IETF Logo Mail Archive

Re: [Cbor] Unusual map labels, dCBOR and interop

Orie Steele <orie@transmute.industries> Thu, 28 March 2024 18:02 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88309C16941F for <cbor@ietfa.amsl.com>; Thu, 28 Mar 2024 11:02:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.074
X-Spam-Level:
X-Spam-Status: No, score=-2.074 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JnWRCrqt09gA for <cbor@ietfa.amsl.com>; Thu, 28 Mar 2024 11:02:01 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4991BC14CE42 for <cbor@ietf.org>; Thu, 28 Mar 2024 11:02:01 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id 41be03b00d2f7-5ce07cf1e5dso870570a12.2 for <cbor@ietf.org>; Thu, 28 Mar 2024 11:02:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1711648920; x=1712253720; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rnCfOppaBxL7sGZecjn/lT0Eo9MJcjyeVowLqKM9JMY=; b=YQ6Cz+BEymTgs3uTxcr+A8b+3YiNGuVwnjVDXzcQEJuNvviXSeKcyRMAGBsfcwAqyi VcZVUDH3X1ebdlosiVr/sM+wLTjLa0wT7qmTO1he8WoZKEMe6HSKowQV0vc/g/ATwff6 dRXD30ajr4cS0M+6SUI+pFnVeE3R4n9IwApIcQHg2gDfXsefs1YQ/PLRUmY5LXITjVcS BLn88NAHVPCXEPwOeHj+LQQRxtZmpkbW47Az93jUzf73LM2jH0QBM/7MxTm1M6WBJ1+K F1OOvYwPWM14fGGxO2+vCq6g7piFuwp+69z3SEFMi9+B1LXkmVe1EUUeiE71QI0uj4Nb JPaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711648920; x=1712253720; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rnCfOppaBxL7sGZecjn/lT0Eo9MJcjyeVowLqKM9JMY=; b=B3pozSVcfFeW46ZxOt5jyeKilKbQYdrjO4Rvb0paVx0KG238VQxufBDigQhkpfyQAz G9yCxyhOPQWt/HE1zQsKSw6pyiWeLOWDsyJsWDjHxk46v+xi0kyV1STFPTIJvVsugZng XL041pFjZgzUzhci80BU/46qspm3mrZpHK2Mc0SqUOjyjO0aTC3ptIPgfqrleHxNAwgt tYq8XaIfFdlK0dTm4KrQ5AfU022MBrq2nY+oPwyqW8hoVI5265VgBsmLAFc0p26qRhRa 3SOxkeSvSfuVnaqMzM4klmGW1qtFS14bBTsQFt+KdnOcm4BuQ1L8fnVqogj9myYhtw4p NIAg==
X-Forwarded-Encrypted: i=1; AJvYcCUjlVh2KYPrA94RSJ3m4wWVkpncKLTSwXQhj1kgvmrAixmpyBwc76dK3ai9Vj91SJx9YLUXjSSGhP+f2e27
X-Gm-Message-State: AOJu0YxPbzo4nIYtudDPYoYnc+UJLY3Lm63kMWRezwtjG15mpbD2PynF ds95DpHO/MxsF3DrYpRQ9zuruAq43ZfgxRJm8Hz8WjPyaE7kIC2Jvxu03fBAyElh+SZh9hCnE8h 9h0epoGPxEd/cBraPentjc3SlkTAvmauhlB/DtAIUKHscw7ZLYdE=
X-Google-Smtp-Source: AGHT+IFalXQV+v8OycvOT6nvzOWPdE2lwxzr0GMtCID1ZHilKPjAEYL/U2kaNdb9YG0c2/8wlVmnWgRlqF2v0Cn2xW0=
X-Received: by 2002:a17:90a:9401:b0:2a0:45cf:14aa with SMTP id r1-20020a17090a940100b002a045cf14aamr138972pjo.47.1711648920427; Thu, 28 Mar 2024 11:02:00 -0700 (PDT)
MIME-Version: 1.0
References: <8C245824-1990-4616-AB70-FFD4FACB1AE9@island-resort.com> <11E8A8A5-D891-49FF-AF16-697C06F463B3@tzi.org> <9A0CE364-C141-4EBE-9703-292C416D12F5@island-resort.com> <3D62C4F0-D570-4EE4-AF6A-163C708AA6BE@tzi.org> <58BA8F8C-0C63-4534-9BF7-255C32D02C16@island-resort.com> <CAN8C-_KCLv_cAt-0-C_=i6DXjZFkgkmgZ8DNq48RcxcvV+jEUQ@mail.gmail.com> <437a375c-49e8-4406-a192-acb9a5e7bf31@gmail.com> <9272C2ED-432D-4D6D-AB64-38976F9297D5@wolfmcnally.com> <794fae9f-1c87-498b-aaea-4e476b0dc420@gmail.com> <C24BFA9D-D19C-4267-B0C8-54842B124452@wolfmcnally.com> <03144212-69bd-441e-8697-fdf1fd9f9689@gmail.com> <B53F373E-4997-4654-AB56-7719EF0ADD99@wolfmcnally.com> <CADEL5zt=CHZPpksVm8Qwo3NY0VTStbpSFPgfDbDMN8RgjVrJwQ@mail.gmail.com> <1FD1F074-F07D-46A5-AB80-7782F33FCBAB@wolfmcnally.com> <CAN8C-_JiRzWQZLpxs5p5fx7BM_zPH8-NGY-e9b6MJ_iN8nAP0A@mail.gmail.com> <DD5E4E51-62BA-4E7D-9CC2-44CA829767EB@tzi.org>
In-Reply-To: <DD5E4E51-62BA-4E7D-9CC2-44CA829767EB@tzi.org>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 28 Mar 2024 11:01:49 -0700
Message-ID: <CAN8C-_+bZ7O1MHpPrLqJ97NfecCPbuzvF7RvNL8oYCe68pfORA@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Wolf McNally <wolf@wolfmcnally.com>, CBOR <cbor@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e206a00614bc51d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/lWLaOklVxVWae18ylfKxYzwIuuA>
Subject: Re: [Cbor] Unusual map labels, dCBOR and interop
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 18:02:06 -0000

<no hat>

Sounds like the advice is:

For more specific media types such as gordian envelope, make it clear that
while they might end in +cbor they are actually a subset of cbor / dcbor.
As you have said this is essentially the same as what we do today, when
creating more specific media types for cbor based application formats.
This advice belongs in the dcbor draft, but a new media type for generic
"application/dcbor+cbor" is maybe not needed since we don't expect any
protocols to use generic "application/dcbor+cbor" or really even
"application/cbor" when they have more specific media types available such
as:

application/cose (which is never dcbor)
application/cwt (which is never dcbor)
... https://www.iana.org/assignments/media-types/media-types.xhtml (anything
with +cbor, is only dcbor when it says its dcbor)

... and it's forbidden to update a media type that was previously cbor to
dbor because doing so would create a breaking change.

I think this advice is worth writing down.

OS



ᐧ

On Thu, Mar 28, 2024 at 9:33 AM Carsten Bormann <cabo@tzi.org> wrote:

> Hi Orie,
>
>
> On 2024-03-28, at 15:10, Orie Steele <orie@transmute.industries> wrote:
> >
> > Let me try my argument one more time, and if it doesn't land, then maybe
> I'm chasing ghosts.
>
> This thought experiment makes some assumptions about what people could be
> doing that fall firmly into “don’t-do-that-then” [1] land with me.
>
> [1]: http://www.catb.org/jargon/html/D/Don-t-do-that-then-.html
>
> > Let's say you have a CWT based protocol that is supposed to implement
> dcbor,
>
> CWT is not based on dCBOR, so I don’t know what that would mean.
> (OK, maybe that new protocol is a variant that is *not* a CWT but
> otherwise similar, let’s call it NCWT.)
>
> > and that spans multiple middle boxes.
>
> And that is definitely a good scenario to test the above…
>
> > The protocol starts with a coin flip to decide which serialization to
> use "cbor or dcbor".
>
> After the coin flip, it would need to tell the result, e.g., by using a
> different media type.
>
> > After deciding any time "cbor" is chosen, a random "dcbor incompatible
> data element" (such as undefined, or weird numbers) is inserted into the
> unprotected header by every middle box that supports "cbor" and not "dcbor".
> >
> > My concern was that on the wire, the boxes will see "application/cbor",
> but internally they will process them as "application/dcbor+cbor”,
>
> Well, both media types (assuming there will be a dcbor+cbor) are
> non-specific and therefore do not provide much of a handle to do any
> application processing.
>
> > hence it is less safe for this protocol to use "application/cbor"... but
> it would be more safe for this protocol to use "application/dcbor+cbor".
>
> Yes.
> But it would be much better to use media types that are more specific as
> to the application protocol.
>
> > I think the recommendation for such a protocol would be to define a more
> specific dcbor based media type, like "application/foo+cbor",
>
> Exactly.
>
> > but then in the media type registration cite dcbor instead of normal
> cbor....
>
> Exactly.
>
> > I suspect that people won't read this registration and will look at
> "+cbor" and assume "undefined" and "weird numbers", are allowed.
>
> But there is never an assumption that foo+cbor allows all of CBOR; we
> usually try to provide some CDDL or other specification that defines (and
> thus restricts) the application data model.
> Intermediates that randomly insert data items into an application protocol
> they don’t understand are destructive.
>
> > That's the argument I am trying to articulate, is this a concern?
>
> The usual response here would be “let’s write some text then” (e.g., for
> the security considerations to discuss check/use vulnerabilities).
> But if your assumption is that people don’t read, that won’t help.
>
> Grüße, Carsten
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email