Re: [core] Media type for OSCORE in HTTP (Was: AD review of draft-ietf-core-object-security-08)
Göran Selander <goran.selander@ericsson.com> Wed, 21 February 2018 07:47 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0103712E882 for <core@ietfa.amsl.com>; Tue, 20 Feb 2018 23:47:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.321
X-Spam-Level:
X-Spam-Status: No, score=-4.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8jIl8rlt_rkw for <core@ietfa.amsl.com>; Tue, 20 Feb 2018 23:47:48 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2128212E880 for <core@ietf.org>; Tue, 20 Feb 2018 23:47:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1519199264; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=IXQDstRkoy2x5qalG2R/qHduqvdbkLNaEpNSXb73gPY=; b=LkIvTOuP34p+IrXiJdlqHjJW+FXSuLjEbmzphfF///aCox3mwlMkl5L7B2xnYwLx XgtC/SYMdPD6nmOagUPIcVhNGKAkFH5ic7/Ve2jv5y6tUA9l9cldUziWrTb+RQy8 n2lRgovRbSmOqdEyOMZl0qG8RuAmsu16uLBcCPxB2uc=;
X-AuditID: c1b4fb2d-87c029c000005540-21-5a8d242099b6
Received: from ESESSHC012.ericsson.se (Unknown_Domain [153.88.183.54]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 12.97.21824.0242D8A5; Wed, 21 Feb 2018 08:47:44 +0100 (CET)
Received: from ESESSMB107.ericsson.se ([169.254.7.129]) by ESESSHC012.ericsson.se ([153.88.183.54]) with mapi id 14.03.0352.000; Wed, 21 Feb 2018 08:47:44 +0100
From: Göran Selander <goran.selander@ericsson.com>
To: Carsten Bormann <cabo@tzi.org>
CC: "core@ietf.org WG" <core@ietf.org>, "draft-ietf-core-object-security.authors@ietf.org" <draft-ietf-core-object-security.authors@ietf.org>
Thread-Topic: [core] Media type for OSCORE in HTTP (Was: AD review of draft-ietf-core-object-security-08)
Thread-Index: AQHTqagJt6vNLBmjjUqxOVAMxqqEAKOsA50AgADkPoCAAZVagA==
Date: Wed, 21 Feb 2018 07:47:43 +0000
Message-ID: <D6B2C5D5.9FDCF%goran.selander@ericsson.com>
References: <D6B0C4F1.9FB9A%goran.selander@ericsson.com> <E9960982-EA03-48CE-8724-8D852381299D@tzi.org> <D6B1402A.9FBE6%goran.selander@ericsson.com>
In-Reply-To: <D6B1402A.9FBE6%goran.selander@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.3.170325
x-originating-ip: [83.251.191.108]
Content-Type: text/plain; charset="utf-8"
Content-ID: <15355749ADDDB0459542D7B50445B9DE@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrIIsWRmVeSWpSXmKPExsUyM2K7ma6CSm+UwbdNGhZHptxltdj3dj2z xeZnX1kdmD2WLPnJ5DFtUWYAUxSXTUpqTmZZapG+XQJXxu4jZxkL7ulXfGmay9TAeECvi5GT Q0LAROLN0susXYxcHEIChxklFs9dzg6SEBJYwijxbTIPiM0m4CLxoOERE4gtIqAkceHiGjYQ m1lgIqPE3lcSXYwcHMICWRKNO4wgSrIlFrxsZIWwnSSWXtsDNpJFQFVi8tpGsDG8AhYSXV+m M0PsncEocXb1E0aQBKeApcTb/gYwm1FATOL7qTVMELvEJW49mc8EcbSAxJI955khbFGJl4// gS0TFdCT2NvTzgZyjwTQnT0bpEBMZgFNifW79CGmWEscuHmXHcJWlJjS/ZAd4hxBiZMzn7BM YBSfhWTZLITuWUi6ZyHpnoWkewEj6ypG0eLU4uLcdCNjvdSizOTi4vw8vbzUkk2MwIg7uOW3 7g7G1a8dDzEKcDAq8fCeftETJcSaWFZcmXuIUYKDWUmEt1KoN0qINyWxsiq1KD++qDQntfgQ ozQHi5I470lP3ighgfTEktTs1NSC1CKYLBMHp1QDo8Pnb0zKixZItx9QXH7/n0aCjanCIv6D KyYXaLQp1vrkX3yoLbRZJef1RBXFsr6DKadlXwRIMydaLV04h3+t/Zd10Ts2bnx5+2nTwc0y 85L3XPk15YhQUF+ixKqLtrx5/KnF9yymv3+5/uvC7akH3OJsv5Yv2yFiy/Au2Nzm3wulhzM0 YpVbupRYijMSDbWYi4oTAQAmhn+0AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/n8ulvdhuhBb4fVVB8qkWJVQS6ms>
Subject: Re: [core] Media type for OSCORE in HTTP (Was: AD review of draft-ietf-core-object-security-08)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 07:47:49 -0000
Responding to my own mail -- got an off-list comment that the reasoning was hard to follow so here is another try. When an OSCORE message is sent with CoAP the Content-Format option is redundant (i.e. the Content-Format of the CoAP message visible on the wire, not the Content-Format of the original unprotected CoAP message which is encrypted and part of the ciphertext of the COSE message). The Object-Security option, containing the compressed COSE headers, has all information necessary to process the COSE object in addition to signaling “this is an OSCORE message”. Since there is no default for Content-Format this should be sufficient for CoAP. Intermediary nodes that perform legitimate proxy operations on an OSCORE message either understands OSCORE, in which case they can know where to find the necessary information in the message (e.g. reading class I options, mapping between HTTP and CoAP), or if they don’t understand OSCORE can process the message as an ordinary CoAP message (e.g. CoAP proxy forwarding, blockwise fragmentation). When an OSCORE message is sent with HTTP we need to explicitly signal that this is OSCORE for which the new media type 'application/oscore' is defined. Hope that makes more sense. Göran On 2018-02-20 08:36, "Göran Selander" <goran.selander@ericsson.com> wrote: >Hi Carsten, > >The intent is to allow a few defined operations independent of media type >of payload between OSCORE wrapping in the sending endpoint and OSCORE >unwrapping in the recipient endpoint, including: CoAP proxy operations, >blockwise fragmentation and reading class I options. And with the addition >of HTTP processing, also the operation of mapping between HTTP and CoAP. >Before OSCORE wrapping and after OSCORE unwrapping the processing should >be handled by the normal transfer layer. So, a special media type like >'application/oscore' keeping “helpful” HTTP processing away seems to be >right. Apart from that I don’t see a reason to make any special use of >Content-Type/Content-Format. But maybe I’m missing something? > >Additional comments inline. > > >On 2018-02-19 20:00, "Carsten Bormann" <cabo@tzi.org> wrote: > >>On Feb 19, 2018, at 09:35, Göran Selander <goran.selander@ericsson.com> >>wrote: >>> >>>>> - reuse of "application/cose” defined in RFC 8152 (if appropriate) >>>>> - new media type e.g. “application/oscore” to be defined in this >>>>>draft. >>>> Either of these work for me. >>> >>> >>> Does anyone have an strong opinion here (or deviating opinion about the >>> necessity of having this header field)? >> >>Generally, REST bodies (as transferred in payloads in CoAP) need to have >>a media type. >> >>OSCORE skirts around this for CoAP by having the Object-Security option >>essentially supplant Content-Format. >>That is not great design. (It also isn’t a disaster.) > >[GS] The other alternatives add more message overhead. > > >>(This works, as long as these are not in error responses, since >>Content-Format does not have a default, see RFC 7252 Section 5.5.1.) > >[GS] Error responses protected by OSCORE are not visible as error >messages. > >> >>For HTTP and its valiant ecosystem, there may be stronger reasons to >>indicate a media type so existing implementations don’t feel like they >>should try to help (*). >> >>application/cose is not useful because the OSCORE payload isn’t. > >[GS] There was a request to use one of the reserved flag bits to indicate >a variant when the OSCORE payload is a COSE object instead of a compressed >COSE, but in general that would not be the case, and the discussion of the >reserved flag bits was deferred to Group OSCORE. > >> >>So something like application/oscore should be registered > >[GS] OK. Unless there are other comments I will add this in a new >subsection in the IANA considerations and the additional HTTP-CoAP mapping >rule. > > >>(is there only one of these?). > >[GS] As stated above, I don’t see the need to make any other distinction >based on media type. > >> >>Next question: Does this media type get a Content-Format value, too? > >[GS] Same answer here, I don’t see the need. But if someone can give a >good reason we can define that. > >Göran > > >> >>Grüße, Carsten >> >>(*) technical term: “try to help” = destroy a protocol based on all the >>nicest intentions. >> >
- [core] Media type for OSCORE in HTTP (Was: AD rev… Göran Selander
- Re: [core] Media type for OSCORE in HTTP (Was: AD… Carsten Bormann
- Re: [core] Media type for OSCORE in HTTP (Was: AD… Göran Selander
- Re: [core] Media type for OSCORE in HTTP (Was: AD… Göran Selander