IETF Logo Mail Archive

Re: [Cbor] CDDL for COSE + EAT/CWT + SUIT + CoSIWD

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 08 December 2021 12:30 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2910F3A0763; Wed, 8 Dec 2021 04:30:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=EaVzk1Ea; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=EaVzk1Ea
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phMn-X1pW8BC; Wed, 8 Dec 2021 04:30:18 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20057.outbound.protection.outlook.com [40.107.2.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE79D3A074E; Wed, 8 Dec 2021 04:30:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8zoSPgIG9R02NqBAG3Dgq3wlTFWxyCIzJEL3Nq0lWv8=; b=EaVzk1EahFFf1/qDtivZzMJmlZ3Q9Qa2sk5MWfsP1LyoM6M+a/3vXGJ+JCdASBdZp1JYSeST4BjzF7qToT3VhT8jg1BVw6in7s8kE2LBKD3TmXUNo8cJ5VVoVVywZpZCQuKtbr61t9SwTKJISqYr986QX12rIditE8TVykWlIBU=
Received: from AM6P194CA0049.EURP194.PROD.OUTLOOK.COM (2603:10a6:209:84::26) by AS1PR08MB7476.eurprd08.prod.outlook.com (2603:10a6:20b:4dc::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.13; Wed, 8 Dec 2021 12:30:14 +0000
Received: from AM5EUR03FT045.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:84:cafe::3a) by AM6P194CA0049.outlook.office365.com (2603:10a6:209:84::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.17 via Frontend Transport; Wed, 8 Dec 2021 12:30:13 +0000
X-MS-Exchange-Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=temperror action=none header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout)
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT045.mail.protection.outlook.com (10.152.17.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.13 via Frontend Transport; Wed, 8 Dec 2021 12:30:12 +0000
Received: ("Tessian outbound c61f076cbd30:v110"); Wed, 08 Dec 2021 12:30:12 +0000
X-CR-MTA-TID: 64aa7808
Received: from e5ac3ab311d8.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id E0EA7E78-85FE-49EE-B2F9-6B3F9B7CB2FE.1; Wed, 08 Dec 2021 12:30:06 +0000
Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e5ac3ab311d8.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 08 Dec 2021 12:30:06 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DpcqCuHikBPHXq3xz7pUsIOw4b/CHwFtbe2ge4qhkOR30cOYpkxqMeANKNPcOs2GYOddo+C91iZvFZaBrnq4NQVr84lH6BLFLUq7qxjqx2wdiehwPKcBs8ao0tWZ73l8ww0IyyqfDQ95KtApBhjGb9MQynOMuQBLfjXKrNDuurrEf6g8ORim+GTErJmeHXTsEOvEimODCvR5urDRaqY2IWjogHoTorG6HgCz68waz9a3aNAJfCa33lbhHKkR8ZdY6e0SMDcqPHPsDRsiXXOZpsWyMtFv41+ufgWE0XptyY+SUbdWKDpmvx8MOr1JAcSpAP3qc615UwY/f2+ZBA4bMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8zoSPgIG9R02NqBAG3Dgq3wlTFWxyCIzJEL3Nq0lWv8=; b=LPaNPS/T5k6Z0Ud4mcxXBQvsBkuOQ0MvFoHXtzQG3Ic4CBpK+URvj4OxlXgB022Ic8CWhwjk5vs6N0mPrxDobIlJbvzJuTVcZyA1wNjfkYzXOu4Pp2DfSROQcG1wcB9O71gwwDpKW61prHGOZ3vUBvF/K2gMtpWiCuXTYr2NgxfpASyELCfUrvs3waREVh8o1FUIW4X9rBcyp68aySqLVlmtc9AszdqRmCpEeKGkEHBJ9EzEi4TlIQbFMURZHkWrSk6eRWMHhWsU91iipiclxeHLZfo0/sZ1/ZE2OHNYh1VAA4fmhBgSARiw0GYyxd+RvwvbKOZXK/DHiEFI3fZKcg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8zoSPgIG9R02NqBAG3Dgq3wlTFWxyCIzJEL3Nq0lWv8=; b=EaVzk1EahFFf1/qDtivZzMJmlZ3Q9Qa2sk5MWfsP1LyoM6M+a/3vXGJ+JCdASBdZp1JYSeST4BjzF7qToT3VhT8jg1BVw6in7s8kE2LBKD3TmXUNo8cJ5VVoVVywZpZCQuKtbr61t9SwTKJISqYr986QX12rIditE8TVykWlIBU=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by DB6PR0802MB2535.eurprd08.prod.outlook.com (2603:10a6:4:a1::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.21; Wed, 8 Dec 2021 12:30:05 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::dd96:eb7:b263:b290]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::dd96:eb7:b263:b290%4]) with mapi id 15.20.4755.022; Wed, 8 Dec 2021 12:30:05 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Laurence Lundblade <lgl@island-resort.com>, cose <cose@ietf.org>
CC: "cbor@ietf.org" <cbor@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Thread-Topic: CDDL for COSE + EAT/CWT + SUIT + CoSIWD
Thread-Index: AQHX67gvNbcS2jfqyUOwtKjobSbIKKwohLpQ
Date: Wed, 08 Dec 2021 12:30:05 +0000
Message-ID: <DBBPR08MB591541267172A49382892483FA6F9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <85278E84-AD34-4F68-94DC-437BABCCD621@island-resort.com>
In-Reply-To: <85278E84-AD34-4F68-94DC-437BABCCD621@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 3B1020697708E84D9ECC04E7986A1ACA.0
x-checkrecipientchecked: true
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: f1230114-12c6-44ab-7078-08d9ba467b0c
x-ms-traffictypediagnostic: DB6PR0802MB2535:EE_|AM5EUR03FT045:EE_|AS1PR08MB7476:
X-Microsoft-Antispam-PRVS: <AS1PR08MB74766E9482AE30B5B643BD7AFA6F9@AS1PR08MB7476.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: c0VC99rHjxrX3aj/YPNlwYdtwTaUTYUfKwibA5E59x/ufPVq0bATnoeKeD/QBFmjfIq30bZWN2yI+qJhsCuBa0YxsV2lIil92+LqlAA3ShgCj9QfAjY3trHJzSufIGKCMdI2T+rs1wEa8Kldsrog6Nulwf5K/XqWfCZJoH0Ka6IIXbYn+SBWn8h5pzVDFh01AVe7/wlblT0GbCC6jkPBt2Zq64MhSqZwCEdFEH5Jmv7USOdIV74UVwDqVrp8GPiDHXGjWvv1nqcbkVe88ych9OZpmrbjL/65OIcjMcOrZd66XVyrJaTdJDxYGx2KQbakyPiGT6fKsEijjFYvsxblCNEfCVWFIPILqQZ2+3u9s8j8YePrIzEe/5z0gZmon9+rpPHlAcYeXQRIzKHT88zUWD3uysoSpVbA/EG3Jxw8YYiwEQp/IcRtj55ZjgGmREwfnn/YQbM/vzzjDj+amHCLw9sfGyYOrHSnthYxtQYSQpGdPl7GN2z0fqqeySSIxi2ZpuAN+xi6YaFBfGYiFpnrhV3SyucuMaZd3l0+zp0sRPIathsg7kdUnZzKtYIvBhsQgixqHR2o2Oh/feSIvwf/Po8pblwwWIVgs7w/ndMS1+DNVEXXNYL0o1MIFRU8DA3cYgcV3PVjsih5yVthQVkslPWexBg9X4vetobTZSNfyrIuil4ft3e55xLQDoWr4fjAPWCD0flGR72hpkIYAmKxtQ==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(110136005)(55016003)(38100700002)(83380400001)(8676002)(7696005)(76116006)(9686003)(54906003)(66446008)(2906002)(5660300002)(8936002)(316002)(64756008)(66556008)(122000001)(66476007)(66946007)(4326008)(52536014)(86362001)(71200400001)(38070700005)(6506007)(33656002)(53546011)(508600001)(26005)(186003); DIR:OUT; SFP:1101;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0802MB2535
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT045.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 142fa822-26de-4017-875a-08d9ba4676ab
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: azZU2zA6GO+JQPXii6q2YIIEe9oxzn1NJUa/U+D4wEfIE8HTcCeps6coGRClZQZLfoUEIiM2ezK1fZNqKLWztqG0Q1u9zhmn2hkuvCI5nqwIDXM8JV5PnSj9Zm7g5czEu8dQFrlMT0ME7gI7aW7M90HQuHs5uieqOhj2cJTFUhxTbvunUnX7a9QBycVgZwAY1rG7QaSXcsuKfJlrdA0gfh1j41X8jptqD3hekKY7FGCLIRXb3eaf+lPWJ1QtYOBnMhZu/2vX9jNYS4vGK+u2mscCMXmc9O/gvUVi2hycDUELAGxlo839PavoQGEbpCnsGUT7LAjtb4DzYWmscjEi8Z09M0rrWBBZ5rJVAIK1dr8xa+SHS8X9ARPk06IR7Uv+tTVh4xgsbZAjbvu0/8zizR2lRTuPbEG0rGvWwSxqbHUmWj1++ZSAh6kFpvkHaaM+AK12M7u9UMib7s1whz0p6bGoq/PiWjnSC5a+iINe2acOmklAenIPHrB9q5vshsBMI0OMXoFKPlKI29nVgT/c/7cRjeeQDTuGwRSonLEbUpwX6Yei+burUL0ZHhbFqtD5KYD4TFHn4L8Z4KbYkflk0GFkfXfuS6rF+dzb5bhHzwMECijb6v/6ZuynRs3Tj3MmbB9odz0+u0hRopixXTQi1MYoT+iyOmWYyx7igwf4L2j20vlUQtHZEjXevmc5HWpZNn2XmqM6SHbzzya7vzQZC/8lOERq8V2NfSSk5UbczyGz7HyOzcKGUD7ewWFCKopvCFQXM2gbzbpgjOfVCDniIw==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(46966006)(36840700001)(40470700001)(450100002)(83380400001)(70206006)(63370400001)(55016003)(5660300002)(8676002)(54906003)(336012)(36860700001)(81166007)(82310400004)(70586007)(63350400001)(110136005)(40460700001)(316002)(86362001)(26005)(47076005)(8936002)(33656002)(186003)(2906002)(9686003)(7696005)(52536014)(53546011)(6506007)(107886003)(356005)(4326008)(508600001); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Dec 2021 12:30:12.3742 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f1230114-12c6-44ab-7078-08d9ba467b0c
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT045.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS1PR08MB7476
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/ZDXfEV-OIFTDFnSNgkBGaBZwgi0>
Subject: Re: [Cbor] CDDL for COSE + EAT/CWT + SUIT + CoSIWD
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2021 12:30:23 -0000

Hi Laurence,

I am wondering why you want to do this. The reason is that EAT by itself is not really an interoperable spec. COSE on its own is not interoperable either. With the SUIT manifest we have just stripped it down to the bare minimum to make it interoperable but it is not finished. I have no idea whether CoSWID is an interoperable spec.

Hence, I wonder whether it is just better to reference COSE by saying that they would be refined by a profile.

For the SUIT manifest and for CoSWID I would even go a step further and move the "Software Manifests" claim to a separate specification. This specification would be finished after EAT. The main reason is that neither CoSWID nor SUIT are finalized and would block the publication of EAT. Spending more time on the software manifest topic will help to improve the quality of the claim once the details have all been fleshed out (including examples, implementation experience, end-to-end story).

Just my 5 cents...

Ciao
Hannes


-----Original Message-----
From: Laurence Lundblade <lgl@island-resort.com>
Sent: Tuesday, December 7, 2021 11:17 PM
To: cose <cose@ietf.org>
Cc: cbor@ietf.org; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Subject: CDDL for COSE + EAT/CWT + SUIT + CoSIWD

Hi,

Not sure where this will go, but thought it worth running up the flag pole.

To validate EAT CDDL I’m pulling in *all* of these into one:
— CoSWID CDDL
— SUIT CDDL
— COSE CDDL
— EAT/CWT CDDL

I have diag format EAT example tokens with claims that are CoSWIDs that validate against the above.

CoSWID replicates and modifies a lot of COSE CDDL in normative text primarily so it can fully specify the COSE payload with a .cbor control.

SUIT doesn’t replicate COSE. It specifies the COSE payload in prose.

I have thus far taken SUITs approach as I don’t want to replicate and modify COSE CDDL. EAT also must support nesting of COSE encryption inside COSE signing and such. (It seems CoSWID’s approach actively prohibits COSE encryption).

In an ideal world, I think the CDDL in the COSE struct draft would some how use a CDDL template through which one could specify the CDDL for the COSE payload.  This CDDL template would work for COSE signed, then encrypted or encrypted then MAC’’d and any other nesting of COSE. In this ideal world CoSWID wouldn’t have to replicate CDDL from COSE and SUIT and EAT could use it too. I’m not sure this ideal COSE CDDL is possible though.

Has anyone considered writing the COSE CDDL this way?

Another problem with the replicated COSE CDDL in CoSWID in the EAT document build and validate is that there is collision between the names of CDDL rules. I’m just manually tweaking stuff to get around this. CDDL name spaces would fix this.


If the world stays the same (no change to COSE struct document or CoSWID) I can make EAT work as follows:
 - No .cbor control to specify the COSE payload, only prose
 - Some non-normative, unpublished glue CDDL that is part of the EAT document build and example validation script is needed.

LL








IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email