IETF Logo Mail Archive

Re: [COSE] 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers

Michael Jones <michael_b_jones@hotmail.com> Thu, 29 June 2023 20:09 UTC

Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31AD5C14CE31; Thu, 29 Jun 2023 13:09:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.223
X-Spam-Level:
X-Spam-Status: No, score=-6.223 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tX7Ga6Aoko0C; Thu, 29 Jun 2023 13:09:20 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10olkn2021.outbound.protection.outlook.com [40.92.42.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D41B8C151097; Thu, 29 Jun 2023 13:09:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Uo9+hPVJRtwtYa1mndAtMz8VYeR8EUQPdy3ndJskOg94r+YNfhozPCxKu5Yq9Uo7pEw0/LDqRRza/J3l+lkmFSe3IydiT8XV495gaIa82dqsXW/rpWVWbN82eIMrzVPO21yVLxA+HaPXlrrD9jlU3yApAr54F8/Dr8ARdHqeqj72fdEloOhmZhxVW6TXrvh8qMm6cR1bq8k0hzrQ7w4nfs5bDW7b1PHn2lVfcSzyxW6odZbly4PBG/Bnhf9yAuTeCj6hZBx/RNwLeXo8os6Cg5R3hE9sY6oobkkumA3QiChXrcZN3Ih6ea43QGzxqW5FwItL71H3CpGg3IIufGqlhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=RAiQnUzxRWWFF8b2R+6VmNy8Dv3PDJqvzBcDxG6BFiM=; b=TQt9s3RigKOFAO5erYIotbQ8hHGKOswVBb9QYz9OE5P6C/oBG/NDLItbnDCjPX2b03Da7fn7CYSOpvuGQzJuhfZK9YnPCFr0cbf/2D1QXY+bsjj6MlpyIjO/23jN0pGiV0wbxWemqXPrhR3rt4uiqV/vTqgYiLhPGh9qxSPyeZ8oJdqiXO5ETBZtVniBHd/DOkVauywfe6HFzHkkEkW1KHsQOhiPeWGqQRFgYkqEo5/PbW82S0/YCyG7uGZE6QBHIKII+bWOuaECaqyVTjVKz6CmtknjejGY4Ob3tzWwpDy4MP+af9Y19xz+5C1ej8GMTc0cpuv/RBPFrgFVfRYhzQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RAiQnUzxRWWFF8b2R+6VmNy8Dv3PDJqvzBcDxG6BFiM=; b=Wop+N0j88+TXraOmAM60O4Z6tbTiWLOuMeQ2sL84LcnWkzop8ESFTLWxQVUvoJq0frgj3y5JzlgfeW8rggriguFtMulypLmXc25tEiDR3wjVtH+3Wr8d9EDwZ0XltQVLl6ajBBq0mArVa4EgSbM2TzI3OfMtliWTcnYe8I52eYCa/QVfvctytVXx22iW8pbE3fQT2v67BF/o62g54LW3PDwFmySSmfog05UDJMb4m5u8WD17geIWGOWKGovdtyDIoKCOxq96dXzg0w+v042d0krzwLIue1Csm+DZpZI95InmcL+wxXTjPXASUqIFqyz88bIRJAlEmtaovkmtDnGgEQ==
Received: from MW4PR02MB7428.namprd02.prod.outlook.com (2603:10b6:303:71::5) by MW4PR02MB7460.namprd02.prod.outlook.com (2603:10b6:303:70::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6565.8; Thu, 29 Jun 2023 20:09:19 +0000
Received: from MW4PR02MB7428.namprd02.prod.outlook.com ([fe80::e7bf:b257:d77f:97e9]) by MW4PR02MB7428.namprd02.prod.outlook.com ([fe80::e7bf:b257:d77f:97e9%2]) with mapi id 15.20.6544.010; Thu, 29 Jun 2023 20:09:19 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: Orie Steele <orie@transmute.industries>
CC: AJITOMI Daisuke <ajitomi@gmail.com>, Cose Chairs Wg <cose-chairs@ietf.org>, cose <cose@ietf.org>, Mike Prorock <mprorock@mesur.io>, Ivaylo Petrov <ivaylo@ackl.io>, Tobias Looker <tobias.looker@mattr.global>
Thread-Topic: [COSE] 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers
Thread-Index: AQHZeUYtPEVdRCxDbkyq0sv9sOEXkK8/rIEAgAANw4CAAAk0gIAH3LQAgEsq/XCAAXELAIAJdsEAgAALZACABM7aAA==
Date: Thu, 29 Jun 2023 20:09:18 +0000
Message-ID: <MW4PR02MB7428BCED9EDC60ECD2224728B725A@MW4PR02MB7428.namprd02.prod.outlook.com>
References: <CAJFkdRw075tYGVT1mghOwzwKFRahBRz0q2rrhjPO2ATziofxPg@mail.gmail.com> <MW4PR02MB7428D03014EC6251E5B90935B76A9@MW4PR02MB7428.namprd02.prod.outlook.com> <CAGJKSNToC+waFM-wigAf2k3KP-L-48U9X_jhWejbTVFgeoouNQ@mail.gmail.com> <CAN8C-_LGdDd=prtytMo5Qe21g+ZWgD3bdiMjrxJg=_vtsZ96Bg@mail.gmail.com> <CAFWvErXXGOY-79zsg34z0t3nsmSJgwnby1ECoKNHb3S7Z4B0Rw@mail.gmail.com> <MW4PR02MB74280F6390B849A12313F775B75FA@MW4PR02MB7428.namprd02.prod.outlook.com> <CAN8C-_KG6BFnxpJr5rH0-6i5aeZJnMUi5mCy=gLh8hLiJP1Bfg@mail.gmail.com> <MW4PR02MB7428358E1AE80E43882F9FAEB726A@MW4PR02MB7428.namprd02.prod.outlook.com> <CAN8C-_KJ2Oahz6OAYiwmxZw9_YjaKGSABqidmeQbR7fbLTuJiw@mail.gmail.com>
In-Reply-To: <CAN8C-_KJ2Oahz6OAYiwmxZw9_YjaKGSABqidmeQbR7fbLTuJiw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tmn: [9lNv/Nr5xXLCkuSm85TgXgZXGt1DS3XtihozzewZSVmiKEyItyjiKoHuOhS9S4ZOFe5Pe2surOM=]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MW4PR02MB7428:EE_|MW4PR02MB7460:EE_
x-ms-office365-filtering-correlation-id: 556eee10-52f0-4d96-a3c8-08db78dcb8bb
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5YionNyZCbhfQjGtmkKuJodSKXB3UNbXMNNbCE4DINHGPf7QYokjVL5FJO/zIzUCR/G7xa5hMmRzwdZw38n6S41lTRgP8NIGllW9zic78a8j5mC0lEGk+ebpaaVuhJ1X9cxFPip7odEpP5tzd1ZxYy3y8FmzeQ7tTPLjpDeNoMh7UIXRJEKLeVk8qYLJj0nlJOEf8tHgsd7racTIB0xV/slCtTASv558pRvjSLuBblq8DIsbnXoLaAg9BTEa6ck8/H0j6y98FTxsofFqmyIic4Z1rdEvegsJPuEdyTTdr+c253ZRS4npLvW7JG7OaJvnh/ikQDQWmLxzfoEygkOFCwzadUaMpjf+CkOlw54ynSsNjhDFc5hr1mRquvkb6hHCSYCSG9rcpRQbRx+HLYkWrgosJepvxhlC9BnNDycl/A7ZtLEIMx5NJvsBAQKMlvtRoXY/iJCDql9X4z5vbfBMMkS9JZrZ57O+qvs0aEjwhtypouWn7aGE0ivnxfcbuIPkuCAE4c1349QSH1nUBJvf+zsy3dFpWuRQq6so9I1mFNS0AiL/I3/7z4L5lY1GCM7k1VlK6Np3OpsBI+uez5CD4jusPqlrLkcXeOFBFjWAMm7gznyBbtmwP/UAU3g+fw7jFtHeeVptzGlrJhh92vUk3+IUcs1bbL6U73aQjMzpbgBnOkAQP4/dbulaZTXe9ioZ
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: LVv+T1+UFZykdT+HBDVY8qhyrOFpa5OYfzRZwl3GmwjMC6/QYjmmrgW/iiXShLZEF/9e8QiXgy7MuNSDP98u3JRSZdF34suQ2wESvvy9XppdQ9lZ2D3Vx1AbeMlAtVw3LrH7H9D1QLVux7SHrFU5G8G6KMI09gqlvA0Qdte7kuycfla2T51/CNiCmz5HWQxngvPraovitqC5MtRc8CMvDCOIGD2MpBfCTC1JCA3Tnb8E1no9DMi03/Wz35lN3+cSldis8HTK/uH6cP5Gir252Sw0l1oSNhaU/CMBS3KMWJy8JC1t+tDetmZ96dH9WE3u+rzHJBWSmvHgRBgIDZUTinvpJL9fdIzvCrNpEBxcI4OIn48uRxXcdTivv9+NhaElihLv5h39WKts7A3JNIPdxvW7EN2naNqzLn6p4B8IVKNFrAjkmpMAPXXpwXcd5cGuDo1fEk3yg+RRoEovY2YrngiiJcl2FiSjF3x9/1gT2bpLB+mZaayfsSd/XWbqXOxYk8VTk3Wdf8uDCDEKbMBICc/2z1KS87sBkONsoOYnEozEG/Ozi0OU8IeVSCw4jOHWqF7kP/JbezbDcSWgPsxqA3bCE1gxaGlfkJ1MTozUgTboTwzkufYu23b28vnbzmIaTlFR/l+otqitrPVZJgP80ZlhtCParK4XpX4MCJ0c5aGXVfDf7x1GQ15q4L2uQHpVLLJPx/377chiePDmDn9QwPAAxGo6V6J+d59uEBW5AkDpnN/7mKPBUlLeS2G9swxsdDBuGG+5gwU9tOczjgMlaYcDdQULqIpJX+hgQkNrgTPUL6RD1VriI65MjhaYonEy8wRI2NIbxxBR47nC8VL0SB58oH/Dl+VMWLEAEN1243Ag43/m936W5B5pnomHhIFVwvKY0/FPkXJF8amTP/HPKP41k5stLyj/rN4L3o6Y0zBCG/oj2abZAXPAkW2UDtHjcqNbGFuBvxsTMnpJ8/92P/1SFSaPPkPyF1oYdmtJZEBl+XKebSzycjO/xmzrpeXLU5X+Ei3guuMBk3BuRmAhR2c8O/Frw3Zg0amYYHyaqxOms3NZlPxAbmjRLnd4j3mSZAvxqCM/6x/PVpUXiCE9zXtZKrO3I20NeZ1RDiWnFo/O0hodUGvigVvQuBItmoHWxo/RgLwY9y1MX/50k1FWEp1uOm/j/VRzGGgJ/JF9TcYG/b1I5t+XpemnVJvzVzgWkB8uaLjPkviK8ugHTcA9rLCrYKr+EXpPl2g7nEctmvRWUS9fEzheiQSh/7YC+053dlBBNob7FnbEmanXqD4anvD9XUdNugU1pbCxFYFi8ak=
Content-Type: multipart/alternative; boundary="_000_MW4PR02MB7428BCED9EDC60ECD2224728B725AMW4PR02MB7428namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-99c3d.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR02MB7428.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 556eee10-52f0-4d96-a3c8-08db78dcb8bb
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jun 2023 20:09:19.0330 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR02MB7460
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/AnAmL_KEYRmUrmd0zvSfKQS0OYQ>
Subject: Re: [COSE] 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 20:09:26 -0000

Thanks, Orie.  Replies inline in green.

From: Orie Steele <orie@transmute.industries>
Sent: Monday, June 26, 2023 11:03 AM
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: AJITOMI Daisuke <ajitomi@gmail.com>; Cose Chairs Wg <cose-chairs@ietf.org>; cose <cose@ietf.org>; Mike Prorock <mprorock@mesur.io>; Ivaylo Petrov <ivaylo@ackl.io>; Tobias Looker <tobias.looker@mattr.global>
Subject: Re: [COSE] 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers

Inline:

On Mon, Jun 26, 2023 at 12:36 PM Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>> wrote:
1.  Answering your first question, yes, the equivalent CWT header would be { alg, kid, cwt-claims (TBD): { iss, cnf, exp, sub } }.

Awesome... One comment is that this could make "key discovery" slightly more complicated, and also in general `iss` will NEVER be allowed as a top level COSE Header, which will impact key discovery for SCITT, KT or other systems that might have wished to mirror JWT 1:1...

Concretely, a verifier / RP might need to pull `iss` from TBD, and then find the corresponding `kid`.

Yes, a verifier/RP could pull “iss” from the new claims-in-headers header parameter and use it as part of its matching logic (some of which could also utilize other header parameter values).

Or the verifier might choose to ignore `iss` completely, and just rely on `kid`.


2.  Is it possible to promote "reserved claim names" across serializations?
Applications could choose to do this if they have a reason to do so.  This proposed standard doesn’t say anything about JSON.  It’s intentionally very focused in its scope.

Interesting, see my comment below:

3.  Is it possible to secure "application/json" using CWTs that have this new header parameter?
Strictly speaking, CWTs always have a CBOR claims set as their body.

This is the same as saying you can't promote cross serialization, IMO.... it also precludes calling certain "COSE Sign1" examples "CWTs"...
I can imagine that impacting how a lot of other documents might or might not use `iss`, or `cnf`.

It’s fine to secure a JSON payload with COSE_Sign or COSE_Sign1.  Just like it’s fine to secure a CBOR payload with JWS.  Neither of those are conforming JWTs or CWTs, nor do they need to be.

But being positive about your points, going further, it’s fine for the JSON payload secured with COSE to use registered JWT claims; it’s likewise fine for the CBOR payload secured with JWS to use registered CWT claims.  There may be application reasons to do either or both, which is fine.

They could also choose to use this new header parameter to include some CBOR claims in the headers.


We have several use cases related to this at SCITT, but we specifically don't use CWT because of the ambiguity regarding content type.

So SCITT wants to secure non-CBOR payloads with COSE_Sign?  That’s fine and I have no problem with that not being called a CWT.  That said, if SCITT is securing sets of CBOR claims with COSE_Sign, using CWT for that would be appropriate.

Again, applications could choose to mix COSE and JSON, but that would no longer be a CWT.

Right, so the `content_type` header parameter should never be used with a CWT, since it's assumed to always be CBOR.

So for example you might never see a CWT header that looks like this:

{ alg, kid, content_type: application/spdx+json, cwt-claims (TBD): { iss, cnf, exp, sub } }

That’s a perfectly legal COSE_Sign header.

As a consequence CWT is not suitable for general purpose signatures over arbitrary content types,
and COSE Sign1 with cwt-claims (TBD): { iss, cnf, exp, sub } }, could still be a solution even though the payload is technically not a CWT.

It’s COSE_Sign and JWS that are suitable for signatures over arbitrary content types.  If that’s what SCITT is doing, I’d describe it that way.

Of course, if JWS is used to sign a JSON Claims set, the result is a JWT; and if COSE_Sign is used to sign a CBOR Claims Set, the result is a CWT.

I think that is confusing enough to add some explicit text, warning against it or at least commenting on it.

I’m not sure what specifically you find confusing about the current draft or what you’d like us to warn or comment about.  For instance, nothing about securing JSON is in scope for CWT or this draft, but that’s not what either of them are about.  Warning about not being able to do something that’s not in scope could more confuse than help people.  But I may be entirely missing your point.

What specific warning text would you like to be inserted where into the draft?  (Or maybe you’re talking about your suggestions below.)

Does that help?

Yes, I think you should clarify the following:

1. cwt-claims (TBD) MAY be present in the protected header, even when `content_type` is present and the payload is NOT CBOR.

We can say that.  In particular, we can include a clear statement that the CWT-claims-in-headers header parameter can be used for arbitrary COSE objects, whether the payload being secured is a CBOR CWT Claims Set or not.  Is that the main point you’re trying to get at?

2. typ AFAIK it's not reserved at the top level, so there is no way to subtype a CWT following the same best practices as the JWT BCP: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp-07#section-3.11

I agree that that’s a problem that should be fixed, but in a different spec.  If no one else is actively doing, it, I willing to write that spec and present it at IETF next month.  It will be very short.  And it will cite wanting to do the equivalent of JWT BCP explicit typing for CWTs as one of the motivations.  Of course, it would be generally useful, just like the JWS “typ” parameter is.

2 seems related to 1 in that we are not really sure how to distinguish "types" of CWT and "types" of CWT payload.

Agreed

It seems fine to request a registration for `typ` in another document, but if it would be possible to address it at the same time as clarifying `content_type` that does seem desirable.

Especially given we already have requests to register +cwt as a structured suffix: https://www.ietf.org/archive/id/draft-ietf-rats-eat-media-type-02.html#section-6.1

While this is off-topic for this draft, I’m curious, how’s the +cwt registration progressing?  Any estimate of when the registration might occur?

Today, there would be no way to use this structured suffix, in a CWT similar to how other structured suffixes are used for JWT:

typ: application/secevent+jwt
typ: application/secevent+cwt

This will likely cause wrinkles for anyone trying to upgrade from a BCP following JWT based implementation to a CWT one that attempts to align with the JWT BCP.

Agreed.  These are gaps we should address, as described above.

OS
                                                       Thanks again,
                                                       -- Mike

                                                       -- Mike

From: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Sent: Tuesday, June 20, 2023 9:51 AM
To: Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>>
Cc: AJITOMI Daisuke <ajitomi@gmail.com<mailto:ajitomi@gmail.com>>; Cose Chairs Wg <cose-chairs@ietf.org<mailto:cose-chairs@ietf.org>>; cose <cose@ietf.org<mailto:cose@ietf.org>>; Mike Prorock <mprorock@mesur.io<mailto:mprorock@mesur.io>>; Ivaylo Petrov <ivaylo@ackl.io<mailto:ivaylo@ackl.io>>; Tobias Looker <tobias.looker@mattr.global<mailto:tobias.looker@mattr.global>>
Subject: Re: [COSE] 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers

I want to confirm my understanding of this paragraph:

> Directly including CWT claim values as COSE header parameter values would not work, since there are conflicts between the numeric header parameter assignments and the numeric CWT claim assignments. Instead, this specification defines a single header parameter registered in the IANA "COSE Header Parameters" registry that creates a location to store CWT claims in a COSE header parameter.

So for example, in a JWT header looks like this:

{ iss, kid, alg, cnf, iat, exp, sub }

The equivalent CWT header would look like this:

{ alg, kid, cwt-claims (TBD): { iss, cnf, exp, sub } }

This would impact key discovery for the issuer of the token, since they would need to review both top level header parameters such as "alg" and "kid' which are already registered.

As well as CWT claims, such as "iss"...

Another related question... is the value for the "claimset" of a CWT, to be any content type? or MUST a CWT only secure CBOR content?

For example, consider the hypothetical CWT:

COSESign1 // Tag 18 [
protected header: { alg, kid, content_type: application/json, cwt-claims: { iss, sub, cnf, iat, exp, nbf } }
unprotected header: { counter signature }
claimset / payload: { iss, sub, cnf} (as JSON)
signature
]

In other words:

Is it possible to promote "reserved claim names" across serializations?

Is it possible to secure "application/json" using CWTs that have this new header parameter?

Regards,

OS

On Mon, Jun 19, 2023 at 1:55 PM Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>> wrote:
Thanks for the review, Daisuke!  Responses are inline below in green.

From: AJITOMI Daisuke <ajitomi@gmail.com<mailto:ajitomi@gmail.com>>
Sent: Tuesday, May 2, 2023 3:57 PM
To: Cose Chairs Wg <cose-chairs@ietf.org<mailto:cose-chairs@ietf.org>>; cose <cose@ietf.org<mailto:cose@ietf.org>>
Cc: Mike Prorock <mprorock@mesur.io<mailto:mprorock@mesur.io>>; Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>>; Ivaylo Petrov <ivaylo@ackl.io<mailto:ivaylo@ackl.io>>; Tobias Looker <tobias.looker@mattr.global<mailto:tobias.looker@mattr.global>>; Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Subject: Re: [COSE] 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers

Hi authors,

I read the draft for the first time today. I think it's basically fine, but there are some points I'm concerned about, so I'd like to make some comments from an imprementor's perspective.

1) I think it would be better to limit the COSE structures that can have the CWT claims parameter.

Specifically, I think the use of the CWT claims parameter should be limited only for COSE_{Encrypt0, Encrypt} and the COSE structures without payloads (COSE structures with detached contents). I'm not sure whether it should be MUST, SHOULD or RECOMMENDED though. In JOSE as well, I believe the JWT claims were only partially usable (only "iss", "sub", "aud") in JWE.
In JWT, any claim can be duplicated to a header parameter.  This is described in https://www.rfc-editor.org/rfc/rfc7519.html#section-5.3.  There was no restriction on use in structures without payloads, etc.  It’s a design goal of CWT to be as parallel to JWT as possible.  Therefore, I don’t think it makes sense to impose restrictions on CWTs that were not made in JWTs.

2) Similarly, I believe that there is no need to enable the use of the CWT claims parameter in COSE_Recipient or COSE_Signature, as it doesn't seem meaningful.

If my understanding is correct, it might be helpful to mention this somewhere in the document.
Successful specifications are used in ways that the authors never envisioned, provided they are written to enable general applicability.  For instance, I never imagined JWTs would be used to secure Caller-ID, but that very thing has happened in the STIR working group, in specs such as RFC 8224.  The same is already true of CWTs.  Therefore, I’m very reluctant to limit the applicability of the CWT claims-in-headers feature because, as a general-purpose feature, we are unlikely to be able to guess the productive ways that it will be used.

3) I think it would be better to limit the use of the CWT claims parameter only to the protected header.

I believe there is no need to leave room for using it in the unprotected header, as it would increase security concerns.

I’m fine suggesting that use in the protected headers is preferred in the Security Considerations.  But as above, it seems unwise to impose arbitrary restrictions on the applicability of the feature.

4) I think the following sentence in Security Considerations might be better written in the main body of this specification. Is there any reason not to write it in Chapter 2?

"In cases where CWT claims are both present in the payload and the header, an application receiving such a structure MUST verify that their values are identical, unless the application defines other specific processing rules for these claims."
I’m fine with promoting this sentence to the main body of the specification.

If there are any off-the-mark comments due to my lack of understanding of the context, I apologize in advance.
Not at all.  I appreciate you taking the time to review the specification and make concrete suggestions.  The “understanding the context” point is right on.  Some of my responses above essentially say that we don’t have a crystal ball to gaze into to know the contexts in which the CWT feature will be used in advance.

Best regards,
AJITOMI Daisuke

                                                       Best wishes,
                                                       -- Mike

2023年4月28日(金) 7:53 Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>:
I support publication.

On Thu, Apr 27, 2023, 5:20 PM Mike Prorock <mprorock@mesur.io<mailto:mprorock@mesur.io>> wrote:
I believe that this is ready to go as well.
Mike Prorock
mesur.io<http://mesur.io/>

On Thu, Apr 27, 2023, 15:31 Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>> wrote:
I believe that this specification is ready for publication.

                                                       -- Mike

From: Ivaylo Petrov <ivaylo@ackl.io<mailto:ivaylo@ackl.io>>
Sent: Thursday, April 27, 2023 1:23 PM
To: michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>; Tobias Looker <tobias.looker@mattr.global<mailto:tobias.looker@mattr.global>>; cose <cose@ietf.org<mailto:cose@ietf.org>>
Cc: Cose Chairs Wg <cose-chairs@ietf.org<mailto:cose-chairs@ietf.org>>
Subject: 🔔 WGLC of draft-ietf-cose-cwt-claims-in-headers

Dear all,

This message starts the formal Working Group Last Call of the draft-ietf-cose-cwt-claims-in-headers [1].

The working group last call will run for **two weeks**, ending on May 12, 2022.

Please review and send any comments or feedback to the working group. Even if your feedback is "this is ready", please let us know.

Thank you,

- Mike and Ivaylo
COSE Chairs

[1]: https://www.ietf.org/archive/id/draft-ietf-cose-cwt-claims-in-headers-04.html
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose


--



ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>

[https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/>


--



ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>

[https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/>

v2.23.0 | Report a Bug | By Email