RFC Errata
RFC 8224, "Authenticated Identity Management in the Session Initiation Protocol (SIP)", February 2018
Note: This RFC has been updated by RFC 8946
Source of RFC: stir (art)
Errata ID: 5391
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Invalid content for "iat"
Date Reported: 2018-06-14
Held for Document Update by: Orie Steele
Date Held: 2024-11-15
Section 4.1 says:
Third, the JSON key "iat" MUST appear. The authentication service SHOULD set the value of "iat" to an encoding of the value of the SIP Date header field as a JSON NumericDate (as UNIX time, per [RFC7519], Section 2), though an authentication service MAY set the value of "iat" to its own current clock time. If the authentication service uses its own clock time, then the use of the full form of PASSporT is REQUIRED. In either case, the authentication service MUST NOT generate a PASSporT for a SIP request if the Date header is outside of its local policy for freshness (sixty seconds is RECOMMENDED).
It should say:
“4.1 PASSPorT Construction”: Third, the JSON key "iat" MUST appear. The authentication service SHOULD set the value of "iat" to an encoding of the value of JWT generation as a JSON NumericDate (as UNIX time, per [RFC7519], Section 2).
Notes:
RFC7519 JSON Web Token (JWT)
4.1.6. "iat" (Issued At) Claim
The "iat" (issued at) claim identifies the time at which the JWT was
issued. This claim can be used to determine the age of the JWT. Its
value MUST be a number containing a NumericDate value. Use of this
claim is OPTIONAL.
This text clearly states that “iat” is for the generation time of JWS.
One may argue that origination of SIP dialog - on which Date header content is based - and JWT generation times would be very close to each other but this is not always true. JWT, for example, can be added only at administrative boundaries and a session may have started long before that,e .g. it involves user interaction with an IVR for announcement/PIN verification.
It should be noted that populating "iat" with JWT issuance time makes use of complete form mandatory. So, if this errata is accepted, there probably would be a need to remove compact form as an option.
See related: https://www.rfc-editor.org/errata/eid5392