[Cbor] CDDL for CWT, JWT, UCCS and UJCS

Laurence Lundblade <lgl@island-resort.com> Mon, 25 October 2021 17:23 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 674BA3A0E15 for <cbor@ietfa.amsl.com>; Mon, 25 Oct 2021 10:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id R3Nx1BDrRJG9 for <cbor@ietfa.amsl.com>; Mon, 25 Oct 2021 10:23:12 -0700 (PDT)
Received: from p3plsmtpa06-02.prod.phx3.secureserver.net (p3plsmtpa06-02.prod.phx3.secureserver.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F8AE3A0DC7 for <cbor@ietf.org>; Mon, 25 Oct 2021 10:23:12 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPSA id f3eamRSjOZUorf3eamw2eh; Mon, 25 Oct 2021 10:20:56 -0700
X-CMAE-Analysis: v=2.4 cv=asJ3tQVV c=1 sm=1 tr=0 ts=6176e779 a=VPU1mRQhDhA4uSX60JRRww==:117 a=VPU1mRQhDhA4uSX60JRRww==:17 a=48vgC7mUAAAA:8 a=xLVHtm_MZ-zFkIr1GpEA:9 a=QEXdDO2ut3YA:10 a=0uuE_O8oMfqEXb6voXcA:9 a=-pPNhuCSWNJX9qXt:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4DB9C3E0-E196-4F62-AEEF-42582A8163BA"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Message-Id: <DF92CC30-A84C-4474-AF2B-C51C9856534D@island-resort.com>
Date: Mon, 25 Oct 2021 10:20:56 -0700
To: rats <rats@ietf.org>, cose <cose@ietf.org>, cbor@ietf.org, ace@ietf.org
X-Mailer: Apple Mail (2.3608.
X-CMAE-Envelope: MS4xfMRNw0V1/Icpu6lZBtimBwuWmAq0GdSc/7JJVCsGOEKH+gvWkR/lRkqjrtob+srHxfwMcKAu6VcwuZG12jbKthBP4WJ7cS36cLKpSsBgXoipiAg3lt6C TelXvihHAVVa8UYAnTD8E025p3wJt6ftWRa3gNsGBUDL1grVMkOrLZ9ae/YNX1Jj4GTIm4x4p6Lu1J0Hthhx6YPoE+zpGN80IimYsHLhYZzNDKeVOwAltU3T FfmXLQhmW37luM2oSVZ1tg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/GXf2QXK51n31AflwRZ6mpKc6Ulc>
Subject: [Cbor] CDDL for CWT, JWT, UCCS and UJCS
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 17:23:21 -0000

Hi folks,

Sorry for the large cross-post, but wanted to be sure everyone is a little aware of this.

The latest EAT draft  <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-11> efines CDDL for a Claims-Set, the main collection of label-value pairs that is central to CWT and JWT. It is intended to work for both CBOR and JSON (and maybe other encodings). When you want to define a new claim for a CWT or JWT you can write it in CDDL and both the CBOR protocol implementer and JSON protocol implementer know what to do. Should even work with the CDDL validation tools. See here <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-11#section-8.4>.

There’s a few other things in this EAT draft:
The Claims-Set CDDL applies to UCCS
It defines UJCS (which is a one-liner in CDDL) in case you don’t want to use JWT NULL algorithm for something like EAT Attestation Results
It defines a way to put a CWT inside a JWT and vice versa since EAT needs nested tokens

A common format for signed/encrypted/unsecured collections of CBOR/JSON label-value pairs seems generally useful for more than just EAT. The common format could give some code re use too.

I’m not sure that this belongs in the EAT draft. I put it in EAT to get it published in a coherent way for the basis of discussion. I’m expecting discussion of this in the RATS sessions at IETF 112 (Chairs / ADs, maybe you have an opinion on where further discussion can happen).


P.S. This turned up some issues around how CDDL for CBOR+JSON works and how to validate with the cddl validation tool:
Integer vs text labels
How to represent byte strings so they get b64 encoded and validate
An alternative to CBOR tags for JSON