IETF Logo Mail Archive

Re: [COSE] Key identifier of type bstr / int

Orie Steele <orie@transmute.industries> Mon, 21 March 2022 18:04 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA6FF3A1245 for <cose@ietfa.amsl.com>; Mon, 21 Mar 2022 11:04:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEYHXrbNVAQv for <cose@ietfa.amsl.com>; Mon, 21 Mar 2022 11:04:37 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E9C3A1211 for <cose@ietf.org>; Mon, 21 Mar 2022 11:04:37 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id w27so25912208lfa.5 for <cose@ietf.org>; Mon, 21 Mar 2022 11:04:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Kel7psWSughe3FkztcjGMdT7wdepbZVjuG/orXcUI74=; b=LVCZ+vtP6PtLrG+HvVK1Ni2safecA2DjqSTQV0hv7KCKLjAHYXipnUHSDRz80zpEbC QPBPSXwWQMBxvhiUhpRbCGcWTtsc9qpk01s8dNkgxSDCt1fNMuQQZCFrHJjwwxbNdANP zipDJhrhDRekrprcX3ysp/hIIc34cS1Y+WKP+B3oF+o8pWXmoglXi7w1w4yBnZ0h6vZR N7p/Iy+njfBLdkkOoKScKDYs2UtuwaPFmiUZd2V0eE4nyLdftPSgaUTimEpZXcy2BUZ3 H2Kmih/u9JynhDeWFp7uQJOrMp0LTJepevvdj+vSQ1vTr2kl5+7K5Le39FGYFF6fBpqq 59Rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Kel7psWSughe3FkztcjGMdT7wdepbZVjuG/orXcUI74=; b=d2lUFYnKjWDHds+Y5ZxoGtr+CBmy4O583f+QawGVpVl4BQrrayIiGKCLNmxs27H9EJ voKmEK0mPmRcfYfYkZweYw6ZjF0PjMcuUI5YZoCjsK4jXtmX/kT0+BxkjzKr+MLcfQSo 3ufG+2LDsrNXrU8an0KNOvWN3dbwT0w/1CWqUvGc8404sUEa5ooCjgTirdzepGfXe6kW ilf8y8MUsL46MFkhNl0YYwyk9LQQXVHx/2Q97hjWrHqEVGOdQyJkhJyCNrjFLhvV69Cg i5krfqaii7T2CQPlUe8uZ2NgjiCPsZt0oWENXjsm74Wbc044w61YEFWUqM98HGtwqf4F Q7zA==
X-Gm-Message-State: AOAM533JXiAusgnjB7cDObj9nV75gG4vrALEpYx44/QTW4asmPrLUYbv MyI32xwoORJjuJAg1pLAYIchEqZ+hiUu9HnfmukrXHAtNJ4=
X-Google-Smtp-Source: ABdhPJzrbaswIYqT+yExdzSMRM0W0YVBm7Mygybkkb6ynsadD/NMJnh3nP/os9M8i1Bzxn0EQ5VLLxIyKlt/wTZiDsE=
X-Received: by 2002:a19:5f12:0:b0:44a:3274:9b96 with SMTP id t18-20020a195f12000000b0044a32749b96mr2421255lfb.251.1647885874832; Mon, 21 Mar 2022 11:04:34 -0700 (PDT)
MIME-Version: 1.0
References: <95B75634-B147-4756-A950-C6B139CF3ADD@ericsson.com> <9DF382AC-12A8-47A5-AAE7-2B0D75EAA669@island-resort.com> <EDFDB6E4-2BDE-4E2E-9CF0-D771E2DEF3C6@ericsson.com> <823C00C2-4F6C-4DF5-99B0-87D8524D4A9C@island-resort.com> <C059B669-4C5D-4980-A665-96A39F4457C3@island-resort.com> <AM4PR0701MB21958541C07CEA44DB1B1578F4169@AM4PR0701MB2195.eurprd07.prod.outlook.com> <CAN8C-_+3sWckZKo7KS2fsPU4pBHo+NNGgQpxg7p8LytFX01eEw@mail.gmail.com> <AM4PR0701MB2195D76D8CFCC873C1D05A04F4169@AM4PR0701MB2195.eurprd07.prod.outlook.com> <CAN8C-_K4EfFSar9H_QR+cV_pz+xhXtWA=pKK+rFv241E5DQofQ@mail.gmail.com> <DC1C335A-629D-4E4F-97BD-B4CA3519EDC6@island-resort.com>
In-Reply-To: <DC1C335A-629D-4E4F-97BD-B4CA3519EDC6@island-resort.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 21 Mar 2022 13:04:23 -0500
Message-ID: <CAN8C-_Ks26cf38Y3c1htzhYV4zpos=2fUnCxDaxjtrJbVVytkA@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: Göran Selander <goran.selander@ericsson.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000334c8b05dabe5437"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/5uxSQ4yxi5KBagIFoZetrRGV9kQ>
Subject: Re: [COSE] Key identifier of type bstr / int
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 18:04:44 -0000

Thank you, much clearer.

My current position is that I am unconvinced that it's needed, or a good
idea :) ... any links or summary for why a new key identifier is needed
would be helpful.

However, of the names suggested I am mostly a fan of "intkid".

OS

On Mon, Mar 21, 2022 at 1:01 PM Laurence Lundblade <lgl@island-resort.com>
wrote:

> Let me try to be more clear.
>
> The COSE standard now is:
>
>    kid => bstr
>
> If we make this change:
>
>    kid => int / bstr
>
> then we break backwards compatibility for COSE as Mike pointed out today.
> So we need a separate parameter called kid2, ckid, intkid or such.
>
> To not break backwards compatibility we need:
>
>    intkid = int
>
> or:
>
>    intkid = int / bstr
>
> (I don’t remember why an int kid was needed, but do remember I was
> convinced that it was)
>
> LL
>
>
> On Mar 21, 2022, at 6:43 PM, Orie Steele <orie@transmute.industries>
> wrote:
>
> I think I may have misread your proposal.
>
> Why do we need `kid2` is this just so that we can have an integer `kid` ?
>
> Seems not worth it to me, since `kid` is already legal in CBOR, my
> proposal of `ckid` makes no sense.
>
> So I am basically just saying I dislike seeing `kid2` and don't understand
> what its value prop is.
>
> OS
>
>
>
>
>
> On Mon, Mar 21, 2022 at 12:16 PM Göran Selander <
> goran.selander@ericsson.com> wrote:
>
>> Hi Orie,
>>
>>
>>
>> Thanks for input. I didn't get the proposal though:
>>
>>
>>
>> > If we really need an integer version of `kid` I would suggest
>> following the `jti / cti` convention and calling it `ckid`... keeping it
>> optional (as is the convention), and ensuring it is not part of thumbprint
>> computations.
>>
>>
>>
>> RFC 7517/7519: kid and jti value are case-sensitive strings
>>
>>
>>
>> RFC 8152/8392: kid and cti value are CBOR bstr
>>
>>
>>
>> Is there any difference between a `ckid` which is CBOR int or a `kid2`
>> which is a CBOR int (besides the name)?
>>
>>
>>
>> Thanks
>>
>> Göran
>>
>>
>>
>>
>>
>> *From: *Orie Steele <orie@transmute.industries>
>> *Date: *Monday, 21 March 2022 at 14:55
>> *To: *Göran Selander <goran.selander@ericsson.com>
>> *Cc: *Laurence Lundblade <lgl@island-resort.com>, cose@ietf.org <
>> cose@ietf.org>
>> *Subject: *Re: [COSE] Key identifier of type bstr / int
>>
>> I am a -1 to changing `kid`, it should remain a string, for compatibility
>> with existing key identifier systems.
>>
>> Including ones that support
>> https://datatracker.ietf.org/doc/html/rfc7638#section-1
>>
>> See the original definition:
>> https://datatracker.ietf.org/doc/html/rfc7517#section-4.5
>>
>> > The "kid" value is a case-sensitive string.
>>
>> Many implementations have built hard dependencies on RFC7515.
>>
>> One of the nicest things about JOSE / COSE is being able to "upgrade"
>> from JOSE to COSE.
>>
>> Having a significant difference between `kid` in JOSE and COSE would be
>> harmful.
>>
>> If we really need an integer version of `kid` I would suggest following
>> the `jti / cti` convention and calling it `ckid`... keeping it optional (as
>> is the convention), and ensuring it is not part of thumbprint computations.
>>
>> Regards,
>>
>> OS
>>
>>
>>
>>
>> On Mon, Mar 21, 2022 at 8:35 AM Göran Selander <goran.selander=
>> 40ericsson.com@dmarc.ietf.org> wrote:
>>
>> Hi Laurence,
>>
>>
>>
>> Thanks for copying in the old thread. As noted, you and others preferred
>> `kid` as bstr / int rather than `kid2` as int when we discussed it last
>> time. Would be good to come out with a more solid motivation this time so
>> we can converge on this  :-)
>>
>>
>>
>> With `kid2` as int, the fields that uses both bstr and int would be of
>> type  `kid` / `kid2` which is fine.
>>
>>
>>
>> There is an algorithm for translation from CBOR bstr / int to byte
>> strings on the wire (back and forth) in draft-ietf-core-oscore-edhoc.
>>
>>
>>
>> Göran
>>
>>
>>
>>
>>
>> *From: *COSE <cose-bounces@ietf.org> on behalf of Laurence Lundblade <
>> lgl@island-resort.com>
>> *Date: *Monday, 21 March 2022 at 14:14
>> *To: *Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
>> *Cc: *cose@ietf.org <cose@ietf.org>
>> *Subject: *Re: [COSE] Key identifier of type bstr / int
>>
>> Thinking about Mike’s comment today in COSE/Vienna about backwards
>> compatibility. Looked at my code around this. That definitely seems like an
>> issue.
>>
>>
>>
>> What about defining “kid2” as just int? “kid” stays as bstr only. Then
>> there’s no backwards compatibility break. Adding support for another
>> integer parameter isn’t difficult. The downside is a little extra code to
>> look at two different parameters.
>>
>>
>>
>> You’d probably want to say that only one of the two kids MUST be present.
>>
>>
>>
>> Another random idea — could you say that it is allowed to translate an
>> integer kid to a bstr kid by assuming network byte order and stripping
>> leading zeros?
>>
>>
>>
>> LL
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Aug 13, 2021, at 3:01 AM, Laurence Lundblade <lgl@island-resort.com>
>> wrote:
>>
>>
>>
>> Understood about the use case. Thx for the background.
>>
>>
>>
>> On Aug 10, 2021, at 3:13 AM, Göran Selander <
>> goran.selander=40ericsson.com@dmarc.ietf.org> wrote:
>>
>>
>>
>> Assume that we do want to allow key identifiers to be CBOR ints in
>> certain settings,  what is the best (least intrusive) way to allow this
>> while still maintain compatibility with 'kid's supporting the type bstr?
>> Another alternative to what has been listed below is to define 'kid2' to
>> only be of type int - is that a better option?
>>
>>
>>
>> I didn’t write actual code to check, but they about the same to me.
>>
>>
>>
>> ‘kid' as int/bstr seems less confusing to me than ‘kid2’. It tells you it
>> does exactly the same thing whether it is an int or a bstr.
>>
>>
>>
>> So my pick is ‘kid’, but ‘kid2’ is OK too.
>>
>>
>>
>> LL
>>
>>
>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>>
>>
>>
>> --
>>
>> *ORIE STEELE*
>>
>> Chief Technical Officer
>>
>> www.transmute.industries
>> <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-a7ff2eb208872658&q=1&e=94b1f6ec-570c-49db-b72f-d15cfe926d93&u=http%3A%2F%2Fwww.transmute.industries%2F>
>>
>>
>>
>>
>> <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c169100f194b3f01&q=1&e=94b1f6ec-570c-49db-b72f-d15cfe926d93&u=https%3A%2F%2Fwww.transmute.industries%2F>
>>
>
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries/>
>
>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

v2.23.0 | Report a Bug | By Email