
the
j
card,
rather
than
being
fields
that
you
have
to
parse
separately
because
yeah
like
what,
if
there's
a
conflict
or
like
I
mean
I
just
want
to
get
into
that,
I
hadn't
thought
about.
You
know
that
really
the
same
arguments
making
for
apn
applies
to
nam.
I
I
would
be
okay,
if
that's
the
restriction,
you're
suggesting.
D
D
E
D
I
totally
agree,
I
mean,
I
wonder:
if
there
couldn't
be,
you
know
I
mean,
is
there
any
similar
ambiguity,
even
with
tell
I
was
just
trying
to
think?
If
there
is,
I
mean
I
know
you
can
have
multiple
tells
and
they
can
have
you
arise
and
stuff.
They
can
be
like
fancy
in
a
j
card,
and
so
it
might
actually
be
ambiguous,
like
which
one
you
intend
to
be
the
presentation
number
if
you're
doing
it
intel.
D
I
mean
there
probably
are
some
ambiguities
that
surround
all
this,
and
I
I
don't
want
to
undersell
that.
But
I
your
your
point-
is
taking
alec
that,
like
that,
that
does
make
this
semantically
different,
because
people
use
the
display
name
in
the
front
header
field
to
contain
a
variety
of
information
that
could
be
personal
names
could
be
organizational
and
you
know
do
we
want
to
say
if
there's
a
noun
present,
you
can't
you
know
you
can't
have
organization
in
jay
card
right
like
that.
J
Yeah,
so
I
mean
like
today,
we'll
put
our
cd
information
in
a
shaken
passport
and
it
could
contain
a
j
card
with
a
first
name,
a
last
name
and
an
organization
name,
and
when
we,
when
we
verify
a
call
we'll
we'll
take
out
the
name,
claim
and
set
that
as
the
pai
header,
if
there
was
a
first
name,
a
last
name
in
an
organization,
what
would
we
set?
You
know
that
may
exceed
character
lengths,
the
combination.
J
How
would
you
merge
them
into
one
you
know
displaying
because
we're
trying
to
make
it
work
for
a
dumb
handset?
It
could
be
a
pots
line
right.
It's
just
you
know,
setting
the
cnam
so
that
it
it's
not
much,
but
at
least
it's
a
little
bit
of
rcd
information.
That's
sent
to
it,
so
the
name
provides
a
nice
ambiguous.
If
all
I
can
do
is
a
you
know,
pretty
plain
text,
I'm
just
going
to
use
this
yeah.
I
think
now
that
I
think
about
it.
J
The
same
thing
could
happen
with
the
tell
uri
right,
because
you
could
have
a
work
phone,
a
mobile
phone,
a
home
phone
right
in
the
j
card,
and
it
would
be
unclear
which
one
you
were
using
for
the
alternate
display
or
alternate
presentation
number.
But
if
you
have
a
specific
field
for
apn,
then
like
this
is
what
you
use.
It's
very
clearly
telling
you.
E
E
F
D
But
you
know
jack
can
probably
speak
to
the
uk
case
better
than
I
can
to
the
distinction
between
the
five
types
of
presentation
numbers
and,
like
the
network
number
and
so
on,
and
the
ways
that
those
things
are
allocated
in
uk
but
like
yeah,
and
I
I
mean
I
think
I
am
increasingly
persuaded,
because
this
is
one
of
the
issues
that
came
up
with
tell
as
well
like
if
you
were
going
to
use.
Tell
for
this,
are
we
sure
the
semantics
of
town
are?
D
Actually
it's
the
presentation
number
right
and
you
know
the
reason
that
this
comes
up.
Is
you
know,
precisely
because
there
could
be
alternate
versions
of
different
numbers
that
are
intel
and
which
one
is
actually
intended
to
be?
The
presentation
number
is
the
question.
I
tried
to
tell
the
line
that
like
well
by
having
j
card
b
and
rcd
at
all.
The
entire
semantics
is.
D
D
Users
are
going
to
see
it
and
like,
but
but
this
conversation
convincing
me,
I
think
that
that
that
that
may
not
be
tractable
and
then
that
ultimately
might
be
worth
having
an
apn,
even
in
those
cases
where
there
is
a
j
card
with
a
tell
in
it
precisely
because
it
indicates
this
is
the
one
that
we
intend
to
be
present.
You
know
the
presentation
number,
in
which
case
we
should
remove
the
restriction.
That's
in
it
now.
J
You
know
when
we
were
kind
of
looking
at
maybe
more
like
legacy
network.
I
mean
not
no
ancient
necessarily,
but
not
things
that
support
really
rich
call
data.
A
potential
you
know
use
case
would
basically
be
the
verification
is
like
creating
a
pai
header
with
this
apn
number
so
that
it
shows
up
when
it's
sent
to
the
handset
right
that
that's
kind
of
the
intent
that
we
could
use.
So
the
name
goes
in
the
display
name
of
the
pai
and
the
apn
goes
in
the
number
of
the
pai.
J
E
E
C
Presentation
number
are
kind
of
different
because
there
are
standard
like
there
are
standard
ways
of
presenting
those
to
the
user
already
and
so
like
having
a
nice
way
of
keeping
them
separate
and
unique
and
like
easily
like.
So
you
don't
have
like
have
to
do
some
lunging
with
the
j-card
to
work
out.
What
on
earth
you
want
to
display
would
would
would
definitely
go
towards
the
fact
that
we
should
just
remove
the
requirement
that
if
you
have
an
apn,
you
can't
have
tell
in
the
j
card
to
be
more
similar
to
nam.
K
That
it's
going
to
be
presented
as
the
tn
as
the
calling
tm
so
that
the
called
party
doesn't
really
realize
this
is
an
alternate
presentation
number
it's
just
the
number
that
if
they
wanted
to
call
back
is
that
it,
but
we
are
calling
it
alternate
presentation
number,
because
we
know
it's,
not
the
real
number
they're
calling
from
correct.
Or
am
I
missing
something.
D
K
So
at
what
point
is
it
at
the
originating
end
that
we
are
submitting
all
of
the
certificates,
delegate,
certificates,
etc,
just
proofs
of
authorization
that
this
party
is
still
entitled
to
use?
The
alternate
presentation
number
it's
it's
at
that
point,
just
like
all
of
the
good
passport
stuff
that
we
have
created
so
far.
K
E
E
D
Whoever
is
creating
the
block
of
json
that
you
see
in
front
of
you
now
and
choosing
to
sign
it
right,
and
so
I
mean
in
in
a
shaken
like
regime.
It's
the
you
know,
osp
right
area
that
is
generating
this
and
sticking
it
yeah,
and
so
I
mean
it's
if
osp
is
going
to
vouch
for
alternate
presentation
numbers
that
they
shouldn't.
Of
course
that
can
be
an
issue
right
in
the
same
way
if
they
vouch
for
ridges
that
they
shouldn't
that
can
be
an
issue.
E
E
Yeah,
it
all
depends
on
the
authority
model
right
like
if
they're,
if
they
have
the
right
to
use
that
number
as
a
presentation
number,
they
probably
have
to
get
that
embedded
and
a
certificate
created.
That
would
include
that
in
you
know
most
cases
but,
like
I
said
we
have
a
couple
different
models
here,
but
you
know,
and
at
least
in
the
one
we're
intending
to
use
and
the
the
quote
unquote
shaken
model.
I
think
you
would
have
to
get
vetted
and
applied.
E
G
F
K
Right
and-
and
that
goes
back
to
my
question
chris-
you
know
a
few
minutes
earlier-
that
it
should
be
clarified
who
is
actually
vetting
the
authorization
to
use
this
alternate
number
making
sure
it
is
not
something
that
the
end
user
can
program
in
their
phone,
like
you
said
so
some
text
to
clarify
that
and
that
it
should
follow
the
same
regis,
whether
it's
a
registration
process.
You
know
like
the
registered
caller
solution,
etc
to
that
effect
just
to
clarify
so
people
don't
get
nervous.
J
E
D
D
J
D
Think
I
was
gonna
say
yes,
that
this
is
like.
You
know
additional
identity,
and
things
like
that
and
3gbp
plug
into
you
know,
like
p,
preferred
identity
and
things
like
that
right,
so
they're,
it's
not
that
there
aren't
mechanisms
that,
like
enterprises
or
things
like
that,
couldn't
use
to
suggest.
I
want
to
use
this
alternate
presentation
number
for
this
call,
and
so
I
I
guess
we're
not
gonna
stipulate
like
what
the
way
is
that
happens
here,
but
there
are
a
number
of
at
least
somewhat
standard
ways
to
do
that.
E
E
Things
out
of
this
meeting
that
we
talked
about
fixing
as
well,
but
yeah,
I
tried
to
maybe
give
a
summary
of
the
bigger
things.
One
was
consistency
of
logic
with
the
rules
around
constraints.
So
let's
pause
on
that,
because
maybe
we
want
to
discuss
that
the
uri
recursion
rules-
I
will-
I
haven't-
had
a
chance
to
like
really
deeply
read
through
that,
but
I
I
took
all
the
points
from
how
it
was
confusing
and
there
was
a
few
logic
errors
there.
E
A
The
discussion
on
constraints
and
I've
seen
verification
rules
isn't
the
right
time
for
that
or
another
slide
nope.
This
is
the
last
slide,
so
it's
the
time.
Are
you
done
with
the
others?
If
anyone
wants
to
talk
about
the
other,
then
I
can
go
back
and
wait
now.
Let's
start
talking
about
constraints,
okay
and
I'm
glad
to
see.
Alec
is
right
behind
me
in
queue
because
I
was
gonna,
maybe
call
on
him.
The.
A
A
That
the
verifier
has
to
verify
everything.
We've
got
these.
You
know
interlocking
now,
mechanisms
between
the
signature
itself,
the
jwt
claim
constraints
and
the
rcdi,
and
the
use
case
that
I
think
I've
seen
some
people
over
on
the
ip
and
I
side
of
the
world.
Thinking
about
and
and
maybe
alec
can
can
pop
in
a
minute
and
tell
me
if
I'm
on
base
or
off
base
is
a
use
case
where
a
caller
has
a
authentication
service
that
is
signing
with
a
delegate
certificate
and
signs
an
rcd
passport,
and
that
passport
has
two
purposes.
A
Chris
came
back
and
pointed
out
rightfully
that
any
idea
that
you
validate
some
things
that
don't
validate
any
other
things
can
can,
you
know
lead
to
madness
and
maybe
there's
other
ways
that
people
should
be
thinking
about
doing
this
and
and
I'm
okay.
If
that's
the
answer,
I'm
just
kind
of
trying
to
poke
and
be
an
irritant
here.
J
Either
way,
I
I
I
think,
I'm
on
the
same
page
as
ben.
I
I
think,
but
I
would
actually
take
it
even
a
step
further.
You
know
I
I
guess
I
would
say
I
view
rcdi
verification
as
something
that
really
should
be
done
by
the
the
end
device.
That's
about
to
display
it.
If
it
fails,
then
everything
else
is
fine,
because
you
know
the
kind
of
use
case.
You
know
we,
like
you
know
you.
J
Let's
say
you
want
to
include
three
different
logos:
one
for
an
ios
device,
one
for
an
android
they're
different
sizes,
so
the
osp
in
ben's
example
doesn't
verify.
They
don't
go
fetch
the
resources.
They'll
verify
that
the
rcdi
claim
matches
the
claim
in
the
delegate
cert,
but
they're
not
going
to
do
any
resource
fetching
and
then,
when
it
gets
to
the
tsp,
the
tsp
does
the
exact
same
thing.
J
The
tsp
sends
the
url,
as
well
as
the
integrity
value
for
that
url
to
the
device
and
the
device
when
you
go
fetch
something
you're
responsible
for
checking
the
integrity.
So
I
don't
think
it
creates
too
much
madness.
As
far
as
verification,
you
know,
you're,
not
verifying
everything,
you're
verifying
everything
but
rcdi,
and
only
the
resources
that
need
to
be
displayed
are
fetched.
J
You
could
just
not
display
logo,
but
you
get
the
ad
station
elevation.
You
get
all
the
things
that
are
embedded
in
there.
You
just
can't
get
a
logo,
so
I
think
I
don't
think
it
creates
too
much
madness
to
push
that
responsibility
of
verifying
integrity
down
to
the
end
device.
That's
about
to
display
that
whatever
that
is,
it's
gonna
check
the
integrity
of.
E
D
B
B
C
But
I
don't
think
I
disagree
that
the
spec
doesn't
have
to
be
explicit
about
that,
because
just
giving
up
the
verification
service
between
the
service
provider
and
the
end
user
isn't
far-fetched
and
seems
like
a
reasonable
division.
But
I'm
I
kind
of
just
wanted
to
say
that
it's
it's
not
going
to
be
a
edge
use
case.
It's
all.
I
have
a
feeling
it's
going
to
be
the
only
way
it's
implemented
unless
someone
implements
a
verification
service,
but
purely
on
the
end
user
device.
D
D
But
just
does.
Does
the
json
signature
over
that
password
like
validate
and
use
that
as
a
basis
for
accepting
origin
dest?
I
I
wouldn't
see
any
prohibition
on
that
and
I
rather
like
the
idea
of
having
like
the
rcdi
stuff,
only
fire
off
when
it
literally
gets
the
end
device.
That's
that's,
I
think
the
end
state
we
all
want
for
this
is,
for
you
know
those
those
links
to
actually
be
things
that
the
end
devices
that
are
rendering
to
users
would
be
able
to
access
directly.
D
I'm
not
sure,
I'm
optimistic
that
we're
going
to
get
to
that
in-state
anytime
soon.
I
think
a
lot
of
operators
are
going
to
want
to
do
this
and
then
you
know,
I'm
sure
there
are
15
more
verstat,
like
you
know,
editions
that
will
be
added
to
the
asserted
identity
for
all
the
links
that
you
know
are
now
pointing
to
the
tsps
network
and
its
cache
of
those
values.
Instead,
you
know,
but
that
caveat
aside,
that
we'll
see
shenanigans
like
that,
you
know
I
mean
I.
D
I
think
it
certainly
is
reasonable
to
say
that
you're
not
going
to
fail
the
passport,
because
you
ignored
like
the
those
links
and
you
just
don't
care
about.
What's
what's
in
the
cert,
for
what
the
permitted
values
are
for
those
things,
so
I
can
live
with
that.
If
that's
is
that
commensurate
with
what
you're
saying,
alec
and
jack.
J
Yeah
I
mean
for
me:
it's
it's
yeah,
I'm
not
saying
we
necessarily
need
to
mention
shaken
or
anything
like
that.
It's
it's
just
generically!
I,
I
guess
the
integrity,
I
think,
should
be
verified
by
the
device.
That's
about
to
con
display
that
url
that
resource
that
was
whatever
you
know,
received
from
the
url,
because
in
any
situation
you
know
you
have
a
verification
service,
that's
doing
more
complex.
You
know,
verification
of
the
passport
and
the
certificate,
the
cryptography
all
that
stuff
and
then
passing
a
bunch
of
urls
down
to
the
end
device.
J
The
the
entity
doing
the
verification
may
not
know
what
the
end
device
is
going
to
do,
and
so,
if
you're,
putting
that
responsibility
verifying
the
integrity
on
that,
then
it
has
to
verify
all
of
them
versus
if
it's
the
end
device
that
does
the
integrity
verification,
then
it
knows
what
it's
about
to
display.
Maybe
maybe
you
have
two
urls
for
two
different
images.
One
of
them
is
a
high
res,
and
one
of
them
is
a
low
res
and
you
try
and
get
the
high
res
and
it
doesn't
work.
J
It's
not
even
integrity
fails,
but
you
just
get
a
you
know:
404
error
or
server
timeout,
and
then
you
try
the
low
res
and
display
it.
I
mean
there
could
be
some
logic
in
the
end
device
and
I
think,
having
that
device,
do
the
integrity,
verification
just
pushing
all
integrity
requirements
down
to
that
end
stream
device
makes
makes
it
clean,
and
it
is
a
good
separation
of
responsibilities.
E
E
A
I
don't
think
it
is
a
bad
thing.
I'm
I'm
mixing
cues,
I'm
going
to
jump
in
anyway.
The
I
think
there's
another
use
case
which
requires
that
and
that's
the
use
case
where
an
osb
validates
the
rcd
passport
and
then
turn
around
and
writes
those
claims
into
his
shaken
passport
before
sending
it
downstream,
which
that
means
he's
vouching
for
it,
which
means
now
he
owns
it
right.
So
he
better
have
verified
the
integrity,
see.
J
Why
do
they
need
to
to
dereference
the
url
make
sure
they
match
the
integrity?
If,
if
the
osp
gets
a
delegate
cert-
and
it
says
you
know-
here's
the
rcd
information
that
should
be
in
there-
here's
the
integrity,
values
that
you
should
get
when
you
dereference
it
and
they
verify
the
delegate
cert
and
that's
all
fine.
They
put
it
into
the
the
shaken
passport.
In
this
you
know
specific
to
shaken
example,
and
the
image
doesn't
verify
to
the
integrity
that
doesn't
really
change
anything
because
the
end
device
won't
display
the
image.
J
A
A
A
And
you
know,
I
would
argue
that
the
relying
party
on
that
rcd
is
the
party
who's
going
to
use
the
rcd,
not
the
osb.
In
this
case-
and
you
know
we
all
know,
there's
as
much
as
we
like
the
end
device
to
be
the
one
that
renders
all
this
and
does
the
verification.
We
know
good
and
well,
there's
going
to
be
tsps
they're
going
that
are
going
to
eat
that
rcd
passport
and
just
show
the
claims
into
their
separator
fields.
Kind
of,
like
you,
know,
kind
of
easy
name
style.
E
A
A
J
J
D
A
But
I
think
we're
we're
poking
at
the
wrong
layer
here,
at
least
from
a
standards
perspective,
I'm
not
suggesting
that
we
need
to
say
or
even
know
anything
about
how
these
things
get
consumed,
but
we
need
to
say
is:
if
you're
going
to
consume
them,
you
better
verify
it
if
you're
not
going
to
consume
them.
It's
not
your
problem.
D
This
is
the
rub,
and
it
really
comes
down
to
what
we
mean
by
consume
and,
like
you
know,
a
case
where
an
osp,
for
example,
gets
a
delegate
passport
from
the
enterprise
and
is
just
doing
enterprise
at
a
station,
pulls
that
rcd
out
and
sticks
into
a
passport
they're
now
vouching,
for
I
would
be
surprised
if
they
feel
like
they
don't
need
to
validate
that
right,
because
now
they're
the
ones
that
are
signing
for
it
and
vouching.
For
I
think
it's
a
different.
D
I
mean
again,
if
we,
you
know,
think
about.
Like
liability,
like
I
think
it's
like
a
different
landscape
when
that
passport
that
came
from
the
enterprise
is
merely
carried.
In
addition
to
this
is
like
the
fake
sharing
point
carried
in
addition
to
a
shaken
passport
that
is
added
by
the
osp,
the
case
where
the
osp
actually
compiles
them.
D
I
think
the
usp
effectively
can
be
interpreted
as
vouching
for
them,
and
these
are
the
kinds
of
like
political
things
that
are
gonna
really
change
to
calculate
this,
which
is
why
I
like
the
relying
party
being
defined
in
a
way
that
any
originating
terminating
or
even
like
endpoint.
If
we
ever
get
to
that
nirvana,
where,
like
endpoints
the
ones
that
actually
see
these
passports,
is
the
relying
party
it's
their
obligation
where
they
are
to
do
this
right,
that's
that's
what
I
was
trying.
E
A
But
to
clarify
one
thing:
we're
doing
there
and-
and
I
can
also
accept
what
john
said
earlier.
That
said,
if
you
don't
want
to
share
your
passport
information
to
put
them
in
separate
passports,
but
the
what
we're
saying
is
that
a
passport
can
have
more
than
one
relying
party
and
they
can
have
partially
relying
parties.
You
know
they're
relying
on
part
of
the
passport,
but
not
another
passport,
and
I
think
that's
okay,
but
I
you
know
the
security
guys
might
get
high
enough
with
it.
I'm
not
sure.
E
C
I
think
an
interesting
thing
here
is
that
the
especially
in
the
case
of
like
the
osp
copying
the
rcd
information
into
like
their
shaken
passport,
which
for
separate
reasons
that
we're
going
to
into
is
a,
I
think,
a
bit
silly
use
case.
But
anyway,
the
the
osp,
a
failed
verification,
isn't
an
indictment
on
the
osps
like
reliability
or
whatever,
like
that
like
how
much
you
should
trust
them.
C
If
the
passport
fails,
you
don't
really
it's
not
really
saying
anything
about
like
whether
or
not
the
you
should
trust
the
person
who
created
that
passport,
more
or
less,
and
so
there's
this
like
weird
thing
here
by
copying
the
rcdi
across.
If
that
rcd
information
is
gets,
changed
or
something
like
that,
the
rcdi
will
still
verify
and
it
will
cause
the
passport
to
fail
verification.
C
C
So
as
long
as
they're
happy
with
the
rcdi
contents
like
they've
pre-verified
it
or
something
they're,
not
really,
they
don't
need
to
go
and
check
that
the
rcd,
the
things
referenced
in
the
rcd
actually
matches.
What's
in
the
rcdi,
because,
like
the
whole
point
of
this
scheme
is
so
that
you
can
change
what's
at
the
rcd
and
it
will
just
cause
the
passport
to
fail,
validation
or
like
the
logo,
will
fail,
validation
or
whatever.
J
Yeah,
I
I
I
completely,
I
I
I
see
the
distinction.
I
am
wondering
so
I
mean
it.
I
guess
to
me
it
would.
It
doesn't
make
sense
to
have
multiple
people
verifying
the
integrity
right
in
the
chain
like
why?
That's
really,
I
guess
the
way
I'm
viewing
it.
It
doesn't
make
sense
to
have
you
know
three
different
people
verify
that
the
contents
of
that
server
match
the
integrity.
J
J
J
We
wrote
some
language
for
the
for
the
case
of
the
verstapp
parameter,
where
we
said
you
can
only
send
tn
validation
past.
If
you
send
the
attestation
downstream
or
it's
at
the
station,
a
right
like
that
was
the
way
we
got
around
that
kind
of
issue
I
feel
like.
Maybe
we
could
do
the
same
thing
here.
J
You
you.
If
you
get
rid
of
integrity,
if
you
don't
send
the
integrity
downstream,
you
need
to
verify
it.
If
you
send
it
downstream,
then
it's
the
downstream
person's
problem.
So
if
the
tsp
chooses
to
dereference
the
url
and
host
it
in
their
own
web
server,
they
need
to
verify
integrity
clearly
because
they're
getting
rid
of
the
end
integrity
going
to
the
end
device.
But
if
you
choose
not
to
do
that,
you
pass
integrity
downstream.
Then
it's
not
your
responsibility.
J
D
Yeah
I
mean
I.
What
I
don't
want
to
do
is
place
constraints
on
who
we
expect
relying
parties
to
be
in
the
architecture
that
could
potentially
be
limiting
downstream
right,
like
in
terms
of
ways
people
want
to
use
this
I'd
rather
have
a
universal
rule
that
you
know
works
respectively.
You
know
it's
like
an
intermediary
or
something
that,
for
whatever
reason
is
like
mung
rcd,
and
this
doesn't
even
get
into
third-party
rc
cases
by
the
way,
which
are
a
whole
other.
D
Like
dimension
of
the
story,
but
yeah
I
mean,
I
guess
my
point
is
I.
I
still
think
there
could
be
cases
where
the
osp-
and
I
put
some
in
the
chat
like
might
be
interested
in
making
sure
that
the
links
are
validating
properly,
because
once
they're
signing
them
in
a
passport
they're
taking
some
responsibility
for
those
things,
even
if
they're
not
going
to
validate
downstream
right.
Like
I
mean
it's,
that
kind
of
just
policy
level
stuff
that
makes
me
think
we
may
end
up.
D
Unfortunately-
and
I
agree
it's
it's-
the
end
state
we
want
is
one
where
nobody
cares
until
we
get
to
the
device
it's
actually
going
to
render
this
that's
the
end
state
we
all
want
for
our
cda.
Nobody
needs
to
validate
it
under
that
other
than
that
device.
I
just
fear
there
are
a
whole
bunch
of
cases
where
other
people
are
going
to
want
to
validate
it.
There
will
it'll
be
redundant
validations.
It's
it's
a
waste
of
time,
for
all
the
reasons,
all
the
technical
reasons,
but
for
policy
reasons,
it's
not
a
waste
of
time.
A
I
mean
if
I
can
see
from
what
alec
was
saying
if
you
have
an
osp
that
that
copies
the
claims
to
their
shaken
passport,
but
they
also
copied
the
rcdi
and
send
it
downstream.
Then
they
weren't
really
the
relying
party
for
rcdi
it's
whoever
further
downstream,
does
it.
If,
on
the
other
hand,
they
feel
the
need
for
some
reason
or
another,
some
policy
or
something
to
do
it,
that's
fine,
they
can
do
it
too.
J
It
makes
the
problem
even
more
important
that
we
don't
require
to
verify
it
in
the
sense
that
it
could
require
two
round
trips.
You
could
have
to
go
hit
the
j
card
and
then
go
get
the
url
sequentially,
and
so
that's
why
I
really
hesitant
about
the
expectation
that
the
osp
or
the
tsp
do
it.
If
they're
passing
the
integrity
downstream
gets
even
worse.
When
you
talk
about
kind
of
having
both.
B
The
trust
model
to
those
uris
are
very
different.
The
what
we've
engineered
is
the
ability
to
verify
that
the
person
that
we
are
signing
for
has
handed
us
a
integrity
check
that
the
integrity
check,
checks
out
and
that's
it
when
we
skip
that
integrity
check
the
the
we.
We
just
need
to
be
very
clear
that
all
we're
talking
about
is
that
the.
B
Trust
back
to
the
the
the
end
user
was
entirely
in
what
that
integrity
check
was
made.
There's
a
whole
suite
of
potential
attacks
that
we
should,
at
some
point,
perhaps
investigate
for
what
happens
when
the
web
server,
that
is
maybe
not
entirely
under
either
the
the
signing
parties
or
the
end
users.
Control
decides
to
serve
a
completely
different
thing
and
we've
got
a
pretty
good.
B
I'm
about
to
say
that
the
checking
hasn't
happened,
but
I
really
don't
want
to
step
in
that
specifically
just
yet.
We
want
to
be
very
clear
what
the
trust
model
around
the
the
veracity
of
of
that
eventual
source
data
is,
I
apologize
for
the
ramble,
but
I
I
think
that
keeping
those
separate
is
going
to
be
helpful.
E
Yeah-
and
I
think
I
I
totally
that's
exactly
where
I
started
from-
I
think-
maybe
there's
room
for
like
if
we
use
the
words
relying
party,
we
can
sort
of
change
it
around
so
that
you
know.
I
agree
with
the
premise
that
you
know
if
you're
not
going
to
display
an
image
or
or
something
like
that,
then
that-
and
that
has
nothing
to
do
with
like
the
telephone
number.
E
F
E
J
You
know
not
to
say
that
the
osp
isn't
allowed
to,
but
it's
kind
of
meaningless
if
the
osp
verifies
it
or
the
tsp
for
that
matter,
if
they're
not
changing
the
url,
if
you
know
I
get
a
let's
say:
I'm
acting
as
an
osp
and
I
get
a
delegate
cert
and
it's
got
an
you
know,
a
link
in
it,
whether
it's
an
image
or
a
j
card,
and
I
go
fetch
it
and
it
matches
the
integrity
and
then
I
send
it
downstream
and
then
downstream
goes
and
fetches
it.
It
may
not
match
anymore.
J
An
attacker
could
change
the
contents.
The
first
request
I'll
return.
You
know
the
data
that
I'm
supposed
to
the
next
request.
I
won't,
and
so
I
think
really
integrity
is
only
valuable
if
you
do
it
and
then
use
the
url
or
use
the
contents.
If
you
are
then
passing
the
url,
it's
really
it's
kind
of
meaningless.
J
E
E
J
I
I
mean,
like
maybe
meaningless,
was
too
strong,
but
I
guess
kind
of
getting
back
to
the
liability.
It's
I
guess
it's.
Maybe
it's
kind
of
important
to
recognize
that
the
osp
is
not
liable
it
because
they
kind
of
I
mean
unless
you're
expecting
them
to
dereference
the
url
and
then
create
a
new
one.
That
can
happen.
J
So
I
think
you
kind
of
have
to
be
careful
and
not
you
know
the
the
osp.
You
know.
Let's
say
we
get
as
an
osp.
We
get
a
some
image.
We
we
verify
it.
We
say:
okay,
you
know
we
like
this
image.
It's
not
some
inappropriate
image,
it's
reasonable!
We
check,
we
have
its
integrity.
When
we
get
that
that
claim
you
know,
here's
the
the
url
and
here's
the
integrity.
We
we.
We
are
okay
with
this
integrity,
it
could
change.
J
E
I
don't
know
if
that's
the
right
word,
but
you
know
that
those
types
of
things
that
I
think
are
appropriate
for
ipni,
specs
and-
and
you
know
more
usage
specs
rather
than
the
core
protocol,
where
I
think
we
just
can
focus
on
the
authentication,
service
and
verification
service.
And
then
you
know
where
those
things
are
performed
and
what
level
they're
performed,
but
it.
E
But
I
I
think
where
I'm
agreeing
is
like,
maybe
we
can
have
some
relying
party
words
in
the
verification
service
that
stretches
it
a
little
more
to
allow
you
know
so
that
it
from
a
spec
point
of
view.
It's
it's
okay,
but
we
still
have.
You
know
the
strictness
to
say
that
you
should
really
be
checking
the
integrity
or-
or
I
don't
know
something
like
that.
A
C
A
C
I
think
I
would
possibly
go
further
than
what's
been
said
so
far
and
that
the
rcdi,
failing
that
the
digest
failing
to
match
is,
should
not
be
considered
a
fail
like
a
verification
failure,
because
there
are
situations,
for
example
div,
where
the
person
who's
diverting
it.
The
server
could
have
gone
down
while
they're
diverting
it
and
come
back
up
afterwards
them
failing
the
call.
C
Well
they
well
sorry,
not
them
failing
call,
but
then
failing
that
verification
and
throwing
some
error
is
a
bad
thing
to
happen.
At
that
point,
and
even
just
in
a
like
straight
line
case,
the
tsp
verifying
it
if
they're
not
going
to
like
re-host
the
images
or
something
like
that,
then
they
they
can't
reasonably.
C
C
I
would
go
so
far
as
to
say
that
the
like
the
digests
not
matching
what
is
at
the
urls
should
not
be
considered
verification
failure
and
only
the
person
that
is
extracting
the
information
out
of
that
uri
should
be
doing
anything
with
that
digest
and
even,
if
that
fails,
all
they
have
to
do
is
just
discard
that
single
logo,
or
that
single,
like
whatever
it
is.
They
can
just
discard
that
and
everything
is
still
fine.
They
can
even
carry
on
with
like
the
nam,
because
the
nam
the
nam
has
been
signed
for.
E
E
D
D
Is
it
circles?
I
don't
think
this
is
circular.
I
think
we're
actually
getting
a
lot
of
agreement.
I
mean,
I
think,
this
fundamental
question
of
like
what
what
actually
counts
as
passport
validation,
is
important
and
like
if
you
know
how
we
scope,
passport,
validation
and
understand.
It
is
super
important
and
I
think
we
can
resolve
that.
D
I
mean,
I
think
I
think,
for
example,
we
all
pretty
much
agree
that,
like
you
know,
if,
if
the
json
object's
signature
validates
against
the
cert
there's,
you
know
and
there's
a
level
of
passport
validation
in
that
I
know
when
chris
and
I
are
corresponding
about
this
in
the
last
couple
weeks.
You
know
one
of
the
examples
I
posed
to
him
when
I
was
arguing.
You
know
for
jwt
constraints.
Being
honored
in
these
cases
was
like.
D
We
wouldn't
do
this
for,
like
level
of
better
station
right
there's
like
a
restriction
that
level
of
attestation,
you
know
can't
you
can
only
sign
like
b
and
c
or
your
permanent
values
and
so
on
signs
in
a
like.
Even
though
the
entire
passport
validates
I
I
argued,
you
shouldn't
trust
the
origin
desk.
If
that's
true,
do
people
roughly
agree
with
that.
D
A
My
tendency
there
is
to
think
that
the
validating
the
constraints
is
part
of
validating
the
passport.
I
mean
it's
part
of
validating
the
signature.
So
even
though
I
have
a
signature
that
that's
there,
if
it's
violating
what's
in
the
certificate,
then
you
should
not
trust
that
you
should
not
use
that
signature.
D
J
It
I
think
it
really
just
comes
down
to
the
fact
that
this
verification
has
to
be
performed
at
the
end
entity
device
the
device
that's
going
to
consume,
that
url
right.
It
has
to
be
now
it
could
be
consumed,
it
could
happen
earlier,
but
it
has
to
be
consumed
there.
Otherwise,
it's
just
too
easy
for
someone
to
have
a.
J
Where
you
know
you
request
it,
I
give
you
the
right
url
and
then
the
device
goes
to
request
and
I
give
it
a
different
url.
So
you
have
to
do
it
at
the
end.
You
could
do
it
earlier,
but
it
given
that
that's
the
way
you
know
the
integrity
works.
I
I
think
it
just
makes
sense
to
separate
integrity,
verification
from
the
verification
service
right.
What
you're?
What
you're
signing?
J
What
you're
verifying
in
the
verification
service
is
the
integrity
is,
is
a
value
you
expect
the
integrity
and
the
passport
matches
the
integrity
in
the
delegate
cert
if
you're
doing
that
kind
of
model,
but
not
that
the
resource
has
the
value
that
matches
the
integrity
value,
because
that
check
is
really
intended
to
be
done
by
the
device.
I
mean
they
kind
of
so
similar
to
sub
resource
integrity
in
a
web
browser.
J
You
know
a
web
browser
may
embed
an
html
page
from
another
website,
but
it's
not
going
to
check
the
integrity
of
of
that
iframe
that
it's
embedding
it's
just
going
to
pass
that
on
to
the
client,
because
if
it
did
and
it
worked
that
doesn't
mean
the
client
couldn't
do
the
verification
it
has
to
be
done
in
the
client.
I
mean
it.
I
guess
that's
just
the
way.
I
view
it.
D
D
I
doubt
that
will
be
the
practical
case
and
in
fact
the
security
association
is
going
to
terminate
whether
we
logically
consider
it
the
vs
or,
if
it's
you
know
some
modular
component,
that's
like
one
step
off
from
the
vs
after
the
vs
has
done
its
job.
I
don't
want
to
argue
architecturally
about
how
we
want
to
draw
those
boxes,
but
the
security
association
is
likely
going
to
terminate
at
the
terminating
service
provider.
Or
do
you
disagree
with
that.
J
I
don't
disagree
with
that
and
I
would
say
if
they
do
that,
then
they
would
be
responsible
for
verifying
the
integrity.
If
you
choose
to
do
that,
then
go
ahead,
do
it
and
you
need
to
verify
the
integrity
put
in
your
own
web
server
and
then
send
that
url
down?
If
that's,
what
you're
going
to
do,
you
need
to
verify
the
integrity,
I'm
just
saying
that
may
not
be
the
model
for
everybody,
and
if
that
isn't
the
model
that
a
given
entity
is
using,
you
know,
then
they
shouldn't
be
verifying.
J
J
D
C
Even
further
than
that,
like
someone
who's,
not
the
end
user
of
this,
like
what
can
they
do
with
the
information
that
it
doesn't
match
like
if
someone,
if,
if
the
originating
service
provider
or
some
tsp
who's
handing
this
entire
shake
and
passport
onto
the
end
user,
if
they
download
this
logo
and
go
oh,
it
doesn't
match
the
digest.
What
do
they
do
like?
There's,
there's
nothing.
They
can
do
at
that
point
to
change
anything
like
the
the
rest
of
the
rcd's.
Information
is
still
there
and
it's
still
valid.
C
They
can't
edit
the
rcd
because
it's
signed,
so
their
only
option
is
just
to
keep
hand
it
on
down
and
just
go.
Oh
that's!
Gonna!
That's
gonna
be
wrong
when
the
end
user
sees
it
like,
of
course,
now
they
can
fail
that
yes,
but
if
they
do,
then
you've
lost
the
rcd
of
the
rest
of
the
rcd
information
like
you've
lost.
E
So
I
think
that's
similar
to
what
you're
saying
john,
like
you're,
you're,
just
fundamentally
doing
the
wrong
thing
and
you
shouldn't
know
about
it
until,
but
so
that
you
fix
it
sooner
rather
than
later,
and
is
the
osp
the
a
good
place
to
do
that
since
the
osp's?
Probably
you
know
the
you
know
providing
a
service
to
the
to
the
to
the
to
the
person
that
signed
the
passport
originally.
D
Is
this
question
of
dereferencing
further
links
right
that,
like
you,
might
not
want
to
do
along
the
way,
and
that
can
I
could
see
getting
kicked
down
to
whoever
the
relying
party
is
ultimately
whether
it's
tsp
network
at
the
end
point
or
something
if
all
you're
doing
is
your
check
is
just
saying:
okay,
like
this
jcl
field,
checks
out
early,
you
know
like
what
whatever
something
like
that
and
I'm
not
going
to
do
any
of
the
recursive
like
url
generation
within
it.
Like
that's
a
can.
E
D
D
I
have
a
really
hard
time
thinking
of
a
defensible
security
argument,
that
if
the
passport
doesn't
validate
against
aot
constraints,
or
something
like
that
that
that
it's
valid
that
they
that
this
passport's
only
partially
valid,
I'm
going
to
trust
the
origin,
the
dust,
even
though
the
the
iat
is
broken
like
we
have
no
language
in
a24
or
anywhere
else
that
I
think
hints
that
that
is
possible.
I.
C
J
Do
you
mean
rcdi,
or
do
you
mean
rcd
urls,
don't
match
our
cdi?
I
think
that's
an
important
distinction,
I'm
not
saying
in
the
passport
doesn't
match.
Delegate
rcdi
claim
constraint
that
that's
valid.
That's
totally
invalid
kill
it
it's
it's.
I
don't
want
to
dereference
the
urls
to
see
if
the
contents
of
the
urls
match-
and
I
and
and
I
know
we're
you
know
we
don't
want
to
talk
about
an
unlikely
event
of
a
server
failure,
but
I
guess
I'm
looking
at
it.
I
think
it's
highly
likely
and
it's
not
a
failure.
J
It's
it's
too
slow
for
my
verification
service.
I'm
not
going
to
wait
for
three
seconds
to
dereference
this
url,
where
the
end
device
might
be
willing
to.
Well,
maybe
that's,
I
guess
that's
what
I'm
concerned
about
is
I
it's
not
a
failure.
It's
just
it's
too
slow
and
we
see
this
with
certificates,
which
should
you
think
would
be
faster
than
than
I
want
our.
E
Cds,
I
wonder
if
there's
a
way
we
can
get
our
cake
and
need
it
to
like
that.
We
say
I
mean.
I
think
the
point
is
that
if
the
signature
over
the
json
object
is
valid,
then
you
can
pretty
much
trust
the
that
information,
but
we
just
don't
want
to
go
to
the
next
step.
Maybe
there's
some
way.
We
can
creatively
word
it
where
I
I'd
rather
like
that's,
why
I
was
trying
to
say
like?
E
D
I
mean
I
can
imagine
some
creative
wording
that
along
those
lines,
so
it
can't
ever
be
the
signatures
broken.
It
can't
ever
be
that
the
constraint
was
checked
and
didn't
work.
I
can
imagine
some.
You
know
some
language
that
suggests
that,
like
not,
everybody
is
going
to
reference
those
uris
and
be
capable
of
looking
at
the
potential
permitted
values
for
them
and
that,
as
a
consequence
of
that,
you
know
those
entities
are
are
not
doing
full
validation
of
rcd.
D
It
would
be
something
like
that
and
that
any
you
know
we
create
like
two:
two
categories
of
validation:
there's
a
validation,
that's
specific
to
rcd.
This
is
trying
to
speak
to
jack's,
where,
where
I
think
jack
is
going
anyway,
kind
of
two
categories
of
validation
of
rcd,
one
where
you
actually
are
you're
dereferencing,
the
sub
uris
for
it
and
another
way
where
you're
not,
and
that
when
you're
doing
the
first
category,
like
you
just
you
validate
the
json
works
the
constraints.
A
So
we've
got
a
passport
verification
that
just
says
everything
in
the
passport
discovered
by
the
signature
is
is
covered
by
the
signatures.
But
then
we
have
this
rcdi
thing
and
of
course
we
signed
it.
So
it
was
covered
by
the
signature
and
it
is
providing
this
mechanism
to
the
relying
party
of
the
dereferenced
material.
D
A
D
A
D
Yeah
yeah,
I
got
that
I
mean
I
I
I
haven't
meant
to
ignore
alex's
argument
either
about
just
the
servers
like
slower
unresponsive
or
whatever
I
mean
those
are.
I
think
those
are
all
valid
points.
I
guess
I'm
looking
at
this
much.
What
I
want
to
do
is
be
able
to
find
two
processes,
one
of
which
passport
validates.
D
If
there's
you
don't
ever
see,
anything
is
broken
in
it
because
you're
not
even
messing
with
that
rcdi
stuff
right
like
if
we
anything
we
write
this
to
me
like
I
check
this,
and
actually
this
doesn't
validate,
but
I'm
still
going
to
pretend
it's
valid
that
that
that
language
of
that
form
makes
me
extremely
uncomfortable
and
russ.
Would
you
speculate
that
might
make
people
in
security
area
relatively
uncomfortable,
but
but
like
language,
it's
like
look.
There's
one
set
of
checks.
D
You
do
when
you
don't
care
about
that,
rci
stuff,
right
and
then
there's
another
deeper
set
of
checks.
You
do
when
you
do
and
like
as
somebody
who
is
consuming
this
passport
and
validating
it,
you
can
either
do
one
or
the
other,
and
like
does
does
that.
Is
that
sellable?
Do
you
think
is:
is
that
close
enough
jack
to
what
you're
asking
for
and
alec.
J
Exactly
I
was
going
to
suggest
yeah.
It
basically
decouple
right,
so
you've
got
passport
verification
which
does
not
mention
ref
dereferencing,
the
urls.
There's
nothing
to
do
you
know,
that's
you
don't
need
to
dereference
urls
you're,
verifying
the
rcdi
matches
the
delegate,
cert
and
all
this
other
stuff,
but
you're,
not
dereferencing
urls,
and
then
you've
got
okay.
Now,
it's
time
to
de-reference
the
urls,
you
need
to
go
de-reference
it,
and
then
you
need
to
verify
that
it
matches
the
provided
integrity
and
they're
independent
processes,
and
you
may
have
an
entity
that
does
both.
J
A
If
you
pass,
the
url
forward
needs
to
go
in
the
security
considerations
in
this
document,
because,
basically
the
you
know,
if,
if
you
just
because
I
verified
it
now
doesn't
mean
it's
gonna
be
verified,
500
milliseconds
from
now,
and
if,
for
any
reason
you
don't
can't
send
that
dash
forward
or
your
end
user
can't
use
that
hash.
Then
you
need
to
provide
some
other
integrity
mechanism
to
make
sure
no
one
messes
with.
E
A
D
Even
though
we
we
suspect
people
will
do
that
strongly,
at
least
you
and
I
do,
then
I'm
not
sure
we
want
to
tell
them
how
to
do
it
or,
like
you
know,
offer
that
as
like
a
standard
practice
again,
we
all
want
to
get
to
the
state
where
that
isn't
how
this
works.
So
I
I'd
probably
rather
put
some
guidance
that
dances
around
that
and
puts
the
right
musts
and
must
nots
that
that
would
constrain
that
without
explicitly
describing
that
as
a
practice
and
an
rc
word
publish.
E
E
B
B
E
E
B
F
J
J
I
think
we've
kind
of
been
looking
at
with
vendors
and
things
is
kind
of
what
these
images
display
are
going
to
look
like
and
kind
of.
It's
having.
You
know
a
recommended
square
image.
That's
vectorized
means
you
know
you
can
put
a
round
mask
on
it.
A
you
know,
square
with
rounded
corners
mask
on
it.
You
know
you
can
resize
it.
I
think
otherwise
these
are
just
going
to
get
messy
when
you
actually
go
to
implement
them.
So
not
nothing
to
discuss
here,
but
maybe
it's
worth
recommending
because.
E
Well,
I
think
actually
the
good
thing
is
that's
more
in
the
zip
core
draft
which
we
need
to
follow
up
on
also.
So
I
think
I
do
have
some
image
text
in
there
to
try
to
do
that,
but
make
sure
you
join
the
sip
core
list
also
alex.
So
we
can
talk
about
that
issue
because
I
think
that's
you
know
hopefully
easier
to
extend.
I
will
probably
want
to
talk
about
whether
it's
optional
or
I
meant
you
know.
Okay,
I
haven't
had
a
lot
of
discussion
around
that.