Re: [COSE] [Ace] draft-raza-ace-cbor-certificates-04.txt
Laurence Lundblade <lgl@island-resort.com> Mon, 27 April 2020 18:12 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 767853A13F5 for <cose@ietfa.amsl.com>; Mon, 27 Apr 2020 11:12:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZy7IQo_uxJh for <cose@ietfa.amsl.com>; Mon, 27 Apr 2020 11:12:44 -0700 (PDT)
Received: from p3plsmtpa06-04.prod.phx3.secureserver.net (p3plsmtpa06-04.prod.phx3.secureserver.net [173.201.192.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972EC3A13F9 for <cose@ietf.org>; Mon, 27 Apr 2020 11:12:44 -0700 (PDT)
Received: from [192.168.1.78] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id T8FGjWHD9yxohT8FGjkPdK; Mon, 27 Apr 2020 11:12:43 -0700
X-CMAE-Analysis: v=2.3 cv=D4M51cZj c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=48vgC7mUAAAA:8 a=NeJZvmmVAAAA:20 a=8aHrabQ16hnPy60Vl7wA:9 a=WLYB0anuR71vkHwG:21 a=oUvknMVYQ17N8dzp:21 a=QEXdDO2ut3YA:10 a=1FQnyevworvUIDAmB10A:9 a=deDHt174sL9GY5xG:21 a=_0pdXMZ77TLyqXQk:21 a=VIMNpRtCtqaqwis5:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <AE7B76F5-12A0-4F65-BD6E-B0428B2AFA40@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_46B091B9-CE71-4B27-A9DF-B8F1F6999C6E"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 27 Apr 2020 11:12:42 -0700
In-Reply-To: <964634A4-7B61-4CEF-8ED0-6A9A48D984CD@ericsson.com>
Cc: Joel Höglund <joel.hoglund@gmail.com>, "ace@ietf.org" <ace@ietf.org>, "cose@ietf.org" <cose@ietf.org>
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
References: <CAHszGE+s0gBKNmDky4NZLP3SO-BqosQ2FvA7HeZprv3jWFFL7g@mail.gmail.com> <CAHszGEJ94aF9XA_4q-DnKzUNAtJo059zXMFcunOv8f-SG2hyvw@mail.gmail.com> <8B4A9572-3770-416E-B937-1902AFC07DA7@island-resort.com> <964634A4-7B61-4CEF-8ED0-6A9A48D984CD@ericsson.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfHCpfS+EpDtJSHNJoUwByozzHqeotVuK0xvXw4KOY9q/a02blW6O12SdXH0UAtuQ+dq64LQ1h0H1rnJ2fqZzRbCKpf63xx5t2rs9CallysKb7Vx63sFA ILOsKDy4VcRsGouFlQamHi8jYF2LI0l+w2z7KBPasdxDxT5A8pu5O5KsRLWwWaBG8DK/mTLlx4XeYIc7/MJFWKH8P8r4S6t7RFJQJFmRS4+htDzJhCjDLQLH A5cq2G5NkHs0X958CnBlU4TeeVapYqGSRqsryON0Ru+uUVwn6YXo6SOMY+vnVAQP
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/9bLj6h2yHZfQiihIJQOMsezEk_s>
Subject: Re: [COSE] [Ace] draft-raza-ace-cbor-certificates-04.txt
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 18:12:49 -0000
> On Apr 27, 2020, at 5:00 AM, Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org> wrote: > > [GS] The rationale for native CBOR certificates is to reuse the same encoding as in the compression scheme defined for RFC 7925, but signing the CBOR instead of signing the uncompressed data. This provides a roadmap with minimal changes when moving from compressed to native CBOR certificates. > > I agree with you that the overhead of COSE_Sign1 or CWT is not major and these points are open for discussion. The more important question is where this should be standardized. The compression scheme is now included in the new draft charter for COSE: > https://github.com/cose-wg/Charter/blob/master/Charter.md <https://github.com/cose-wg/Charter/blob/master/Charter.md> > The charter is currently not explicitly supporting native CBOR certificates. If you think it should, in some variant, then this is a good time to raise your voice. To go straight to the issue, I think a designing a native CBOR cert should be approached differently than compressing / re-encoding an X.509 cert: Re-encoding - Size is important - Exact compatibility is required - Near zero change to fields and semantics Native CBOR Cert - Clean up some of the mess in X.509; it is an old standard with a lot of cruft and baggage - Re design extensions so they are in CBOR format - Make many of the fields optional, for example not before can often be left off, maybe even serial number - Avoid DN structure for issuer and subject for most use cases - Use modern formats like COSE and CWT and COSE_Key - Size is important, but far from the only goal (some size reductions, like optional fields will be possible here that are not possible with re-encoding) - Compatibility matters, but not in the same way Seems like the right thing to do here is to remove native CBOR certs from this document and just focus on compression and re-encoding. Maybe even call them “Compressed Certs” rather than “CBOR Certs”. Where that work should go is above my pay grade. BUT, my main interest here relates to CWT and EAT. CWT seems like a really good choice on which to base a native CBOR cert. Some of the fields for an X.509 cert are already defined in CWT (subject, issuer, expiration, not-before). It has an extension mechanism built in already in the CWT IANA registry. The crypto and signing are well-handled by CWT’s use of COSE. In work to fit EAT <https://tools.ietf.org/html/draft-ietf-rats-eat-03> in as a CWT, a few issues have come up — how fields / claims are managed and registered with IANA, label spaces and other. All these issues would apply to CWT/COSE/CBOR-based certificate as well. To name just one issue, in CWT the expiration date/time can be a floating-point number, which is burdensome, not useful. Should we change CWT to disallow or should it just be disallowed when a CWT is used as an EAT and when it is used as a Cert? I’m also excited at the idea of re using CWT in a simple form so there is re use of code between CWT, EAT and native CBOR certs. I’ve started playing with an implementation like this. LL
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Joel Höglund
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Laurence Lundblade
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Göran Selander
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Laurence Lundblade
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Göran Selander
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Laurence Lundblade
- Re: [COSE] [Ace] draft-raza-ace-cbor-certificates… Göran Selander