Re: [COSE] "CBOR Certificates"

Göran Selander <goran.selander@ericsson.com> Fri, 12 February 2021 07:37 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] "CBOR Certificates"
Thread-Index: AQHXAL5qhu5RvtjwakaGg9eCSpSu5apUMumA
Date: Fri, 12 Feb 2021 07:36:47 +0000
Message-ID: <B8DE7623-B2D2-48EE-A832-626058268EDB@ericsson.com>
References: <5C2A6065-AC5E-4702-A94D-F72C85BD6DAC@ericsson.com> <452ddae14b19ac8a6b98cdbbb20edede@bbhmail.nl> <4c5a7de2-e855-3bb7-cc6d-abfaa86c09dd@ri.se> <d197e8c500c7f1b284c74f3d25985df845d722c2.camel@aisec.fraunhofer.de> <2214.1613079564@localhost>
In-Reply-To: <2214.1613079564@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/2Mjyv8gTbO5Klq-nsRV0q5riWYI>

Hi Michael,

We have struggled with naming. And as names have been updated, not all text has followed. 
The draft is defining a CBOR encoding of PKIX certificates and two different ways of signing them. One which requires re-encoding as ASN.1/DER and one which does not, each having advantages and disadvantages. It seems to me that both variants have support in the working group. 

We can revisit the naming, and discuss whether it is relevant to describe one as an intermediate step between the PKIX and the other. But removing the specification of one of them because of confusion with the current naming is throwing the baby out with the bath water.

What you point to is that in -06 the term "CBOR certificate" is overloaded to mean either both variants, or the variant which is signed over ASN.1/DER.

I think it makes sense to use the term "CBOR certificate" (shorthand for "CBOR encoded X.509 certificate") as a common term for both (i.e. keep the title of the document), and use other qualifying words to describe the difference in how the signature is generated.

These terms are probably too long:
1. CBOR certificate signed over the ASN.1/DER encoding
2. CBOR certificate signed over the CBOR encoding

We have already discussed and agreed on "natively signed CBOR certificate" for no. 2 and I don't have a better proposal. How about "PKIX signed CBOR certificate" for no. 1? Other proposal?

For comparison, with this terminology the quoted text (with minor editorial) becomes:

       PKIX signed CBOR certificates provides an intermediate step between
       PKIX certificates and natively signed CBOR certificates: An implementation
       of PKIX signed CBOR certificates contains both the CBOR encoding of the X.509 certificate
       and the signature operation, which are sufficient for processing natively signed CBOR certificates.

(If we still don't like this paragraph and can't fix it then we can skip it.)

Thanks for providing IDevID examples! Please share, you don't need to do the compression.

Göran


On 2021-02-11, 22:39, "COSE on behalf of Michael Richardson" <cose-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:


    So, draft-mattsson-cose-cbor-cert-compress has in its title:

            CBOR Encoding of X.509 Certificates (CBOR Certificates)

    Section 7 is: _Natively Signed CBOR Certificates_

    and I strongly believe that we should remove this section, and the title.
    This is going to be very confusing.  And section 7 is not sufficient to really
    have native CBOR Certificates.  It even says that it's an intermediate step.

       CBOR encoded X.509 certificates provides an intermediate step between
       [RFC7925] or [IEEE-802.1AR] profiled X.509 certificates and natively
       signed CBOR certificates: An implementation of CBOR encoded X.509
       certificates contains both the CBOR encoding of the X.509 certificate
       and the signature operations sufficient for natively signed CBOR
       certificates.

    So if this document confuses people into thinking that this intermediate step
    is "CBOR Certificates", then when we actually do that (as LGL and others
    want to do with EAT), then there will be mass confusion.

    So, if that term could be struck from this otherwise excellent document on
    compressing PKIX certificates, that would be nice.

    (ps: I have some IDevID examples which I can share.  I've been trying to
    compress them, but haven't done the OID compression that I need yet)

    --
    Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
               Sandelman Software Works Inc, Ottawa and Worldwide
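The distinction the thread is arguing about, a "PKIX signed" CBOR certificate versus a "natively signed" one, comes down to which bytes the CA signature covers and therefore what a verifier must be able to reconstruct. The following is an added illustration, not code from the draft or its authors, and it does not use the draft's actual encoding: the certificate is a toy four-field structure, the CBOR and DER encoders are minimal stdlib-only subsets written for this example, and HMAC-SHA256 stands in for the CA's signature operation because the Python standard library has no asymmetric signature primitive. The field values and key are constructed sample data.

```python
"""Toy model of the two signing variants for a CBOR-encoded certificate.
PKIX signed: signature covers the ASN.1/DER encoding, so the verifier must
re-encode CBOR -> DER before checking it.  Natively signed: signature covers
the CBOR bytes, so no ASN.1 code is needed on the verifier.
HMAC-SHA256 is a stand-in for the CA signature (stdlib only)."""
import hashlib
import hmac
import struct

# ---- minimal CBOR encoder/decoder (RFC 8949 subset: uint, bstr, tstr, array) ----
def _head(major, n):
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("argument too large for CBOR head")

def cbor_encode(v):
    if isinstance(v, int) and not isinstance(v, bool) and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    raise TypeError("unsupported type %r" % type(v))

def cbor_decode(buf, pos=0):
    """Decode one data item; return (value, position after it)."""
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    else:
        size = {24: 1, 25: 2, 26: 4, 27: 8}[ai]
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if major == 0:
        return n, pos
    if major == 2:
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unsupported major type %d" % major)

# ---- minimal DER encoder (INTEGER, OCTET STRING, UTF8String, SEQUENCE) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(n):  # non-negative only; adds a leading zero byte when the high bit is set
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Toy certificate content (constructed sample): [serial, issuer, subject, public key]
FIELDS = [123456, "CA", "device-1", bytes(range(32))]
KEY = b"constructed-demo-ca-key"  # stand-in for the CA signing key

def to_cbor(fields):
    return cbor_encode(fields)

def to_der(fields):
    serial, issuer, subject, pk = fields
    return _der(0x30, der_int(serial) + _der(0x0C, issuer.encode())
                + _der(0x0C, subject.encode()) + _der(0x04, pk))

def sign(key, data):  # stand-in for the CA signature operation
    return hmac.new(key, data, hashlib.sha256).digest()

# Variant 1: "PKIX signed CBOR certificate": signature computed over the DER bytes.
def issue_pkix_signed(fields, key):
    return to_cbor(fields), sign(key, to_der(fields))

def verify_pkix_signed(cert_cbor, sig, key):
    fields, _ = cbor_decode(cert_cbor)
    # Verifier must deterministically re-encode to DER to recover the signed bytes.
    return hmac.compare_digest(sign(key, to_der(fields)), sig)

# Variant 2: "natively signed CBOR certificate": signature computed over the CBOR bytes.
def issue_native(fields, key):
    cert_cbor = to_cbor(fields)
    return cert_cbor, sign(key, cert_cbor)

def verify_native(cert_cbor, sig, key):
    return hmac.compare_digest(sign(key, cert_cbor), sig)  # no ASN.1 code involved

def demo():
    c1, s1 = issue_pkix_signed(FIELDS, KEY)
    c2, s2 = issue_native(FIELDS, KEY)
    return {
        "same_cbor": c1 == c2,                 # both variants carry the same CBOR
        "pkix_ok": verify_pkix_signed(c1, s1, KEY),
        "native_ok": verify_native(c2, s2, KEY),
        "pkix_sig_accepted_natively": verify_native(c1, s1, KEY),  # False: different bytes signed
        "cbor_len": len(c1),
        "der_len": len(to_der(FIELDS)),
    }

if __name__ == "__main__":
    print(demo())
```

The cross-check in `demo()` is the practical point behind the naming debate: the two variants transmit identical CBOR, so only the qualifier tells an implementation whether it needs the CBOR-to-DER re-encoder (and a bit-exact one, since any difference in the reconstructed DER invalidates the signature) or can verify the received bytes as they are.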