Re: [Cbor] Reviews and shepherd for draft-ietf-cbor-cddl-more-control

[Carsten Bormann <cabo@tzi.org>]

Hi Laurence,

thanks for following up on this.

I’ll answer about half of your message now (not in order), and the other half later.

> It would be nice if the cddl tool had a —version option so you could know easily what you have and put version dependency in document validation scripts. I wasn’t planning on updating the CDDL in the to-be-published EAT because you can’t error out saying “you need a new version of the cddl tool”.

I added a version number to the usage message in 0.11.3.

Generally,

   gem info cddl

…also gives you some information about which version of the tool you have installed.

The cddl tool will do the erroring out for you if you use an unimplemented control…

> I've done some work on this, mostly putting .b64u to work. Much is good and makes the CDDL neater and validation more thorough. The interesting one is validating https://github.com/ietf-rats-wg/eat/blob/master/cddl/Example-Tokens/deb.json

Ah, this is about describing the JWT by dividing it into its three parts, essentially a “split”-like usage of “.join”…

Hmm.

> 
> b64u should work on text strings, not just on byte strings.

Well, it accepts a text string as the target (left hand side), and a byte string as its controller (right hand side).
Do you have an example where you need something different?

(In a pinch, .cat can be used as a conversion operator between text and byte strings, but I’m not sure the tool is very smart about that.)

> In JWT, JSON-to-be signed is b64-encoded so we did the same in EAT. In deb.json, there are JSON-format Claims-Sets that are b64 encoded. The validation should be able to fully descend into them.

Yes, that is a useful objective.
.join is almost there.  You can write:

JWT-JWS = text .join ([
             b64u<jwt-headers>, ".",
             b64u<jwt-payload>, ".",
             b64u<jwt-signature>])
b64u<B> = text .b64u B
jwt-headers = text .json jwt-headermap
jwt-headermap = { * text => any } ; simplified
jwt-payload = bytes
jwt-signature = bytes

…except that, while generating example values is easy, validating against this is not that easy in general and therefore not yet implemented to a great extent in 0.11.3.

> The controller for .json names a CDDL group that can be arbitrarily complex CDDL, right? 

It is a CDDL type, and additionally its instances must be representable in JSON (this is not checked in a generic way by the cddl tool, though).

> Plaining to try out .join to validate the JWT message, a series of b64 strings separated by “.”.

> So far not sure what to make of the comment about complex use of .join and switching to ABNF.  Seems more like tool documentation than a standards. 

I think it is useful to mention that it is not easy to do a full implementation of this.

> Is there a second implementation of cddl validation?

Yes, but I’m not sure whether these follow the discussion about more-control very much at the moment.

Grüße, Carsten

Left for next mail:

> The wording in the draft for .b64u and friends should probably be more like standards language. For example:
> 
>     The target of .b64u MUST be a text string type
> 
>     The controller MUST be a byte string type (or a text string type)
> 
> Probably need to use “target” and “controller” in other places too.
> 
> All the members in the .join controller array must be text, right? It should say so.