IETF Logo Mail Archive

Re: [Cbor] Reviews and shepherd for draft-ietf-cbor-cddl-more-control

Carsten Bormann <cabo@tzi.org> Mon, 15 April 2024 06:32 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27944C14F68C; Sun, 14 Apr 2024 23:32:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.884
X-Spam-Level:
X-Spam-Status: No, score=-1.884 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yNi9w4nl5Emp; Sun, 14 Apr 2024 23:32:35 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8A2AC14F61D; Sun, 14 Apr 2024 23:32:32 -0700 (PDT)
Received: from smtpclient.apple (p5089a3d9.dip0.t-ipconnect.de [80.137.163.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4VHy5T71ddzDCdK; Mon, 15 Apr 2024 08:32:29 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <C99FB4A9-1BCD-427E-8107-9EC52F809742@island-resort.com>
Date: Mon, 15 Apr 2024 08:32:19 +0200
Cc: Christian Amsüss <christian@amsuess.com>, "cbor@ietf.org" <cbor@ietf.org>, "draft-ietf-cbor-cddl-more-control@ietf.org" <draft-ietf-cbor-cddl-more-control@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C3AABC79-14C6-45BB-888C-6B7166C7FD67@tzi.org>
References: <ZeMG7tpfKLyf3aSz@hephaistos.amsuess.com> <ZhPIC9DyzcpyhjPI@hephaistos.amsuess.com> <3FECD79D-C19A-4F04-BF04-A39AC4962C2D@island-resort.com> <31FEFB97-87CD-4B6D-86A7-06CBE12D51E8@tzi.org> <EF87DF03-8483-45DD-AA80-8E885BB78F75@island-resort.com> <824851A4-BB83-400A-BBBE-2BFA5E6A4D60@tzi.org> <3F4D3A40-B55D-4625-8684-09915B13B036@tzi.org> <C99FB4A9-1BCD-427E-8107-9EC52F809742@island-resort.com>
To: "lgl island-resort.com" <lgl@island-resort.com>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/NK2E1n9uyLdRFUZRc0ZrE2KURIs>
Subject: Re: [Cbor] Reviews and shepherd for draft-ietf-cbor-cddl-more-control
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2024 06:32:41 -0000

Hi Laurence,

> On 14. Apr 2024, at 21:30, lgl island-resort.com <lgl@island-resort.com> wrote:
> 
> I’ve made a lot of progress using .join as described below, but this comment is about “.b64u” and RFC 4648 section 5.
> 
> It’s clear to me that a base64url encoder should output “-“ and “_” instead of “+” and “/“, but it’s not clear what an RFC 4648 section 5 decoder should accept. Most tools and websites I’ve played with accept both, and that’s OK. However, I was expecting .b64u to reject  “+” and “/“ because it is opinionated, but the cddl tool 0.11.4 doesn’t.

Thank you for the bug report — fixed in 0.11.5.

> Here’s my CDDL:
>    foo = text .b64u bstr
> 
> Validating “jkd8” correctly succeeds
> 
> Validating "&kd8” correctly fails.
> 
> Validating "+kd8” unexpectedly succeeds. The “+” is b64, but not b64url.

Fixed in 0.11.5.

> Validating "YQ==" correctly fails due to opinions about padding (that I agree with).
> 
> Interestingly, .b64c does seem to reject inputs with “_” and “-“ which aligns with my reading of RFC 4648 section 4.

Yes. My .b64c implementation uses a platform API marked as strict.
I mistakenly believed that the similar platform function that I used for .b64u also was strict in its character set; it turns out it wasn’t.
So I added + and / to the check that already was handling =.

> I think I prefer strict enforcement because this is a validation tool.

I agree.

> If you are picking b64url, you are probably avoiding classic for a reason.
> 
> Whatever behavior is decided upon, it would be helpful to be clear in the draft because RFC 4648 isn’t that clear

I’d say 4648 is quite clear here.
4648 uses “recommended” once in an overview sentence where it introduces what actually is a mandate, but particularly Table 2 leaves no room for interpretation: + and / are not in the set of 4648 section 5 characters.

> and most of the tools I played with are not very organized.

Right — the above observation is another data point that indicates the existing platform mechanisms aren’t always very strict…

Grüße, Carsten

v2.23.0 | Report a Bug | By Email