Re: [Ace] draft-raza-ace-cbor-certificates-04.txt

Joel Höglund <joel.hoglund@ri.se> Fri, 24 April 2020 11:35 UTC

From: Joel Höglund <joel.hoglund@ri.se>
To: Ace Wg <ace@ietf.org>
Date: Fri, 24 Apr 2020 11:35:33 +0000
Message-ID: <HE1P189MB0363DD95A30BB2C2356F9C8288D00@HE1P189MB0363.EURP189.PROD.OUTLOOK.COM>
References: <44737D23-ADDF-4F43-8C68-B898C06DBD69@island-resort.com>
In-Reply-To: <44737D23-ADDF-4F43-8C68-B898C06DBD69@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/kyOdKZ6WgL3x4AqugFA6WZyY0Ck>
Subject: Re: [Ace] draft-raza-ace-cbor-certificates-04.txt

Hi!


First a meta comment: I’m now replying to both the ACE and the CORE mailing lists. If the working group chairs have recommendations on where to keep the continued discussion, I’m eager to hear them.


Thank you for your review! Some answers to the questions are inline below.


> When you sign CBOR, usually it is wrapped in a bstr. This is important
> to be able to use typical CBOR encoders/decoders. This doesn’t seem
> to be the case here, at least I don’t see it in the text near the end of
> section 3.


Since this bstr wrapping has become the expected norm, we agree this is a good suggestion for an improvement with low overhead, which we will add in the next version.


> Was any consideration given to using the COSE algorithm registry rather
> than defining a new one?


Yes, it is still work in progress to determine if the COSE algorithm registry can accommodate the algorithms deemed useful for inclusion.


> But of most interest to me is whether COSE was considered as the
> signing format for native CBOR certs. If COSE is used, then this looks
> almost identical to CWT and maybe a native CBOR cert is a variant of
> a CWT? … …


Our starting point has been to stay close to the original X.509 format while minimizing size. A COSE encoding would re-add some format overhead (close to 10% for the provided example certificate). But if a COSE encoding would help make the format accepted and used, it can definitely be discussed further.


Once again, thank you for your comments!


and


Best Regards


Joel Höglund

________________________________
From: Ace <ace-bounces@ietf.org> on behalf of Laurence Lundblade <lgl@island-resort.com>
Sent: 22 April 2020 17:23
To: Ace Wg <ace@ietf.org>
Subject: [Ace] draft-raza-ace-cbor-certificates-04.txt

I have a few comments / questions about draft-raza-ace-cbor-certificates-04.txt section 6 on native CBOR certs

When you sign CBOR, usually it is wrapped in a bstr. This is important to be able to use typical CBOR encoders/decoders. This doesn’t seem to be the case here, at least I don’t see it in the text near the end of section 3.

Was any consideration given to using the COSE algorithm registry rather than defining a new one?

But of most interest to me is whether COSE was considered as the signing format for native CBOR certs. If COSE is used, then this looks almost identical to CWT and maybe a native CBOR cert is a variant of a CWT? One advantage of this would be reuse of some of the CWT (and EAT) code. Some of the fields in the CBOR cert might overlap with CWT claims. That might be a good thing.

LL
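The two technical points raised in this thread (bstr-wrapping the to-be-signed bytes so that any CBOR decoder can hand them back untouched, and the size cost of using COSE_Sign1 instead of a bare [bstr, signature] pair) are easier to see on bytes than in prose. The following is an added example written for this page; it is not code from the thread, from draft-raza-ace-cbor-certificates, or from any COSE library. It uses a hand-written encoder/decoder for the CBOR subset it needs, a constructed to-be-signed body whose field layout is a stand-in rather than the draft's, and HMAC-SHA256 as a stand-in for the issuer's ECDSA signature so that it runs on the Python standard library alone. The byte counts it reports are for this constructed input only and are not the ~10% figure quoted for the draft's example certificate.

```python
import hashlib
import hmac

# Hand-written CBOR encoder/decoder for the subset used here (ints, bstr, tstr, arrays,
# maps, bools). `minimal=False` emulates a verifier whose encoder emits valid but
# non-shortest integer headers, which is exactly what the bstr wrapping protects against.
def _head(major, n, minimal=True):
    if n < 24 and minimal:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")


def cbor_encode(v, minimal=True):
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v, minimal) if v >= 0 else _head(1, -1 - v, minimal)
    if isinstance(v, bytes):
        return _head(2, len(v), minimal) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b), minimal) + b
    if isinstance(v, (list, tuple)):
        return _head(4, len(v), minimal) + b"".join(cbor_encode(x, minimal) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v), minimal) + b"".join(
            cbor_encode(k, minimal) + cbor_encode(x, minimal) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(buf, i):
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info <= 27:
        size = 1 << (info - 24)
        n, i = int.from_bytes(buf[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length items not supported")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:                      # bstr: handed back byte-for-byte, never re-encoded
        return bytes(buf[i:i + n]), i + n
    if major == 3:
        return buf[i:i + n].decode("utf-8"), i + n
    if major in (4, 5):
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            x, i = _decode(buf, i)
            items.append(x)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i
    if major == 7 and n in (20, 21):
        return n == 21, i
    raise ValueError(f"unsupported item: major {major}, info {info}")


def cbor_decode(buf):
    v, i = _decode(buf, 0)
    if i != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v


KEY = b"constructed-demo-key"   # constructed; a real issuer would hold an ECDSA private key


def _sig(msg):
    # HMAC-SHA256 stands in for the issuer's signature so the example needs only the stdlib.
    return hmac.new(KEY, msg, hashlib.sha256).digest()


# Constructed to-be-signed body: serial, issuer, notBefore, notAfter, subject, public key.
# This layout is a stand-in, not the field order defined by the draft.
TBS = [1, "issuer-CA", 1587729600, 1619265600, "device-42", bytes(range(64))]


def sign_wrapped(tbs):
    """[bstr(TBS), signature]: the signed bytes travel opaquely inside a bstr."""
    tbs_bytes = cbor_encode(tbs)
    return cbor_encode([tbs_bytes, _sig(tbs_bytes)])


def verify_wrapped(cert):
    tbs_bytes, sig = cbor_decode(cert)          # no re-encoding needed before verifying
    return hmac.compare_digest(_sig(tbs_bytes), sig)


def sign_unwrapped(tbs):
    """[*TBS, signature]: the verifier must re-serialise TBS to recover the signed bytes."""
    return cbor_encode(list(tbs) + [_sig(cbor_encode(tbs))])


def verify_unwrapped(cert, minimal=True):
    *tbs, sig = cbor_decode(cert)
    return hmac.compare_digest(_sig(cbor_encode(tbs, minimal)), sig)


def sign_cose_sign1(tbs):
    """COSE_Sign1 = [protected, unprotected, payload, signature] (RFC 8152 section 4.2)."""
    protected = cbor_encode({1: -7})            # label 1 = alg, -7 = ES256 in the COSE registry
    payload = cbor_encode(tbs)
    sig_structure = cbor_encode(["Signature1", protected, b"", payload])
    return cbor_encode([protected, {}, payload, _sig(sig_structure)])


def verify_cose_sign1(cert):
    protected, _unprotected, payload, sig = cbor_decode(cert)
    sig_structure = cbor_encode(["Signature1", protected, b"", payload])
    return hmac.compare_digest(_sig(sig_structure), sig)


def sizes():
    """Encoded lengths of the unwrapped, bstr-wrapped and COSE_Sign1 forms of TBS."""
    return len(sign_unwrapped(TBS)), len(sign_wrapped(TBS)), len(sign_cose_sign1(TBS))


if __name__ == "__main__":
    print("unwrapped / wrapped / COSE_Sign1 bytes:", sizes())
    print("wrapped verifies:", verify_wrapped(sign_wrapped(TBS)))
    print("unwrapped, same encoder:", verify_unwrapped(sign_unwrapped(TBS)))
    print("unwrapped, non-shortest encoder:", verify_unwrapped(sign_unwrapped(TBS), minimal=False))
```

The unwrapped form is a few bytes smaller, but its verifier only succeeds if it reproduces the signer's serialisation bit for bit; a decoder-side encoder that emits legal but non-shortest headers breaks verification even though the certificate is valid CBOR. With the bstr wrapping, any CBOR decoder returns the signed bytes unchanged and the signature is checked over exactly those bytes. COSE_Sign1 costs a few more bytes on top of that for the protected header and the Sig_structure context, which is the trade-off the reply above weighs against reuse of existing COSE/CWT code.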
