IETF Logo Mail Archive

Re: [Ace] [COSE] draft-raza-ace-cbor-certificates-04.txt

Göran Selander <goran.selander@ericsson.com> Tue, 28 April 2020 10:23 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76DF53A12B1; Tue, 28 Apr 2020 03:23:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.82
X-Spam-Level:
X-Spam-Status: No, score=-2.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yK2PbUblC9MU; Tue, 28 Apr 2020 03:23:35 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00046.outbound.protection.outlook.com [40.107.0.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69CF33A12DB; Tue, 28 Apr 2020 03:23:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mTXvjMUSxlrHrYOPHD856VyPiVba+BwkEX7W0BE7jcKkoICnhDwt8kQ8zO2qBjVfZ9oWQ/XEf5QPf5MTZzZ6li1cVaOzvu6xQha1SXjo7AB+JZytHw+2XuyYjKNXUOOtjvVa9tLs6d5AZcFDzRIdZPjrzxFZrR3qaiPxHKUmZ1QWw/uLafCAYsqf4w8UdWYiCEwcCOfIsCFH0M2rTyQRZNCJa4UBFKWvWa46z5SVAev0yR4cAQTzt/cYhLyKP3Na7eL23AohncnQiGNJO1ql8F+nkXT0NO1unWTDShyV6FKoRO+kAHV1MsI89+WTUsjxWPadsfZF0mdqM8AFnNAwpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=opOhOku16BwAH0ODJHVD7RpFoTagNX6OKtnWL3bF45s=; b=CpFiHGjVJrEBHcW/udun2PqkCOKDTPMERo2Zha1Omdh+W6ouQJEYVcDIdoDtl2k2F48P1q2SbPTZ3BFg2LOveBoo8yx41j3yR2Ii/NeIMn2OHCB1TYixr/QdTWAtpyYKRz6CvgfdpUVX6BY07d2ApB91PgJQ8adQfsXu9RSmt4SMSrZWflmd+WnscTsogzJHCpXW2A+z8r4t+2zVKw/Aa/EBJ8dA5LRHHKQTKauP7i6Vlg90+LS8OnWyuClOq7+P5pF6iPd1J7C69u0wf5Jmjb08QPcZZOZW8q0s26zEEes5tTCeoDzRINC24cauQ7klESzv9kMY9mtUiAKGfU/OaA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=opOhOku16BwAH0ODJHVD7RpFoTagNX6OKtnWL3bF45s=; b=bJjRZrA28XkgKkVuMhAKrjst1ShdTcxo3SQUp4r+LX5PmYLJXhdAk9gmMK8CNPjM0CjBWYimkLyvx8iu6bbAoSDGJVCYz82E/OQPikfOrBGGZOSA4yz44AJiBGx2PnnFQK23cLW/UufEmi7UyWN2OGB+7/f3TGXhGqHwuYagRbk=
Received: from VI1PR07MB5023.eurprd07.prod.outlook.com (2603:10a6:803:9e::13) by VI1PR07MB5966.eurprd07.prod.outlook.com (2603:10a6:803:be::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.14; Tue, 28 Apr 2020 10:23:31 +0000
Received: from VI1PR07MB5023.eurprd07.prod.outlook.com ([fe80::7c90:eb1a:e7da:2321]) by VI1PR07MB5023.eurprd07.prod.outlook.com ([fe80::7c90:eb1a:e7da:2321%7]) with mapi id 15.20.2958.014; Tue, 28 Apr 2020 10:23:31 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Laurence Lundblade <lgl@island-resort.com>, Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
CC: Joel Höglund <joel.hoglund@gmail.com>, "cose@ietf.org" <cose@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] [COSE] draft-raza-ace-cbor-certificates-04.txt
Thread-Index: AQHWHL9/AQkz8jksrU+IVD0bq1nzAqiOdicA
Date: Tue, 28 Apr 2020 10:23:31 +0000
Message-ID: <3BB4FFA8-AABD-4520-9B21-1F0B0CAFB08C@ericsson.com>
References: <CAHszGE+s0gBKNmDky4NZLP3SO-BqosQ2FvA7HeZprv3jWFFL7g@mail.gmail.com> <CAHszGEJ94aF9XA_4q-DnKzUNAtJo059zXMFcunOv8f-SG2hyvw@mail.gmail.com> <8B4A9572-3770-416E-B937-1902AFC07DA7@island-resort.com> <964634A4-7B61-4CEF-8ED0-6A9A48D984CD@ericsson.com> <AE7B76F5-12A0-4F65-BD6E-B0428B2AFA40@island-resort.com>
In-Reply-To: <AE7B76F5-12A0-4F65-BD6E-B0428B2AFA40@island-resort.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.36.20041300
authentication-results: island-resort.com; dkim=none (message not signed) header.d=none;island-resort.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.85]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fef454ab-63af-43a2-1163-08d7eb5e3335
x-ms-traffictypediagnostic: VI1PR07MB5966:
x-microsoft-antispam-prvs: <VI1PR07MB5966C2D740984B0B41FC045EF4AC0@VI1PR07MB5966.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0387D64A71
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB5023.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(39860400002)(366004)(346002)(396003)(136003)(54906003)(6512007)(8676002)(6486002)(186003)(2906002)(26005)(8936002)(66476007)(91956017)(76116006)(66946007)(66574012)(66556008)(66446008)(81156014)(478600001)(64756008)(316002)(85182001)(6506007)(5660300002)(53546011)(85202003)(36756003)(4326008)(110136005)(33656002)(966005)(2616005)(71200400001)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Q9jJ3aKmZOVYy4wq5MGPAbua7pMNSDaTDChAFjyUtI4FwNL1WwZ9cCSXvtmBTZLoF13QKMDexmxElZMdGlhk5CuNjoSZkngRUmndUY5xqHVthHwiQzvyT3f18TZTML4lvzJIHtJQnGj/MJIprvWXhHh3WYiz6C1+EqRq5l8JIkKT0MqIdEzhfIYHa4bxocGlngFVUJiE+9a7mLF9F+/2Utzs2M2dYKc7tUI++8VwimDlHwTXtCjVGueoFtagapfO8he8VH8vvrmarrr6bYw9iVUTgctznTHPKnSfoRjOnZh/eQ1H6Y/fh92U2HFhAooDcBTdI2Sdr2x5FIs7vIXoRNId+73fvmNTHCgY8NOVVOw3bYBCZIIiQNxKvb2jjFF9ii7d+4/YffzEifCjE9Deu7E1xqkRacOqXQzJcaQ6rJ/iXZ7CZbJxS9c+8SvaKLy2UgWEviNOy94owE5yJdpx9HtQksu/qFRDHvGoJ+djU3eBkGE/yDiUWW9jp3wukkXooO3J5SiaSe9Q7Obzk4DW+Q==
x-ms-exchange-antispam-messagedata: NhNRhoqtI2zb/5gv9OVnk6WSN/FmcLk2nQkyJ7PXf40khcWE3jcxidpyjME6h/rT1iZkIALTtwwb8Ag7OICbbHbE9ZV+T+EyfyQ4Q3usy0MShkeK77AiyHZBXRehq5ztDUl2bSUWb0PVQYVodn+RGKa+JJUTtryf5Mr8obmksf3l1nG2luQ9Qv0svtiHSahc6LSj2NkW9xJ1jB+7IocIYuMywYKAsT9p5Mm4cIOkB2ugs0Aq/a4DczDD+NYD6EJtWilCBh0eDZdsnW9If9QBdj1cLABCd7mldN308BbUeLnKJPo8Kyija7jLpdCnmcua7QUYMcOQ5J/IAYV8oetlMYtti4C9u+pOMRj44CyYDn1M6Dwau57AiwEhosPGQZ1u0t0lDfhjnDTvLbbK3aWSUuNGT0Xcrv97Xwg3p8jUSvjMOsIOtSjMNShwfKB2q5GBuG5TWZYLhx2JIu/SqsbdRqt6CkiLYRZIFwwzSO71GMV/zZWEKuZoNFzLMe6vFM3Dqbec9KKJkdBCmfginjxL3wYuwbUWkcep3Up/VGKJYCRuZX9I1BFdkvoZqbnyxVY/OdJI0aZUMKbKal6pFBNngcXXyoGr9Lik/Ww33prbAMWyao8xzCLTyGdueJhbfHT3ztkqMrgAhWrow+9pC1LopxpWJq4f14M+DZ6fpULrHec2mxIvHFMDE+tx4hM7La9uiSvhXntoUgSgJ4ZfpejacFBIQvldYDYzpCPsH86aTw5/HxdPpcS4kEasIDGuHh+mm+xn+7LWAXPl6ckeW7GQQv0b1WTPM2eBxRjBGdDldXE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_3BB4FFA8AABD45209B211F0B0CAFB08Cericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fef454ab-63af-43a2-1163-08d7eb5e3335
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Apr 2020 10:23:31.3044 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Y/sAem6ofsxz2Dq0lXi1re3AJp8pXah2q+yQhx7LWsW8fWUXCi2jZXtpaMNg/6P5A2Rzu+F0RB7Injvtn/Gl1q2Ov8e7yDGjgr4Ijb4Rbi4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5966
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/RsF_GyAkWvw5yTrtYlHEsxdCJC8>
Subject: Re: [Ace] [COSE] draft-raza-ace-cbor-certificates-04.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 10:23:46 -0000

Hi Laurence,

Thanks for sharing your thoughts. It seems we are working on slightly different paths.

The part you called “Compressed Certs” is already in the draft COSE charter where it is referred to as “A CBOR encoding of the compressed certificate profile defined in RFC 7925” so we can leave that out for now.

My comment was about the other part, what we both call “native CBOR certificates” but mean different things. What is called native in
draft-raza-ace-cbor-certificates is not intended as a certificate format breaking with X.509. While there are many potential improvements to make on X.509, there is a resistance against new certificate architectures as was clear when this was brought up in Secdispatch at IETF 104 a year ago. As mentioned previously, what we mean by “native CBOR” is the lossless compression of the certificate profile of X.509 into a CBOR encoded format, but signing over the CBOR instead of on the uncompressed data. In this way it is possible to define a bijection between native CBOR certificates and profiled X.509 certificates – the payload of the compressed version of the latter would be identical to the former. So the native CBOR certificates are a faithful representation of these profiled X.509 certificates, using the same payload as in the CBOR compression scheme.

In contrast to the compression scheme, a conversion between native CBOR and X.509 representations requires access to the private signature key.
Therefore a mix of X.509 and native CBOR would require multiple handlers at the backend (parsing the payload would be the same). Dedicated deployments could of course use native CBOR certificates exclusively.

In the same way it would be possible to instead define a COSE_Sign1 and/or a CWT representing these profiled X.509 certificates, this is what I thought you were asking about but apparently not. That would be an alternative as long as we can decide on exactly one of these representations.

There are a lot of fun things to do in this space, my concern is how to get out a standard. Trying to replace X.509 doesn’t seem like a promising way forward I’m afraid . . .

Göran


From: Ace <ace-bounces@ietf.org> on behalf of Laurence Lundblade <lgl@island-resort.com>
Date: Monday, 27 April 2020 at 20:13
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
Cc: Joel Höglund <joel.hoglund@gmail.com>, "cose@ietf.org" <cose@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] [COSE] draft-raza-ace-cbor-certificates-04.txt

On Apr 27, 2020, at 5:00 AM, Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org<mailto:goran.selander=40ericsson.com@dmarc.ietf.org>> wrote:

[GS] The rationale for native CBOR certificates is to reuse the same encoding as in the compression scheme defined for RFC 7925, but signing the CBOR instead of signing the uncompressed data. This provides a roadmap with minimal changes when moving from compressed to native CBOR certificates.

I agree with you that the overhead of COSE_Sign1 or CWT is not major and these points are open for discussion. The more important question is where this should be standardized. The compression scheme is now included in the new draft charter for COSE:
https://github.com/cose-wg/Charter/blob/master/Charter.md<https://protect2.fireeye.com/v1/url?k=dd127709-819bd8c0-dd123792-0cc47ad93e1c-5b6bae84abc5c4a0&q=1&e=5bb412fa-ec1d-44a0-8dba-c66844d1b797&u=https%3A%2F%2Fgithub.com%2Fcose-wg%2FCharter%2Fblob%2Fmaster%2FCharter.md>
The charter is currently not explicitly supporting native CBOR certificates. If you think it should, in some variant, then this is a good time to raise your voice.

To go straight to the issue, I think a designing a native CBOR cert should be approached differently than compressing / re-encoding an X.509 cert:

Re-encoding
- Size is important
- Exact compatibility is required
- Near zero change to fields and semantics

Native CBOR Cert
- Clean up some of the mess in X.509; it is an old standard with a lot of cruft and baggage
- Re design extensions so they are in CBOR format
- Make many of the fields optional, for example not before can often be left off, maybe even serial number
- Avoid DN structure for issuer and subject for most use cases
- Use modern formats like COSE and CWT and COSE_Key
- Size is important, but far from the only goal (some size reductions, like optional fields will be possible here that are not possible with re-encoding)
- Compatibility matters, but not in the same way

Seems like the right thing to do here is to remove native CBOR certs from this document and just focus on compression and re-encoding. Maybe even call them “Compressed Certs” rather than “CBOR Certs”.. Where that work should go is above my pay grade.


BUT, my main interest here relates to CWT and EAT. CWT seems like a really good choice on which to base a native CBOR cert. Some of the fields for an X.509 cert are already defined in CWT (subject, issuer, expiration, not-before). It has an extension mechanism built in already in the CWT IANA registry. The crypto and signing are well-handled by CWT’s use of COSE.

In work to fit EAT<https://tools.ietf.org/html/draft-ietf-rats-eat-03> in as a CWT, a few issues have come up — how fields / claims are managed and registered with IANA, label spaces and other.  All these issues would apply to CWT/COSE/CBOR-based certificate as well.

To name just one issue, in CWT the expiration date/time can be a floating-point number, which is burdensome, not useful. Should we change CWT to disallow or should it just be disallowed when a CWT is used as an EAT and when it is used as a Cert?

I’m also excited at the idea of re using CWT in a simple form so there is re use of code between CWT, EAT and native CBOR certs. I’ve started playing with an implementation like this.

LL

v2.23.0 | Report a Bug | By Email