[Ace] Gap in registration of application/cwt?

Laurence Lundblade <lgl@island-resort.com> Mon, 10 August 2020 20:25 UTC

To: Ace Wg <ace@ietf.org>, cose <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Wc0iGMmtjN446tYMyL5JJWDvRO4>

It doesn’t seem clear what the CBOR tagging requirements are when application/cwt is used to indicate a message is a CWT.

This is the text that I think is missing:

The CBOR CWT tag (61) must NOT be used. It is unnecessary because the media type already indicates it is a CWT.

The COSE type indicating tag MUST be present. It is necessary to determine what the COSE type is, whether it is COSE_Sign1, COSE_Mac0...

Another solution could be a MIME parameter added to the application/cwt indicating the COSE type.

Step 3 in section 7.2 also seems wrong. It doesn’t make it an error for the COSE type tag to be absent when the CBOR CWT tag is present.


This is all based on my understanding that the surrounding protocol must specify exactly when CBOR tags are to be used and when they are not to be used, and that the surrounding protocol must not leave it as an optional implementation choice. In this case application/cwt is the supporting protocol.

LL
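
The tag rule proposed in the message above, sketched as a receiver-side check. This is an added example, not part of the original post and not text from any RFC. It assumes the rule exactly as proposed (tag 61 rejected, a COSE type tag required directly around the message); the COSE tag numbers are those registered in RFC 8152, and the function names and sample bytes are constructed for illustration.

```python
CWT_TAG = 61  # CBOR tag for CWT, as cited in the message above
# COSE message type tags registered in RFC 8152
COSE_TAGS = {16: "COSE_Encrypt0", 17: "COSE_Mac0", 18: "COSE_Sign1",
             96: "COSE_Encrypt", 97: "COSE_Mac", 98: "COSE_Sign"}

def leading_tags(data):
    """Return the CBOR tag numbers that prefix the first data item."""
    tags, pos = [], 0
    while pos < len(data) and data[pos] >> 5 == 6:  # major type 6 = tag
        info = data[pos] & 0x1F
        pos += 1
        if info < 24:                    # tag number held in the head byte
            tags.append(info)
        elif info <= 27:                 # 1, 2, 4 or 8 byte tag number follows
            size = 1 << (info - 24)
            if pos + size > len(data):
                raise ValueError("truncated tag head")
            tags.append(int.from_bytes(data[pos:pos + size], "big"))
            pos += size
        else:
            raise ValueError("invalid tag encoding")
    return tags

def check_application_cwt(body):
    """Apply the proposed rule to an application/cwt body; return the COSE type."""
    tags = leading_tags(body)
    if CWT_TAG in tags:
        raise ValueError("CWT tag 61 present; the media type already says CWT")
    # Assumption of this example: the innermost tag is the COSE type tag.
    if not tags or tags[-1] not in COSE_TAGS:
        raise ValueError("COSE type tag absent; COSE type cannot be determined")
    return COSE_TAGS[tags[-1]]

# Constructed sample: tag 18 around [h'a10126', {}, h'', h''] (no real signature)
SAMPLE_SIGN1 = bytes.fromhex("d28443a10126a04040")
SAMPLE_WITH_CWT_TAG = bytes.fromhex("d83d") + SAMPLE_SIGN1  # 61(18([...]))
SAMPLE_UNTAGGED = SAMPLE_SIGN1[1:]                          # bare array

if __name__ == "__main__":
    for name, body in [("sign1", SAMPLE_SIGN1), ("cwt-tagged", SAMPLE_WITH_CWT_TAG),
                       ("untagged", SAMPLE_UNTAGGED)]:
        try:
            print(name, "->", check_application_cwt(body))
        except ValueError as err:
            print(name, "-> rejected:", err)
```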