Re: [Cbor] Benjamin Kaduk's Yes on draft-ietf-cbor-sequence-01: (with COMMENT)

Jim Schaad <> Thu, 19 September 2019 02:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0CA4C12008A; Wed, 18 Sep 2019 19:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1LPaP33fU7Aj; Wed, 18 Sep 2019 19:27:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D9ECF12007A; Wed, 18 Sep 2019 19:27:38 -0700 (PDT)
Received: from Jude ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 18 Sep 2019 19:27:32 -0700
From: Jim Schaad <>
To: 'Benjamin Kaduk' <>, 'The IESG' <>
CC: <>, <>, <>
References: <>
In-Reply-To: <>
Date: Wed, 18 Sep 2019 19:27:29 -0700
Message-ID: <008401d56e91$caf513f0$60df3bd0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEizBJKGRp1vGdGTbmCKwQZxgn0oqiXhtwQ
Content-Language: en-us
X-Originating-IP: []
Archived-At: <>
Subject: Re: [Cbor] Benjamin Kaduk's Yes on draft-ietf-cbor-sequence-01: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Sep 2019 02:27:41 -0000

One response down below.

-----Original Message-----
From: Benjamin Kaduk via Datatracker <> 
Sent: Wednesday, September 18, 2019 4:41 PM
To: The IESG <>
Cc:; Jim Schaad <>om>;;;
Subject: Benjamin Kaduk's Yes on draft-ietf-cbor-sequence-01: (with COMMENT)

Benjamin Kaduk has entered the following ballot position for
draft-ietf-cbor-sequence-01: Yes

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Section 2

   o  Otherwise, decode a single CBOR data item from the bytes of the
      CBOR sequence, and insert the resulting CBOR data model value at
      the start of the result of decoding the rest of the bytes as a
      CBOR sequence.  (A streaming decoder would therefore simply
      deliver zero or more CBOR data model values, each of which as soon
      as the bytes making it up are available.)

nit: I think s/each of which/each of which is delivered/, or just take Barry's suggestion that addresses the nit differently.

Section 3

   The use case for the "+cbor-seq" structured syntax suffix is the same
   as for "+cbor": It SHOULD be used by a media type when parsing the

nit: if the use case is literally "the same as" for "+cbor" then there would seem to be literally no value in having "+cbor-seq".  So perhaps "essentially the same as" or similar would be more appropriate?

Section 5

I might note that when COSE is applied to the elements of a sequence, the cryptographic protection is on a per-element basis, and thus there is no guarantee of relationship between level of protection, source authentication, time of generation, etc., across members of the sequence.

[JLS] I don't believe that there is any requirement that there be only a single element of a sequence inside of a COSE wrapper.  If three elements are generated at the same time then all three could be placed into a single encryption.  Thus I am not sure how to say that the protection is on a per-element basis.  

While it is true there is not necessarily a relationship between each COSE object, each COSE object does have the ability to provide that information for each element of the sequence.  You have more than what you started with, where you had none of that, and now you have it for each element.  You just need to do key validation on each decryption.  That might be a better way to say things in that a stream could have multiple sources and thus multiple keys.


Section 6.1

It's probably best to treat the following as a side note and thus not an actionable comment, but couldn't the URL fragment fairly easily be used to extract numbered elements of the sequence?