IETF Logo Mail Archive

Re: [COSE] Paul Wouters' Discuss on draft-ietf-cose-countersign-09: (with DISCUSS and COMMENT)

Paul Wouters <paul.wouters@aiven.io> Tue, 20 September 2022 17:07 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADFF6C1522D2 for <cose@ietfa.amsl.com>; Tue, 20 Sep 2022 10:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wIVZGdbt-lNW for <cose@ietfa.amsl.com>; Tue, 20 Sep 2022 10:07:02 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D8F2C14CE28 for <cose@ietf.org>; Tue, 20 Sep 2022 10:07:02 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id d8so2802631iof.11 for <cose@ietf.org>; Tue, 20 Sep 2022 10:07:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date; bh=qm2p5/LYH9vDdCNVrC22LKLL7u7IW6nrQvhFfHf4dlw=; b=iaaYIu1MbTUiahpawscSa99U7YQDZEgdN7xNW6Ag4lsMVfXnqElbQPFY1RzZU63DRn 1ivXoLbRDcnnUm9OgMFoBIKwSaFXSQ9kecpvlE0Lt24WW+zpzJR8OhlJn+RD/w5Ph/41 PZMmtp6QPeq861GueuSLzBbMZfz+wKr/Me6Xg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date; bh=qm2p5/LYH9vDdCNVrC22LKLL7u7IW6nrQvhFfHf4dlw=; b=bR5x7Asc3EXl6lyUp+tiYuNkWZ4wFISnI2JhG6bQgerj40brZ9MYYZ+fihTVuiLpZQ eU8LgiTLaFLii04n9DGmUAYgLZUw7MYN8HmlxCl8kXeft2tWLQr4RUGH3aTxWFk/ngCy BK/VVZ7iOiK8xfD21H0zrLE68DxSZFHMFrvsjNEEXZ7pvIHsHsi94Wcl5zdN8XeoXWzw 56yAZgyM9aFqWYITkaDx64DKgWkT8pAB0UXPprubtz8NuN0O4ziwZk1p9tIUkGNWP3wr 33JT8fN4VqdaK3No3DCL3KMYFUPdzhcwnstcfgVgImDfnRtJGt/3SGDTqFQDGneWraJE 1kDA==
X-Gm-Message-State: ACrzQf1CBAtCfkNTIxakGmhQDBaiEOSQ7xiaq7a52lJsJFJeqQqiKmkx WqyIFj0vtm0Pdx/sNjPAb2LThA==
X-Google-Smtp-Source: AMsMyM6Gviqe0PrfUQYg6bgrjxcCclGHRYfkG0GIFl43d9+9CGefuESf6RjKnxb9SZxtcL2eUFEcOw==
X-Received: by 2002:a05:6638:130a:b0:35a:b44d:f8c3 with SMTP id r10-20020a056638130a00b0035ab44df8c3mr7022030jad.59.1663693619528; Tue, 20 Sep 2022 10:06:59 -0700 (PDT)
Received: from smtpclient.apple ([2605:8d80:665:c5b1:ed6b:fa0a:6f4c:bf84]) by smtp.gmail.com with ESMTPSA id o19-20020a056e02103300b002f4c576a9f8sm102668ilj.37.2022.09.20.10.06.57 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 20 Sep 2022 10:06:57 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-5713CB58-49B7-4440-BF9E-416DFEE87DE9"
Content-Transfer-Encoding: 7bit
From: Paul Wouters <paul.wouters@aiven.io>
Mime-Version: 1.0 (1.0)
Date: Tue, 20 Sep 2022 13:06:54 -0400
Message-Id: <FEBFA908-2614-4DA4-9831-1E943F5A15BD@aiven.io>
References: <A5155715-10F1-405A-B2A5-66FB9E521B33@vigilsec.com>
Cc: IESG <iesg@ietf.org>, draft-ietf-cose-countersign@ietf.org, Cose Chairs Wg <cose-chairs@ietf.org>, cose <cose@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
In-Reply-To: <A5155715-10F1-405A-B2A5-66FB9E521B33@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/2LE1GnP3HBy4z8jrYT6wM73xCWc>
Subject: Re: [COSE] Paul Wouters' Discuss on draft-ietf-cose-countersign-09: (with DISCUSS and COMMENT)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2022 17:07:06 -0000

Yes that would resolve my DISCUSS 

Sent using a virtual keyboard on a phone

> On Sep 20, 2022, at 11:48, Russ Housley <housley@vigilsec.com> wrote:
> 
> Paul:
> 
> I propose adding this information reference:
> 
>    [CBORDIAG] Bormann, C., "CBOR diagnostic utilities",
>               <https://github.com/cabo/cbor-diag>.
> 
> Then, the text at the front of the examples would say:
> 
>    This appendix includes a set of examples that show the different
>    features and message types that have been defined in this document.
>    To make the examples easier to read, they are presented using the
>    extended CBOR diagnostic notation (defined in [RFC8610]) rather than
>    as a binary dump.
> 
>    The examples are presented using the CBOR's diagnostic notation.  A
>    Ruby-based tool exists [CBORDIAG] that can convert between the
>    diagnostic notation and binary.  The referenced webpage includes
>    installation instructions.
> 
>    The diagnostic notation can be converted into binary files using the
>    following command line:
> 
>    diag2cbor.rb < inputfile > outputfile
> 
>    The examples can be extracted from the XML version of this document
>    via an XPath expression as all of the sourcecode is tagged with the
>    attribute type="CBORdiag".  (Depending on the XPath evaluator one is
>    using, it may be necessary to deal with &gt; as an entity.)
> 
>    //sourcecode[@type='CDDL']/text()
> 
> Does this resolve your DISCUSS position?
> 
> Russ
> 
> 
>> On Sep 20, 2022, at 10:58 AM, Russ Housley <housley@vigilsec.com> wrote:
>> 
>> Carsten:
>> 
>> Do you have a webpage anywhere that can be pointed to by this document?
>> 
>> Russ
>> 
>>> On Sep 8, 2022, at 8:36 PM, Paul Wouters <paul.wouters@aiven.io> wrote:
>>> 
>>> I am fine with a pointer to a downloadable source which can also contain the commands to install the software. Upon compromise, the pointer can be updated to protect the immutable RFC text. Wether it points to GitHub or IETF or elsewhere doesn’t matter to me.
>>> 
>>> Paul
>>> 
>>> Sent using a virtual keyboard on a phone
>>> 
>>>>> On Sep 8, 2022, at 16:04, Russ Housley <housley@vigilsec.com> wrote:
>>>>> 
>>>> 
>>>> 
>>>>> On Sep 8, 2022, at 1:47 AM, Carsten Bormann <cabo@tzi.org> wrote:
>>>>> 
>>>>>> On 2022-09-08, at 04:14, Paul Wouters via Datatracker <noreply@ietf.org> wrote:
>>>>>> 
>>>>>> ----------------------------------------------------------------------
>>>>>> DISCUSS:
>>>>>> ----------------------------------------------------------------------
>>>>>> 
>>>>>>       gem install cbor-diag
>>>>>> 
>>>>>> I am concerned about adding install commands for "programs from the internet"
>>>>>> within an RFC. If the rubygem for some reason becomes malicious, we cannot
>>>>>> pull it from the RFC (even if we pull it from the datatracker link, it would
>>>>>> still live on in copies of the RFC elsewhere and malicious people could point
>>>>>> to copies of those original RFCs to point people to downlod the malicious rubygem.
>>>>>> 
>>>>>> I would be okay with an iet.org download location of a ruby gem.
>>>>> 
>>>>> “gem install” is the appropriate way to install rubygems software, not a “location of a rubygem”.
>>>>> 
>>>>> What you seem to be asking for is some indirection so we can swap out the name of the gem in case cbor-diag becomes rogue.  That does make some sense to me, but we’d need to install that indirection somewhere in a place maintained by the IETF.
>>>>> 
>>>>> ➔ “Please consult https://www.ietf.org/software/cbor-diag for the way to install this software”.
>>>>> And that page would contain instructions including “gem install cbor-diag” until that goes rogue.
>>>>> 
>>>>> Can we get such a infrastructure of pages recommending software up and running?  Do we mire ourselves in process issues (who gets change control etc.)?
>>>>> 
>>>>> Data point from a quick search:
>>>>> The RFCs that already suggest installing rubygems via a direct “gem install” include RFC 8152, RFC 8610, RFC 9052.
>>>>> 
>>>>> (In reality, I’d expect the rubygems organization to act more quickly on a report of cbor-diag going rogue than the IETF would.)
>>>>> 
>>>>> Grüße, Carsten
>>>> 
>>>> 
>>>> Paul:
>>>> 
>>>> Are you satisfied with this explanation? Or, would you prefer the pointer to https://www.ietf.org/software/cbor-diag
>>>> 
>>>> Russ
>>>> 
>> 
>

v2.23.0 | Report a Bug | By Email