IETF Logo Mail Archive

Re: [COSE] Structure of CBOR certificates

Joel Höglund <joel.hoglund@gmail.com> Mon, 27 July 2020 16:24 UTC

Return-Path: <joel.hoglund@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 820873A1B25; Mon, 27 Jul 2020 09:24:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUhuWNzGYXg8; Mon, 27 Jul 2020 09:24:52 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA9F03A1B39; Mon, 27 Jul 2020 09:24:37 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id a14so15522998wra.5; Mon, 27 Jul 2020 09:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qelDdkHxD2MNryuUirLIMvENB98jiG21CK3vtO1UckI=; b=VzLCdZBgYDduKdMRG+cRnFf9v4PajAR4lSFb5Ci3FxGAR0xJ8kf/pDWGA1Z2K1dPPN YPmEpzs7zxqNbVW2YimWISods88q/hnvPDlHhlKFJAOzeJ5b/uXhB6NsgzROVPKQJaeL 4EmdgjdckQsENao7QAmF5c78LS7Ukny5sJTlkdnKL+Yke2Pf6CuzPcgIFC1eRrjLN1ea L3tGvTyyfPA3Bg5Q5wNCq9u8tFiTEJFn1PTsydKGkdsQ/VkIMqBsBZU/ze7RlSMIRzhJ kys1dg39oo9lgljUVSHX5WZiSYaP2qJqt2rdXwNsHWsP8CVFpFkov9emdiOBWKBzACeq u9DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qelDdkHxD2MNryuUirLIMvENB98jiG21CK3vtO1UckI=; b=j/5d0yjNAbJKVRR3bpiFOHMpGca+7rrMKEBriyfvLDt/wmRIkmawYEH0Wjh4nsSDvi cYcH3TG1J9FBTic+/yQvjd2z5VwvyrAjl/TgnVqSiRnx6wGSW7pdZgyNRNZbWY1TpCfI yvahX27W3GhkSZ6EKEuTESx4HsMgQfpxZqi3p1Pf8xTud2aF2OPrLqXPt0KBcsLBlfJA +I1b1PR15ZqjRAV7gTI2NtqFg6WxTVEAfTfn4riqugiSOCDvpaOayIl6NDNgWcze34Po VH2OIGj3+c5IHQLghOBVsIdTXzUeNTBNuoHiKSGzA2lqCQlA/+efN33i6dsttVVZcZyz wHvA==
X-Gm-Message-State: AOAM531pfjsHTY0ymhgQdtUlVQKqpgm/nLBuvn2ZqaLdnvoj1Jnq1MZW gqt5910dq1kJJiX9g68s4VfstQ8YgHSc5g38l5fTUv8Hc8w=
X-Google-Smtp-Source: ABdhPJxvj0JqLSphQC9EpJBgwu+FyZXvu0Y2QN0ZX/qx5/Kb47mAleGE4lrO15vyO9x7gvGFY1yPfOZPYUK0bdyfW3Y=
X-Received: by 2002:adf:dfc7:: with SMTP id q7mr21005381wrn.80.1595867076199; Mon, 27 Jul 2020 09:24:36 -0700 (PDT)
MIME-Version: 1.0
References: <4fbee615-6d6f-700f-2439-237add7fbcf2@sit.fraunhofer.de> <CAHszGE+A=e9tdBZpa51wMasxm1AhA_xRbAUCmR55xXSJgtF7Lg@mail.gmail.com> <20200710125843.GA224527@LK-Perkele-VII> <CAHszGELkqDzL8n1FWOmLiTQh1jxS7EZKNZCqX89PEFoisHXPmg@mail.gmail.com> <702.1595377246@localhost> <CAHszGEKzcnCsNgZNpthAoJbK3JjSGYRDjsvN_2=QNqVP-F-hfg@mail.gmail.com> <75486A7D-E06F-49F8-A851-6A051816EBA7@tzi.org>
In-Reply-To: <75486A7D-E06F-49F8-A851-6A051816EBA7@tzi.org>
From: Joel Höglund <joel.hoglund@gmail.com>
Date: Mon, 27 Jul 2020 18:24:25 +0200
Message-ID: <CAHszGELSMnUnooaBUrxWDL9EoNRcOikKsz3s6H82u4CD-8FRig@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, draft-raza-ace-cbor-certificates@ietf.org, Ilari Liusvaara <ilariliusvaara@welho.com>, cose@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002f880f05ab6ec286"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/07wRdUTm_erlWCWpHQYZpEbjOMY>
Subject: Re: [COSE] Structure of CBOR certificates
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 16:24:55 -0000

Hi!

A reply and a comment below:

On Wed, 22 Jul 2020 at 13:12, Carsten Bormann <cabo@tzi.org> wrote:

> Hi Joel,
>
> > Michael, to quickly reply to your explicit question: the new draft was
> posted before the IETF 108 deadline on 2020-07-13, which is also before the
> expiry dates of the three different drafts that are now combined. (
> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/ )
>
> That draft says in
> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
> that it Replaces            draft-raza-ace-cbor-certificates,
> draft-mattsson-tls-cbor-cert-compress
>
> What is the third draft?
>

The current draft, draft-mattsson-cose-cbor-cert-compress-01 is the result
of updating and combining:
draft-raza-ace-cbor-certificates-04,
draft-mattsson-tls-cbor-cert-compress-00 and
draft-mattsson-cose-cbor-cert-compress-00.


>
> > Another observation is that while our starting point has been to encode
> rfc7925 compliant certificates, we hope to make the proposal more future
> proof by allowing new algorithms also deemed suitable for constrained
> environments. With that target, we think it is possible to exclude RSA on
> the list of supported algorithms.
>
> Supported for what…
>
> The chain may still have RSA certificates in it.
>
> Grüße, Carsten
>

Supported for being possible to parse and validate by an IoT device: if a
chain has RSA certificates in it, the end device would need to implement
RSA algorithms too. Which is what we have considered out of scope. From
rfc7925, the following explicit constraint is stated:

There are various cryptographic algorithms available to sign digital
certificates; those algorithms include RSA, the Digital Signature Algorithm
(DSA), and ECDSA.  ... [C]ertificates are signed using ECDSA in this
profile. This is not only true for the end-entity certificates but also for
all other certificates in the chain, including CA certificates.This
profiling reduces the amount of flash memory needed on an IoT device to
store the code of several algorithm implementations due to the smaller
number of options."

Best Regards

Joel Höglund


<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Virus-free.
www.avg.com
<http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

v2.23.0 | Report a Bug | By Email