IETF Logo Mail Archive

Re: [Cbor] Updated Drafts for dCBOR I-D and Gordian Envelope Structured Data Format I-D & IANA Tag Registration

Christopher Allen <christophera@lifewithalacrity.com> Thu, 01 June 2023 00:49 UTC

Return-Path: <christophera@lifewithalacrity.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FB07C15198D for <cbor@ietfa.amsl.com>; Wed, 31 May 2023 17:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lifewithalacrity-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQNx_ywspxyh for <cbor@ietfa.amsl.com>; Wed, 31 May 2023 17:48:58 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6389C1516FF for <cbor@ietf.org>; Wed, 31 May 2023 17:48:58 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-51496f57e59so496835a12.2 for <cbor@ietf.org>; Wed, 31 May 2023 17:48:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifewithalacrity-com.20221208.gappssmtp.com; s=20221208; t=1685580537; x=1688172537; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UU5f8VJsATbE8DYzqDwqJai1JXKoO1B+rH7RymoveMw=; b=0dn7FXHBbGSTcReInhzchCXgoef9v1m8QGb1peb4E1LtWFoWEtsk5h+Wfsp9C6TaZm zRaXHEGIjEKFKZtCqT9nx/Yva62hyuPeSMVAWz6QE5C8yHGLtI+8Cb8SQ+XAvtX0w5+A DOUITAZv05iXvz+gt3CKDYyAg82HrN1lRC0d8iN2Mu5YHToJiVGThDmadbRFoQjESRkd CH0qkGJfHC8K56yi7eLfq2LVd9fi9C/OS+GI/4bbbWvuSIyPcxdDUgKMfOP7ZplOMrN4 r8TPS49PJglY5TKU0zUiZevcDdBe96Fo+sb52TItxTIXhj+5VEVQx+5N8Gs5GJ7YFu4Y 5j8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685580537; x=1688172537; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UU5f8VJsATbE8DYzqDwqJai1JXKoO1B+rH7RymoveMw=; b=Ski3aRsTBVy5Z3LqTdeWXrNkgRys0c39kwwxzuWTiDsZCMVXO2MkSnx9x98kWeuvyU aMaJx3bFHiLMVPAyLuFVZnzjMVgDrN5oTHxb48Zp+mVYtt8Ns1Vr+SWhGZI63WZx8BwV 1aMQA9vyk/SqPPfQLQXmLS3R0tXOGHcxSA6b9oxYfQDCl9Kojh7AT+MfOfsl9hQAPe+M u9X8CqGL2SS6Ti899kSjiR0H9WelXyMrewTbdtMTU/ipn8MuBG4yfS5O5AfhBhPHG97+ QXXhfAyQeyinBnsVg9rr9/H9jKAZf2GpIzmNFZvKRqO2owL4jzamNNunhIBNwlQXYxY0 fAHg==
X-Gm-Message-State: AC+VfDy7X092hqe6EON1ZuI8A8UgDIm7M61/Oe6pLvPQwAM/0SaVjYG3 kQEL7Zc/yd1okaOOuKouentaysohIYIUkOKAyegcBw==
X-Google-Smtp-Source: ACHHUZ6wAPQCL/+oqJtZQYNzQi4vUdvpvxIqa7MXD+BXr4AGv2n9WIxbuI6KOFcLdq7uP9nQy/Q/xvHarIAeAkfkrfQ=
X-Received: by 2002:aa7:c615:0:b0:514:9df0:e3ec with SMTP id h21-20020aa7c615000000b005149df0e3ecmr5287779edq.0.1685580537122; Wed, 31 May 2023 17:48:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAAse2dEFB_FVP6_KkNANSYPW+yX4-M9pN3YkUq5=FTgLZnyWGw@mail.gmail.com> <FFD1AFCB-45F7-4893-B4B8-F2F093FEE6E5@tzi.org> <42FDA88A-7D6A-4AA7-986A-C94EBC1B0999@wolfmcnally.com>
In-Reply-To: <42FDA88A-7D6A-4AA7-986A-C94EBC1B0999@wolfmcnally.com>
From: Christopher Allen <christophera@lifewithalacrity.com>
Date: Wed, 31 May 2023 17:48:46 -0700
Message-ID: <CAAse2dGQzjBPFK-HFAYvkZQxbi-zR_c=_4LEvO3yATX=fDwkGw@mail.gmail.com>
To: Wolf McNally <wolf@wolfmcnally.com>
Cc: Carsten Bormann <cabo@tzi.org>, cbor@ietf.org, Shannon.Appelcline@gmail.com
Content-Type: multipart/alternative; boundary="00000000000027e13205fd06cd16"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/zEeQyk5ILQ9xLibHSlDmiZ1f6Ww>
Subject: Re: [Cbor] Updated Drafts for dCBOR I-D and Gordian Envelope Structured Data Format I-D & IANA Tag Registration
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2023 00:49:03 -0000

On Wed, May 31, 2023 at 4:33 PM Wolf McNally <wolf@wolfmcnally.com> wrote:

> (4) I think there may be a misunderstanding here. Crypto-agility is a
> non-goal of Gordian Envelope; in fact, we feel that crypto-agility is often
> a huge barrier to understanding and adoption; I think Christopher will have
> more to say about this.
>

To be transparent, Gordian Envelope is specifically designed to have only
one required cryptographic function, a hash algorithm. Every other
cryptographic function happens in layers above Gordian Envelope. If an app
wants to use IETF COSE, W3C Linked Data CBOR, ISO mDOC, or something else,
it can. We very specifically are trying to avoid being a new "security"
protocol and only use a NIST standard hash algorithm (SHA256) and a
well-understood and proven hash tree (patented by Merkle in 1979) for
integrity checking. No new crypto here — only new in that it is designed to
offer integrity checking of graph data in CBOR.

Our main promise, as described in the section on Futureproofing, is that as
> the crypto landscape changes we are sure that we can update the spec to
> incorporate additional cryptographic constructs as they become necessary.
> For now, the only actual normative construct is the hash algorithm:
> SHA-256. This is due to the intractability of handling envelopes (and hence
> hash trees) with hashes created by a multiplicity of algorithms.
>

We investigated if there could be multiple choices (we had originally
chosen the slightly superior Blake3), but having multiple choices causes
too many problems. There were just two many reasons why SHA256 was the
optimum choice today, especially given constrained hardware. We really
don't like how IPFS/Filecoin has 10s of hash algorithms and the
incompatibilities between them and the implementation problems it causes.
I have also written before about my reservations about classic
cryptographic agility at
https://www.blockchaincommons.com/musings/musings-agility/.

The strength and weaknesses of SHA256 are quite well understood, and when
combined in a hash tree, it is even stronger. If there should be a break in
SHA256, we should have plenty of warning, and at that point, we could
register one new tag that is equivalent to our 200 tag, which says "This is
a Gordian envelope, but it uses XXX algorithm". We believe it is premature
to register that next tag or even make decisions now on how to implement
that tag, but if advised to do so, we would as long as the choice of which
next hash algorithm to use is allowed to be "pending", as this topic area
is changing too rapidly.

Nothing in the spec requires that a particular construct for encryption (or
> compression) must be used; it only informatively states what we’re using
> now. As was indicated in the Futureproofing section, we don’t believe that
> we need algorithm specifiers in envelope as the only normative algorithm is
> defined by the spec, and other normative documents will define standards
> for other constructs as well as ways to disambiguate their envelope
> encodings. To be clear: the `encrypted` arm of the envelope is *not* a
> specification for IETF-ChaCha20Poly1305, it is a specification that the
> envelope is *encrypted* by some means and the only requirement is that it
> publishes the hash of the plaintext in a verifiable way: nothing more.
> Likewise the `compressed` arm of the enveloped is *not* a specification for
> DEFLATE, it is a specification that the envelope is *compressed* and that
> it publishes the hash of the uncompressed contents.
>

Our reference implementation (a CLI app) happens to use a conformant IETF
RFC 7539 ChaCha20Poly1305 to demonstrate the `encrypted` option, but it is
not part of the spec. Similarly, we use a conformant IETF RFC 1951 DEFLATE
to demonstrate the `compressed` option, but again, that is not a normalized
part of the spec, purely informative. In both cases, it is the layer above
that makes its own choices. If they want cryptographic agility at that
layer, they can choose one that supports that capability.

-- Christopher Allen

v2.29.0 | Report a Bug | By Email | System Status