IETF Logo Mail Archive

Re: [Anima] [COSE] [Rats] cose+cbor vs cwt in MIME types

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 04 April 2023 16:14 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBEFC1524AC; Tue, 4 Apr 2023 09:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjMlfc_KjoGU; Tue, 4 Apr 2023 09:14:43 -0700 (PDT)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on20725.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1a::725]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 826D3C1522D7; Tue, 4 Apr 2023 09:14:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Sg0uLBLcz7KytxhZhIplXXz6k+W+I4/1v12iesGznTytz4tRB5WFPLq6VsqTPpW5hKQOygiFMOpgCwdPBdx2rpGSAFXkY70VhBwUJmuPnzXmSg68XuNJQeCngHh0H+Og8kncJze2bXzhn7PJLg//LgY5aeH7TVQaPPPBLfJHLqY0HAHp9C10NGWTtYI7ew+60JzmDnudGnWSPBjtvxHEXrS/H2SuIle5HWD56Y5DPQwGsnzUXykiBV8/eh0t3Ca7CidvYVuBpjZ/PwzFOmWWYAa1fcazsF90QrPUQWaSHOYO0MCE8U7nvMEGph4XnPLf/seudU/jJWuzhBjk0+57Pw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=top+B6honC/LxB2WYPYrPkfxzrSxGN4MORo7nSptUz8=; b=adQPDmN1JTp2ydYFMFGPGuFhLd0nZjZ35o8HopddcI+phRY2Exwh4SP4vlmUjbiyntY/Go9dKrPdJSbTS116O819/6cfoVQHeQ3nqcKDIkqVBqIKZ/8GBkX9U2CUc7e3j1KUc4b9McDmiqvCvXIop+35/1Do4+QqqB+5MH6r+9+y0E+SWPVnxwSgiDfjPGeRpjFRU5unriztShTYwLzQq0p+MjuVfJFJY/OxEcFV8zg3d+oDa5iLf2hGSjzwXqNDG4wGr7qGx7pjSpVLduZ0DzwZZlG+sAL5lzg/ltVMS65akWMNuTtojgJT26kBt75gvPcDFQztXx+UBpmNnXyCXA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=top+B6honC/LxB2WYPYrPkfxzrSxGN4MORo7nSptUz8=; b=vntNVAaiB5U6xfvnbfXZsD84DzHaFsq4j7oewGlPZc+FRcN6M8T8+yzhKiqi1l2ENppznzVLm4QRHO6ddVoqGz0378jAK6z5UADsBZ2/lbEe8Trr7e2GbGqWGjx1ou0eay+V4LpNdJV/YJts9sfMZXhQsP82w1dsVERlaqdAH8M=
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:3b9::20) by GVXP190MB1848.EURP190.PROD.OUTLOOK.COM (2603:10a6:150:6e::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6254.35; Tue, 4 Apr 2023 16:14:32 +0000
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::fade:8297:345b:7083]) by DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::fade:8297:345b:7083%5]) with mapi id 15.20.6254.035; Tue, 4 Apr 2023 16:14:32 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Orie Steele <orie@transmute.industries>
CC: "Smith, Ned" <ned.smith@intel.com>, Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr@sandelman.ca>, Thomas Fossati <Thomas.Fossati@arm.com>, Thomas Fossati <tho.ietf@gmail.com>, cose <cose@ietf.org>, rats <rats@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types
Thread-Index: AQHZZlReQ9Fwk+ziV0WJTmEcAjfNQq8Z4yQAgAAAhICAABjHAIAAB3qAgAAkugCAABT1gIAACRWAgAByzcCAAI2zAIAABveA
Date: Tue, 04 Apr 2023 16:14:32 +0000
Message-ID: <DU0P190MB19788753DBA803124E05B501FD939@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <167847004893.23876.9884501000866697896@ietfa.amsl.com> <DB9PR08MB6524E8F83E7149AD95B6CDB89CBA9@DB9PR08MB6524.eurprd08.prod.outlook.com> <2313611.1678640027@dyas> <DB9PR08MB6524D3E44EBF11BB83F8F9069CB99@DB9PR08MB6524.eurprd08.prod.outlook.com> <2380614.1678721850@dyas> <CAObGJnPjijJ61B_WvujcbunwW7aPA7c-CY4goPDX+yohR_kHOw@mail.gmail.com> <DB9PR08MB6524A6A7E5AABD96BBA34C8A9C879@DB9PR08MB6524.eurprd08.prod.outlook.com> <14833.1679597042@localhost> <8225.1679872718@localhost> <DU0P190MB19784AFEED440A3EBF922A87FD929@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <4BB67CAE-73E0-43B7-86C4-76DC06379CB1@intel.com> <CAN8C-_L0VnwZaOy8QxKiDBG1dXK+Ct9X-5jzeQGFSnZwLkRzaA@mail.gmail.com> <3EC8A813-C84E-4869-83D2-ECAC2487DE97@intel.com> <CAN8C-_+z0GoNCo_Jd77DWeKN3XE76hccr5gKd90q+rm1w6haAw@mail.gmail.com> <36C7760F-4180-422C-A35B-A626DDC2A6F2@island-resort.com> <EB82CDEC-44A0-42DA-BAF1-71791B28CFDD@intel.com> <CAN8C-_JsBMHGe_5jbShKTHuvT+sZXWFk+G-MOQ9zLVMr_GVxFw@mail.gmail.com> <1A299CE1-9572-48F2-84EA-2DEB21B216C1@intel.com> <CAN8C-_KEVXxS=0ca=n0b5bC=5bpV3xgwzFSE0PrUZYWUS5rHnw@mail.gmail.com> <DU0P190MB19781199C1C9E18FA7DF16B5FD939@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAN8C-_KZ5uUruf0tVfwniVWDUua9AVh7bvRAWtzZOtWzVYpEaA@mail.gmail.com>
In-Reply-To: <CAN8C-_KZ5uUruf0tVfwniVWDUua9AVh7bvRAWtzZOtWzVYpEaA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iotconsultancy.nl;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0P190MB1978:EE_|GVXP190MB1848:EE_
x-ms-office365-filtering-correlation-id: 6800745a-c411-4c92-76dd-08db3527aceb
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pRbOcbH/KMpS+sP0Bc909OBk1S2aIfj9+T8vHer19U/QYLsvraRB5nqwFAgH5TRaBJaU0/tj47OdHdsw/GI/8h6VdWsyj82S1b/d+yD7Mo+6208GfpWAP/oTWHiBEXk16Xle41MyvsIQhOWDcjODy6kMOAV8BpqYIRgPIDiEzHvyHUG2V0W816GQMnRB/2zff8SobcCPAi4Sbo2ggIQQqfy4lKjFKRjwRNcTsEyZtlf5hKjN3JeobWGPelLVgZhiaPuEKrDPymPKgNPesaFA6GIO88hJKp+1NnJP1GmMC8+kAJCeli3wzjJzJvcA3lYa2gY4Mj2XyetOmL2p/Hjm+9eQV78pHluvUxC+wofLh/VPYDuT68zfGOXSkIvGHMLT4UPPY1MVfjoodwnkt/r7xe5ZCWi2tlF/XkKj+KidHtwfdt9CP3XfDvdqIS0P/EK/MY9mEWr5SZDJSkHpphJvwR1IYZNkgMywDkRWcOK5yzZa+QJmnBPPbrECcFhHhw6DAsTvP3ZN1kuoGlBspzIPDaa0OL2Y74+H6NkIhSrrRb1aOMPRXh5er8BAk/l53ubi1N+yeHg0cJoiTDZYUbhgWd8TGhMup7g3WzsebRlQLMqu65Cqb3AeZX1PQ4QRrsRJ
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0P190MB1978.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(136003)(346002)(366004)(376002)(39830400003)(396003)(1690799014)(451199021)(66446008)(2906002)(41300700001)(66476007)(64756008)(30864003)(66556008)(4326008)(6916009)(8676002)(52536014)(66946007)(76116006)(5660300002)(8936002)(478600001)(44832011)(21615005)(54906003)(6506007)(316002)(9686003)(966005)(7696005)(26005)(53546011)(186003)(83380400001)(5930299015)(66574015)(33656002)(122000001)(86362001)(38100700002)(38070700005)(71200400001)(55016003)(166002)(559001)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4g0BqPG/W4cOcT1idQSlm5wNg7Dv4gVbvOLnqih34juZa90H9Oj0g8SUSguZht4DTiLY67b3XS4HtYike7ftZMWwshw1e1e0rloYbDG0zKD9eCOlOEHk41UvTXrWwQrq16MoHn+e+M6sGJXDNzwTU+NTlkVFtI05W45Qp/4dka55paHh3Vzad+/h9NQoCUluhNn3QO5J5gWG5rVI3Owps64Dqr3shQkiyf3DhhfQefHVMZa/SHQ7jtFqYiDZ++MOonVZ3tXWvFgW6brfO44Y8AFk6ycWgowYpjguLAMTRtibi0EnPSKo6ub/+08fXRoxMxIlZiX1VyadaBfhXnbuv2FOibm+t5NvATB+jfiOFMGJVyTD7MBiUaCJyox2T52EG7gAByatfFzBOWZc5P6Nk/Nm3Zfkei1Ke9bNmbThB7S+QPQY6e1yM8Tf7KXMzcHlqCJyFVkkeaHUe2Hgjhe9aStCceOH+NAIestLfYLd73Dy0eYRZqZtwrqHiRfwZXzicivnS/Tr/V/EkaUC1/M2M7GZPhiM3GXdEp4ZPcrQrEb6uirOZLwomEgyqfGi8g0nHadsVans2fecDcY+lpxntONuKlpLATEsTeW/dH9RThsCul68ldTeuDKQ7L5EAz/syweiYqFORZYv1W4pJItCt98m5hUEo9LA67umb2u+S4w5FP5JTKFzfadlglR/BzoUyTsVoLDOXjKI9sxtjRnM6RUb0OjTXRJVSC6//MQMBwztDMBI0xCGJuePlGxaZ+MSkd/7mjFFjgTZ+copWVgdvqoOLJOCBdyQHkY2yuU6apIk+0Nu5a9oceUfv7m2N9gyLTfEkYD5EaDfwxVUecz2UDYDupqaDmy8NOzzhqwr/ZNmnelJ6VtEYnSq375CGnVR49FbNnthxUAqe+XgapqAki8CSe8ZdDIGl5MZnICkg5gkHvdRXCFkrQ7ufCsEC1Q0BAMDlM5HcNY1r8NuavCEfwI8KpETRUnGoGVQcFiXiP0oJAmeDP67iLMnp+TLEnIsipcE+OmMJf6E47KD2DfoYhcc7ygjBH0lXpF9yyi99W6PsAxtEpyYXAG68Vqu4JoCPjRKga6L6BZN7+XBMGLSs8DGNXvWiZ54t6L1Z4JQV5wzuTpkvcxN+/kJT7GLIhvy630QBi6H1uBbECSH+lcH832+OjN9zIvriwU4Xk8w1lXOD+hBS3bcO8reMir38RiwSHMbXJ+cj16RSQ0HgpqelLF/y4fSaN9XujbmUIvhPqyXVboea5Z837vR1cI6Ps+DPclpYtVD7aQVcOZEnz9KFEY+VOrnZrfiySrPER10vAEhtgvasJGoPwD5tuEutu0VJkdHeGQ0atjPy6u42lUHnGtdMc2eDE4P2oBE8R3SRZSbzneVe4WDTylpG7UDY9C7jO89CX5ed+eNCJuhMQMOLJaETxxBZbrOdQLPsqREHbK3NT+obL945zcoJm8r3R78cAtpDhJf4MtT5aRXd5nXXjFhJWOzLCXrctfKKPVuFXo/V+7YH1pLWFEQYuhykvlWwBN+u675zmt9AeoIWBisXI07zVCo3BbvgIwz5kR45eoTVbc6NuQxbdOR2Wd9ybDr
Content-Type: multipart/alternative; boundary="_000_DU0P190MB19788753DBA803124E05B501FD939DU0P190MB1978EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0P190MB1978.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 6800745a-c411-4c92-76dd-08db3527aceb
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Apr 2023 16:14:32.3936 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +4pwOs3DdvZLBmIts7rw8fPgw8slel6GcPY20z2BggIXrRyi19yBUt1epRwadkd7ShFW/6r2kLiqxUjDKpO4CaBDJiN/oaYdbe2kT5e7xPo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVXP190MB1848
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/YsiTdcTpFyJlbWRS30OKOxGNM9M>
Subject: Re: [Anima] [COSE] [Rats] cose+cbor vs cwt in MIME types
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2023 16:14:48 -0000

The security & safety aspect is definitely important here – I was assuming that a receiver that cannot understand/parse the full media type may just render some informative details about the data object to the user, or log these details in a nice way (so that a user reading the logs can understand), without necessarily continuing to process:
the receiver should not take any risky / critical actions like authorizing something, based on a partially parsed data item. Whatever the media type composition it remains the responsibility of the receiver to not be vulnerable to attacks done by an attacker e.g. sending half-correct data items to that receiver.

For example, if a receiver logs every failed request carrying a ‘eat+cwt+cbor’ item where the CWT is incorrect in a CBOR diagnostic notation in the log file; then the attacker has a nice way to try to overflow the logs. But the same problem is there if it would be an ‘eat+cwt’ media type, although slightly different perhaps. (The version of ‘eat+cwt+cbor’ may give a slightly larger attack surface in implementations. E.g. a developer may be more tempted to let the receiver treat the data item as CBOR as a fallback option and do something with it, thus wasting system resources.)

In ANIMA WG we just had a call to discuss we could have a ‘+cose’ subtype registered, so that our Voucher format could be “voucher+cose” or “voucher-cbor+cose” or so.   (The latter ‘-cbor’ is appended to distinguish from the archetypical Voucher data format which is JSON. The fact that the COSE wrapper is itself CBOR, is independent from that.)
Input from COSE WG members would be useful for this!

Esko


From: Orie Steele <orie@transmute.industries>
Sent: Tuesday, April 4, 2023 17:27
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Smith, Ned <ned.smith@intel.com>; Laurence Lundblade <lgl@island-resort.com>; Michael Richardson <mcr@sandelman.ca>; Thomas Fossati <Thomas.Fossati@arm.com>; Thomas Fossati <tho.ietf@gmail.com>; cose <cose@ietf.org>; rats <rats@ietf.org>; anima@ietf.org
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

Inline

On Tue, Apr 4, 2023 at 2:55 AM Esko Dijk <esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>> wrote:
> So you can read the subtype "eat" and then consider it as +cwt, +cose, +cbor, for an example media type of "application/eat+cbor+cose+cwt"

It looks like in your example the order is reversed; given the existing examples defined in draft-ietf-mediaman-suffixes-03 Section 2.1?

Let’s assume it is the reverse, namely “application/eat+cwt+cose+cbor”. Then following the Section 2.1 examples a parser would go through these steps for example:


  *   Do I know “application/eat+cwt+cose+cbor” ? No.
  *   Do I know “+cbor” ? Yes, decode it as CBOR – ok it’s valid, proceed to next stage of the processing pipeline.
  *   Do I know “+cose” ? No. Processing stops here.

Is it safe to end here?


  *
  *   End result: I’ll render it in CBOR diagnostic notation.

Is this safe for a token format?


  *

Another parser might do these steps:


  *   Do I know “application/eat+cwt+cose+cbor” ? No.
  *   Do I know “+cbor” ? Yes, decode it as CBOR – it’s valid, proceed to next stage of the processing pipeline.
  *   Do I know “+cose” ? Yes, that’s COSE semantics – decode it – it’s valid, and although I can’t verify the signature, go to next stage of the processing pipeline.
  *   Do I know “+cwt” ? No, stop here.

Again is this safe place to end?


  *
  *   End result: display it as a COSE object. Do not trust it as I can’t verify the signature.

Exactly... This could be desirable, but it makes me a bit nervous... see "alg=none".


  *

Yet another parser:


  *   Do I know “application/eat+cwt+cose+cbor” ? No.
  *   Do I know “+cbor” ? Yes, decode it as CBOR – it’s valid, proceed to next stage of the processing pipeline.
  *   Do I know “+cose” ? Yes, that’s COSE – decode it – it’s valid, go to next stage of the processing pipeline.
  *   Do I know “+cwt” ? Yes, that’s a CWT – now checking that the COSE payload is correct CBOR with CWT structure inside – okay.
  *   End result: display it as a CWT.


For security oriented APIs this feels like where you want to end... Perhaps what we are seeing here is an interaction between "safe api design" and "trying to process stuff that might not be verified, or has been tampered with"...


Using the reverse way "application/eat+cbor+cose+cwt" seems not compatible with what’s currently written in draft-ietf-mediaman-suffixes-03 about “pipelines”.
For example, suppose a “CWT decoder” gets this media type first, and it then sends “eat+cbor+cose” to the next pipeline stage, that wouldn’t make sense since the ‘+cbor’ and ‘+cose’ parts were already decoded as part of ‘+cwt’.


I agree, but the JWT BCP uses at+jwt... so you either handle JWT or you fail... that seems desirable in most security cases.

For completeness here the example from the draft "image/svg+xml+gzip":

  *   Do I know "image/svg+xml+gzip" ? No.
  *   Do I know “+gzip” ? Yes, I can unzip the data – that works. Send the data to the next pipeline stage.
  *   Do I know “+xml” ? Yes, that’s just XML – can display it.

It is not "just XML".. it is "+xml" vs "application/xml"... this is discussed in the IETF 116 meeting (and there is no consensus on how the current draft should be interpreted).

- https://www.iana.org/assignments/media-types/application/xml

vs

- https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml
- https://www.rfc-editor.org/rfc/rfc7303.html#page-12


  *
  *   Do I know “svg” ? No.
  *   End result: display the object in my XML viewer.

(Using here "image/svg+gzip+xml" would lead to incorrect results clearly.)

Yes, this makes me wonder what happens to protected and unprotected headers, when processing anything with +cwt or +cose in the middle of multiple suffixes... to me this suggests that they cannot go "in the middle', unless everything to the left expects them.

I suppose this concern also applies to +jwt, except in those cases the intention is very clearly to produce a specific subtype that is also a JWT.

Arguing against myself:

“application/eat+cwt+cose+cbor”  seems ok if the goal is to end at COSE without verifying (a tamper friendly media type).

“application/eat+cwt” seems ok if the goal is to end at an eat token or fail (tamper unfriendly)

I am nervous about specifying "verifiable media types" that in practice processing of verifying can be skipped, and it seems like multiple suffixes is a gateway to seeing more of these in the future.

I think it would be nice if the suffixes draft commented on cases where digital signatures might interact with suffixes, including commenting on +jwt and +cose.


Esko

From: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Sent: Tuesday, April 4, 2023 02:09
To: Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>>
Cc: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>; Esko Dijk <esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>>; Michael Richardson <mcr@sandelman.ca<mailto:mcr@sandelman.ca>>; Thomas Fossati <Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com>>; Thomas Fossati <tho.ietf@gmail.com<mailto:tho.ietf@gmail.com>>; cose <cose@ietf.org<mailto:cose@ietf.org>>; rats <rats@ietf.org<mailto:rats@ietf.org>>; anima@ietf.org<mailto:anima@ietf.org>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

Per the JWT BCP, regarding typ.

https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing

The +jwt suffix goes on the end.

You would need to register +eat as a structured suffix otherwise.

My understanding is that you currently intend to register application/eat as a subtype, not a structured suffix (you can do both, see json).

The 116 meeting mentions that while it is the case today that most structured suffix are also registered subtypes, this might not be a reliable assumption in the future.

The current multiple suffixes draft makes it clear that processing of suffixes is right to left (confusing / surprising perhaps).

So you can read the subtype "eat" and then consider it as +cwt, +cose, +cbor, for an example media type of "application/eat+cbor+cose+cwt"

As I mentioned before, the multiple suffixes draft might not land... So it would be better to avoid multiple plus and follow the conventions from the JWT BCP, and avoid registering new or interesting suffixes, given the current confusion regarding them.

I'm not saying any of this is correct, just noting what the suffixes draft says today, and how it is related to the several +jwt media types that have already been registered.

Another interesting case to consider... Data URI of type "eat+jwt+gzip"... Since base64 URL encoding can quickly max out QR Codes / NFC or URL limits.

Decompress, verify, parse / validate.

OS


On Mon, Apr 3, 2023, 6:36 PM Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:
> application/eat+cbor+cose+cwt

EAT is a specialization of a CWT or a JWT. What in eat is encoded before the cbor (which encodes the token)?

If the conceptual message is identified by a message wrapper draft-ftbs-rats-msg-wrap-02 - RATS Conceptual Messages Wrapper (ietf.org)<https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/>, then the cbor bytes could be encoded in an cmw array. As in:
`[ “application/cbor+cose+cwt+eat”, bstr ]`

The discussion around cmw hasn’t concluded, but in theory, the array structure could be embedded in a conveyance protocol or message that would have some way to identify it as a cmw. The cmw I-D doesn’t try to define a media type name for `cmw-array`. Hopefully, that isn’t needed. But it is the outer most onion skin before talking about conveyance protocol / message framing.

-Ned

From: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Date: Monday, April 3, 2023 at 3:21 PM
To: "Smith, Ned" <ned.smith@intel.com<mailto:ned.smith@intel.com>>
Cc: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>, Esko Dijk <esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>>, Michael Richardson <mcr@sandelman.ca<mailto:mcr@sandelman.ca>>, Thomas Fossati <Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com>>, Thomas Fossati <tho.ietf@gmail.com<mailto:tho.ietf@gmail.com>>, "cose@ietf.org<mailto:cose@ietf.org>" <cose@ietf.org<mailto:cose@ietf.org>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, "anima@ietf.org<mailto:anima@ietf.org>" <anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

Inline:

On Mon, Apr 3, 2023 at 3:10 PM Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:
> there’s no standard for the key material and key identification
The observation is that the COSE block contains a key-id that can be used to locate the key material (e.g., I assume key material refers to the public key needed to verify the COSE signature given asymmetric crypto). The COSE parser (layer) would normally be equipped to handle this sort of thing. If the media type was ‘cwt’ the parser would have to support everything in the COSE layer as well as what’s in the token part as well. EAT adds additional parsing requirements on top of CWT.  Hence, the expression “application/cbor+cose+cwt+eat” isn’t unreasonable.

I would expect something more like this (according the current suffixes draft):
application/eat+cbor+cose+cwt

or simply:

application/eat+cwt (since cwt implies cbor + cose)

Closest JWT analogy currently in the registry:

- https://www.iana.org/assignments/media-types/application/at+jwt
- https://www.rfc-editor.org/rfc/rfc9068.html

keep in mind the multiple suffixes is not yet an RFC... if you can avoid multiple suffixes, I think it is very wise to do so.

The reason to use multiple suffixes is to signal that there is meaningful processing that can be done... for token formats, I feel this is less true than json flavors, such as "application/vc+ld+json".

I had a discussion with friends at IETF 116 about "sd+jwt" vs "sd-jwt", related to https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-03.html#name-iana-considerations-24

For example, sd-jwt implies normal jwt processing is not meaningful, whereas sd+jwt implies jwt processing is meaningful... There were good arguments on both sides.
Given the current state of consensus on multiple suffixes, I would potentially avoid taking a dependency on it if possible, sticking to just 1 plus.

Someone could argue that “…+cose+cwt…” doesn’t add anything, as “+cwt” alone could infer both. The same is true for “…cbor+eat…”.
But I think there is value in being able to describe a fully qualified representation that is the primitive representation after the various inferred representations have been computed.

> but that’s about the library, not dispatching some content arriving to a particular application
I think the value is it doesn’t assume monolithic applications. A library or processor that is specific to the encoding between the pluses, e.g., “+cose+”, can be used in some sort of highly optimized pipeline, rather than presumed to be a monolith.

From: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>
Date: Monday, April 3, 2023 at 12:44 PM
To: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Cc: "Smith, Ned" <ned.smith@intel.com<mailto:ned.smith@intel.com>>, Esko Dijk <esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>>, Michael Richardson <mcr@sandelman.ca<mailto:mcr@sandelman.ca>>, Thomas Fossati <Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com>>, Thomas Fossati <tho.ietf@gmail.com<mailto:tho.ietf@gmail.com>>, "cose@ietf.org<mailto:cose@ietf.org>" <cose@ietf.org<mailto:cose@ietf.org>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, "anima@ietf.org<mailto:anima@ietf.org>" <anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

I’m not sure identifying something as COSE, or even CWT is that useful because there’s no standard for the key material and key identification that cuts across all uses of COSE or CWT.

For example with EAT the receiver probably will need an endorsement (a very specific thing with very specific semantics) with a public key to be able to process the CWT/COSE. If COSE is used for encrypted email (a future S/MIME), the key material identification will probably be really different. It’s hard for me to see what a generic COSE/CWT handler is going to do here. It’s good and well if an EAT processor uses the same COSE library as an S/MIME processor, but that’s about the library, not dispatching some content arriving to a particular application.

No objection to the work here. Just some observations.

LL



On Apr 3, 2023, at 11:14 AM, Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>> wrote:

Yes! That seems to have been one proposal, related to cleaning up the registry and clarifying interpretation.

If you have strong opinions on this, please help contribute to the dialog on this media types list:

https://mailarchive.ietf.org/arch/msg/media-types/qO72m31whV5QZmV6kj55KDqS8n8/

Regards,

OS

On Mon, Apr 3, 2023 at 1:12 PM Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:
Interesting!
It would be nice if I-D.ietf-mediaman-suffixes could define a backward compatibility convention that shows how existing / registered media-type-names can co-exist with I-D.ietf-mediaman-suffixes.


From: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Date: Monday, April 3, 2023 at 10:47 AM
To: "Smith, Ned" <ned.smith@intel.com<mailto:ned.smith@intel.com>>
Cc: Esko Dijk <esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>>, Michael Richardson <mcr@sandelman.ca<mailto:mcr@sandelman.ca>>, Thomas Fossati <Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com>>, Thomas Fossati <tho.ietf@gmail.com<mailto:tho.ietf@gmail.com>>, "cose@ietf.org<mailto:cose@ietf.org>" <cose@ietf.org<mailto:cose@ietf.org>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, "anima@ietf.org<mailto:anima@ietf.org>" <anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [COSE] [Rats] [Anima] cose+cbor vs cwt in MIME types

At IETF 116 this draft was discussed:

- https://datatracker.ietf.org/doc/draft-ietf-mediaman-suffixes<https://datatracker.ietf.org/doc/draft-ietf-mediaman-suffixes/>
- https://youtu.be/BrP1upACJ0c?t=1744

TLDR; there is work in progress to define multiple suffixes, and how they are interpreted.

This would be relevant to potential future +cwt media types, it is already causing us some concern with respect to special cases of +jwt.

Regards,

OS

On Mon, Apr 3, 2023 at 12:28 PM Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:
It seems the early registrations focused on encoding formats for content to the right of the "+" like '+xml', '+json', '+cbor', '+der', while later registrations seem to include schema formats like '+jwt', '+sqlite3', and '+tlv'.

It would have been nice if the registry defined the right side for encoding formats and let the left side contain content / schema formats IMHO. That way, the parsers could scan for the "+" to identify if it supports the encoding format as a first pass operation. If it can't decode the first byte, then there's no point in going further.

If it can decode, then the first byte/bytes may provide insight into what content is there. For example, a CBOR tagged structure. But additionally, the left hand side identifies schemas. Given many data structures can be integrity protected, signed, and encrypted. Supplying a value that describes a cryptographic enveloping schema / format seems like a reasonable requirement for the '-label' to the immediate left of the plus, e.g., "-cose+cbor".
The data within the cryptographic envelope may follow a well-defined schema such as the RATS ar4si. E.g., "ar4si-cose+cbor". I don't see a problem with omitting the cryptographic envelope label if no envelope is provided. E.g., "ar4si-+cbor".

JWT and CWT are both an envelope and a data model schema, so the cryptographic envelope could be inferred. But it wouldn't be incorrect to restate the obvious for the benefit of the parsers who only care about cryptographic wrapper processing. E.g., "jwt-jose+json" is still a reasonable way to encode 'jwt'.

If there are content schemas that are to the left of some other content schema, then that can be accommodate easily by prepending another 'label-'. E.g., "ar4si-jwt-jose+json".

This approach allows an initial parser / message router to get a view of all the parsers needed to fully inspect the message in advance of making an initial message routing decision which would enable efficient parser offload architectures. There could be different registries for the different types of structure "+label" for encoding formats only, "-label" to the immediate left of "+" for cryptographic enveloping, and application formats for the next left most content.

To make processing even more efficient, the content-type-name should reverse the order based on outer-most format. E.g., "json+jose-jwt-ar4si". This way buffer only needs to contain the first bytes up to the '+' and so forth.

I realize this goes beyond the initial focus of the discussion thread. But IETF is also concerned about the long-term future of the Internet and in optimizing wherever it makes sense. Content typing is just a form of deep packet inspection that goes beyond network framing.

Cheers,
Ned

On 4/3/23, 12:33 AM, "RATS on behalf of Esko Dijk" <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org> <mailto:rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> on behalf ofesko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl> <mailto:esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>>> wrote:


Hi,


As for the questions mentioned on these slides:


1. "Is is '-cose+cbor' or '-cbor+cose'


The registry https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml<https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml> lists the subtypes that one have after the '+' sign.
'cbor' is there but 'cose' is not. 'cwt' is also not there.


So for the moment, registering a 'mytype+cose' or 'voucher+cose' or 'voucher-cbor+cose' is not possible now unless you would also register the '+cose' as a subtype. RFC 9052 did not choose to register the subtype '+cose', for whatever reason.


Luckily because COSE is just "plain CBOR" itself , we can use the subtype '+cbor'. So having "voucher-cose+cbor" would be fine. Also "voucher+cbor" would be equally ok albeit a little bit less informative that it contains COSE.




2. "are they sufficiently different" (this is about application/voucher-cose+cbor and application/eat+cwt formats)


The voucher is not a CWT format, e.g. it does not use the standardized CWT claims at all. It defines an own format within the constraints of YANG CBOR, while CWT does not use any YANG semantics.


(Now converting the constrained Voucher format into a CWT based format would certainly be possible; but that's probably not the discussion intended by these slides.)


Regards
Esko


PS more detailed info at
https://github.com/anima-wg/constrained-voucher/issues/264 <https://github.com/anima-wg/constrained-voucher/issues/264>
https://github.com/anima-wg/constrained-voucher/issues/263 <https://github.com/anima-wg/constrained-voucher/issues/263>


-----Original Message-----
From: Anima <anima-bounces@ietf.org<mailto:anima-bounces@ietf.org> <mailto:anima-bounces@ietf.org<mailto:anima-bounces@ietf.org>>> On Behalf Of Michael Richardson
Sent: Monday, March 27, 2023 01:19
To: Thomas Fossati <Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com> <mailto:Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com>>>; Thomas Fossati <tho.ietf@gmail.com<mailto:tho.ietf@gmail.com><mailto:tho.ietf@gmail.com<mailto:tho.ietf@gmail.com>>>; cose@ietf.org<mailto:cose@ietf.org> <mailto:cose@ietf.org<mailto:cose@ietf.org>>; rats@ietf.org<mailto:rats@ietf.org> <mailto:rats@ietf.org<mailto:rats@ietf.org>>; anima@ietf.org<mailto:anima@ietf.org><mailto:anima@ietf.org<mailto:anima@ietf.org>>
Subject: Re: [Anima] [Rats] cose+cbor vs cwt in MIME types


Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca> <mailto:mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca>>> wrote:
> COSE CHAIRS: can we have 5 minutes for this discussion?
> I guess I can make two slides tomorrow and get Thomas to co-author them.


I guess we didn't get any time at COSE.


https://github.com/anima-wg/voucher/blob/main/presentations/ietf116-cose-mime-cwt.pdf <https://github.com/anima-wg/voucher/blob/main/presentations/ietf116-cose-mime-cwt.pdf>


_______________________________________________
Anima mailing list
Anima@ietf.org<mailto:Anima@ietf.org> <mailto:Anima@ietf.org<mailto:Anima@ietf.org>>
https://www.ietf.org/mailman/listinfo/anima <https://www.ietf.org/mailman/listinfo/anima>


_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org> <mailto:RATS@ietf.org<mailto:RATS@ietf.org>>
https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>



_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

Error! Filename not specified.<https://www.transmute.industries/>


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries/>

Error! Filename not specified.<https://www.transmute.industries/>
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose



--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>



--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

[https://drive.google.com/a/transmute.industries/uc?id=1hbftCJoB5KdeV_kzj4eeyS28V3zS9d9c&export=download]<https://www.transmute.industries/>

v2.23.0 | Report a Bug | By Email