Re: [Cbor] CDDL for COSE + EAT/CWT + SUIT + CoSIWD

Michael Richardson <> Thu, 09 December 2021 18:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 10CF13A094B; Thu, 9 Dec 2021 10:54:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZfLN9WUzejt6; Thu, 9 Dec 2021 10:54:16 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5BBF43A0948; Thu, 9 Dec 2021 10:54:15 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3667538A47; Thu, 9 Dec 2021 13:58:01 -0500 (EST)
Received: from ([]) by localhost (localhost []) (amavisd-new, port 10024) with LMTP id sabjL-b_E29B; Thu, 9 Dec 2021 13:57:59 -0500 (EST)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id E91A938A46; Thu, 9 Dec 2021 13:57:58 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1639076278; bh=2IsZpXsNnWQy28WJ+G4BcYBnl8eBo9EAIi130qAxdzM=; h=From:To:Subject:In-Reply-To:References:Date:From; b=HHY/mWm1I4ULegdF/WdcKkRMMtsO5Q4sx78ydLtHvvheE+8gpgFznUggmNL0VZjYh XT8bdcOmVVR4kCiwEw4JVBua+ZYFFx4k7i5KxBrx18eypiJm7bIHknZttXxIyEllBw 2qhrkc6iKeyvZA/mSSfV0anhDh6KYFz1Q+DOwBPLabOtcx6FWaNeyBEEzVdbwdaayv O8T/Gznw8YJfBiSdvt0+dRiTu9bXkE47ciH1fLov7zM6lxfyEtq/pqOtisqOMh5Jan q1gYZjgjnhh49vf5fPFFHy/rS5AaUEJhMne8VRNrVsUFExLZ+uLDIEtycbs50paESL 4HotQQHlTJNlQ==
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 28C181FB; Thu, 9 Dec 2021 13:54:10 -0500 (EST)
From: Michael Richardson <>
To: "" <>, cose <>
In-Reply-To: <>
References: <> <> <> <> <>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 09 Dec 2021 13:54:10 -0500
Message-ID: <9912.1639076050@localhost>
Archived-At: <>
Subject: Re: [Cbor] CDDL for COSE + EAT/CWT + SUIT + CoSIWD
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 09 Dec 2021 18:54:22 -0000

{noticing this is not CC'ed to SUIT or SACM or RATS}

Laurence Lundblade <> wrote:
    > I am observing how two different protocols that use COSE specify what the COSE payload should be. I am interested because EAT must specify this too. I noticed that they do it different:
    > — CoSWID goes to a lot of trouble to use CDDL via a .cbor control

probably because CoSWID author (Henk) is also CDDL author, and therefore is
more expert at using CDDL.

    > — SUIT just uses simple prose, not CDDL

I think that the question is what kind of advice CBOR and COSE WG should provide to
other WGs about whether or not to explain things with .cbor controls.

    > Here’s the link between for COSE payload for CoSWID. It is in blue in this CDDL that is replicated from COSE. It occurs in  section 7 of CoSWID. <>

    > COSE-Sign1-coswid<payload> = [
    > protected: bstr .cbor protected-signed-coswid-header,
    > unprotected: unprotected-signed-coswid-header,
    > payload: bstr .cbor payload,
    > signature: bstr,
    > ]


    > EAT inherits this from CWT so it doesn’t need to say it explicitly.
    > However EAT uses CDDL so it is a possibility that EAT can do what CoSWID did.

That seems like the right way to me.
It's unclear to me which direction will work better for people who are not
CDDL experts.  Consider  that a formal language like CDDL might actually be
easier to understand for non-native-english speakers!

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]        |   ruby on rails    [