Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 03 March 2022 07:38 UTC
Message-ID: <36e34eb7-ee20-3644-4383-1c3f72279fc3@gmail.com>
Date: Thu, 3 Mar 2022 08:38:47 +0100
To: Laurence Lundblade <lgl@island-resort.com>,
Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <hannes.tschofenig@arm.com>,
Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>,
"cose@ietf.org" <cose@ietf.org>
References: <SY4P282MB1274BCAC469DFE3B7284DFB29D039@SY4P282MB1274.AUSP282.PROD.OUTLOOK.COM>
<DBBPR08MB5915A5EE40B555A4953E7BA0FA039@DBBPR08MB5915.eurprd08.prod.outlook.com>
<SJ0PR00MB10050EBE6EAB4E80584A31B9F5039@SJ0PR00MB1005.namprd00.prod.outlook.com>
<280EEA8E-67E4-4E7A-94A6-8C0A60048F81@island-resort.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <280EEA8E-67E4-4E7A-94A6-8C0A60048F81@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Fzap8YEYundydbmQY2f_VJGuKEg>
On 2022-03-02 19:33, Laurence Lundblade wrote:
> Makes sense to me. Helps out for the EAT claim named “profile” which gives information about the type of the token you might want before fully verifying it. Addresses an issue Anders brought up about the profile claim.

Not so fast :)

I brought up a bunch of things which can be illustrated by this (just implemented...) example of an encryption object:

211([
  "https://example.com/myobject",
  {
    / COSE content encryption algorithm = A256GCM /
    1: 3,
    / Key encryption container /
    2: {
      / COSE Key encryption algorithm = ECDH-ES+A256KW /
      1: -31,
      / Key identifier /
      3: "mykey",
      / Ephemeral key /
      5: {
        / COSE Key type = OKP /
        1: 1,
        / COSE Curve = X25519 /
        -1: 4,
        / COSE X coordinate /
        -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929'
      },
      / Encrypted key /
      10: h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba'
    },
    / Tag /
    8: h'59a84826983e3247fbec4295f75cc138',
    / IV /
    9: h'fd8556c122cff2bc128d5119',
    / Encrypted data /
    10: h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60'
  }
])

The core of this builds on /Deterministic CBOR/ which unleashes the /true power/ of CBOR in a way legacy solutions do not. The enhancements include:

* Eliminating wrapping of header and (unencrypted) application data.
* Using the entire container (modulo the algorithm output variables which are added lastly) as input to a signature process and to the authentication part of an encryption process. In the example that includes the top-level CBOR tag as well.

cryptoOperation(cborObject.encode()) is all that it takes on the encoder's side.

This is pretty much what the X.509 folks have been doing from the very start so there is close to zero innovation here 😁

In the example I have also used a URL as profile/object type indicator since IANA CBOR custom tag 1537244 or whatever you end up with, simply isn't pretty enough :)

To be more serious: URLs are /decentralized/ and would in this context probably be /browseable/ as well.

Cheers,
Anders
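The "authenticate the deterministic encoding of the whole container, then add the algorithm outputs" scheme described in the message above, as an added example (my own illustration, not Anders's implementation and not COSE). It contains a minimal RFC 8949 core deterministic encoder (shortest integer heads, map keys sorted bytewise by their encoded form, definite lengths) for the subset of CBOR the e-mail's object uses, and it swaps the e-mail's A256GCM/ECDH-ES for an HMAC-SHA256 tag stored at label 8 so that it runs on the Python standard library alone. The key, the ephemeral public key and the ciphertext bytes are constructed placeholders. The point it makes is the one the text relies on: two maps built in different key orders encode to the same bytes, so the verifier can strip the output field, re-encode, and recompute the tag without any wrapping.

```python
import hashlib
import hmac
import struct


class Tag:
    """CBOR tag wrapper (major type 6), e.g. Tag(211, [...])."""

    def __init__(self, number, value):
        self.number, self.value = number, value


def _head(major, n):
    """Initial byte(s) for `major` with argument `n` in the shortest form
    (RFC 8949 deterministic-encoding rule 1)."""
    mt = major << 5
    if n < 24:
        return bytes([mt | n])
    if n < 0x100:
        return bytes([mt | 24, n])
    if n < 0x10000:
        return bytes([mt | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([mt | 26]) + struct.pack(">I", n)
    return bytes([mt | 27]) + struct.pack(">Q", n)


def encode(obj):
    """Deterministic CBOR for ints, bytes, str, list, dict and Tag."""
    if isinstance(obj, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        # Keys ordered by the bytewise lexicographic order of their encodings,
        # so insertion order cannot change the output; duplicates are rejected.
        items = sorted((encode(k), encode(v)) for k, v in obj.items())
        for i in range(1, len(items)):
            if items[i][0] == items[i - 1][0]:
                raise ValueError("duplicate map key")
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    if isinstance(obj, Tag):
        return _head(6, obj.number) + encode(obj.value)
    raise TypeError("unsupported type %s" % type(obj).__name__)


TAG_LABEL = 8  # the e-mail's example keeps the authentication tag here


def _mac_input(container, body):
    # MAC input = encoding of the entire container, top-level tag included,
    # with only the output field left out (it is added afterwards).
    url = container.value[0]
    return encode(Tag(container.number, [url, body]))


def protect(container, key):
    """Return a new Tag(211, [url, map]) with the HMAC tag stored at label 8."""
    url, body = container.value
    body = dict(body)
    body.pop(TAG_LABEL, None)
    body[TAG_LABEL] = hmac.new(key, _mac_input(container, body), hashlib.sha256).digest()
    return Tag(container.number, [url, body])


def verify(container, key):
    """Strip label 8, re-encode deterministically, recompute and compare."""
    url, body = container.value
    if TAG_LABEL not in body:
        return False
    body = dict(body)
    tag = body.pop(TAG_LABEL)
    expected = hmac.new(key, _mac_input(container, body), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


KEY = b"constructed demo key, 32 bytes!!"  # constructed, not from the e-mail


def build_example(key=KEY):
    """Same shape as the e-mail's object; key material and ciphertext are placeholders."""
    body = {
        1: 3,                                               # A256GCM (label value as in the e-mail)
        2: {1: -31, 3: "mykey", 5: {1: 1, -1: 4, -2: bytes(32)}, 10: bytes(40)},
        9: bytes.fromhex("fd8556c122cff2bc128d5119"),      # IV from the e-mail
        10: bytes(38),                                      # encrypted data placeholder
    }
    return protect(Tag(211, ["https://example.com/myobject", body]), key)


def order_independent():
    """Different insertion order, identical deterministic encoding."""
    return encode({10: b"x", 1: 3, -1: 4}) == encode({-1: 4, 1: 3, 10: b"x"})


def tampered_fails(key=KEY):
    """Changing any protected field (here the IV) invalidates the tag."""
    obj = build_example(key)
    url, body = obj.value
    body = dict(body)
    body[9] = bytes(12)
    return not verify(Tag(211, [url, body]), key)


if __name__ == "__main__":
    obj = build_example()
    print(encode(obj).hex())
    print("verify:", verify(obj, KEY), "tamper detected:", tampered_fails())
```

Because label 8 sits inside the same map as the protected fields, no separate "protected header" byte string is needed; the sorted-key rule is what lets both sides reproduce the exact bytes. A real deployment would use the AEAD tag and key-agreement from the e-mail's example in place of the HMAC stand-in.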