Re: [Cbor] CDDL in draft-ietf-acme-star-delegation-07

Carsten Bormann <> Tue, 06 April 2021 15:46 UTC

Hi Francesca,

here are a few comments.

(1) The definition uses oneOf, which should never be used (anyOf is usually what is actually meant; this is a well-known problem in the vocabulary).

(2) keytypes is missing a minItems=1.

(3) The regexp for “oid” (in both JSO and CDDL) is quite permissive with respect to leading zeros.  It is rather unusual to have leading zeroes (except for arc zero itself) in OID strings, so there might be some interop issues with that.

(4) the intro to the CDDL should probably mention that the multipleOf=8 on the RSA key size is not reflected in the CDDL, nor are the format=xxx keywords (which are not terribly well-defined in JSO either).

(5) subjectAltName.DNS items allow “*” and “**” in the CDDL form but might not in the JSO form (format=hostname).

CDDL Style nits:

rsaKeySize = int .ge 2048
rsaKeySize = uint .ge 2048
While these mean the same in CDDL, converters such as CDDL-YANG converters could put in different underlying built-in data types, and uint is actually the basic type for a size in bits.

There are a number of “1*” occurrence qualifiers that might be slightly more readable as “+”. 

regtext-or-wildcard could be simplified by making use of prioritized choice (Appendix A of RFC 8610).  Of course, the current form is easier to translate into other specification formats (which actually wasn’t done for the JSO form), so this is just a note.  

The non-empty object requirement (JSO: minProperties=1) could be stated in CDDL as

({……}) .and ({ + any => any })

To reduce noise, a generic could be defined:

non-empty<M> = (M) .and ({ + any => any })

…and used:

distinguishedName = non-empty<{
  ? country: regtext-or-wildcard

There is not a lot of tool support for .and, so I am not going to push for this, but it sure works for me.

Grüße, Carsten

> On 2021-04-06, at 12:18, Francesca Palombini <> wrote:
> CDDL experts,
> I am reaching out because draft-ietf-acme-star-delegation-07 is in IESG review, and it contains some normative CDDL, accompanied by non-normative JSON schema alternative, which I don't think got any reviews from (other than authors) CDDL folks. I have personally checked the CDDL via tools, but another set of eyes looking would be great.
> If you have a second to take a look at it, and send any feedback before tomorrow, I would be very grateful: 
> (Yes, this will become part of the ART Area Review Team area of competence, and you are very welcome to take part in that discussion )
> Thanks,
> Francesca
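
Added example, not part of the message above or of the draft: a Python sketch of the interop concern raised about the “oid” regexp, showing how a pattern that accepts leading zeros lets two different strings name the same OID. PERMISSIVE_OID is a constructed stand-in (the draft's actual regexp is not reproduced here), and STRICT_OID, the helper names and the sample strings are assumptions made for illustration.

```python
import re

# Constructed stand-in for a permissive pattern: any run of digits per arc.
# NOT the regexp from the draft; it only shares the property under discussion
# (leading zeros are accepted).
PERMISSIVE_OID = re.compile(r"[0-9]+(\.[0-9]+)*")

# Stricter alternative (assumption): each arc is "0" or has no leading zero.
STRICT_OID = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*")


def accepts(pattern, text):
    """True if the whole string matches the pattern."""
    return pattern.fullmatch(text) is not None


def canonical(text):
    """Return the OID with leading zeros stripped from every arc."""
    if not accepts(PERMISSIVE_OID, text):
        raise ValueError(f"not a dotted-decimal OID: {text!r}")
    return ".".join(str(int(arc)) for arc in text.split("."))


def ambiguous_groups(oids):
    """Group strings that differ textually but denote the same OID."""
    groups = {}
    for oid in oids:
        groups.setdefault(canonical(oid), []).append(oid)
    return {key: forms for key, forms in groups.items() if len(forms) > 1}


# Constructed sample values.
SAMPLES = [
    "2.5.29.37", "2.05.29.037",   # same OID, two spellings
    "1.3.6.1.5.5.7.3.1",
    "0.9.2342", "00.9.2342",      # arc zero itself vs. zero-padded
    "2.5.29.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:20} permissive={accepts(PERMISSIVE_OID, s)!s:5} "
              f"strict={accepts(STRICT_OID, s)}")
    print(ambiguous_groups(SAMPLES))
```

A consumer that compares OID strings byte-for-byte (for example against an allow-list) would treat the two spellings in each group as different values unless it canonicalises first or rejects the padded form at validation time.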