IETF Logo Mail Archive

Re: [COSE] [Ace] draft-raza-ace-cbor-certificates-04.txt

Göran Selander <goran.selander@ericsson.com> Mon, 27 April 2020 12:00 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81F9D3A045E; Mon, 27 Apr 2020 05:00:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jdj7_PGiqJSf; Mon, 27 Apr 2020 05:00:21 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20044.outbound.protection.outlook.com [40.107.2.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ACE93A044E; Mon, 27 Apr 2020 05:00:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Wnd7mc4Zv0K1smI8lVWz2gH9GuqhkenVzTlX3lrZcVg7mxm9pCIJcxhCyy9JRREj3aA8uZLdndJwKO7Q8VXBWTfj6+5vmeX7T2Tyw2aCWiKguGjSxRxT7iReTBRyPQ4HCzOQeDCOh+nIQ/7dpPgJA+1c+m2luJegNChUtN0/O+Aj+PIZEjq+wdN6DrkkFe4xbAiJnwCQ6tToh9g0QlcytKxc1Zy0ZgcXjGu42XL9D6Mq7L/vY8whbI0LUC9dfwKdhCOgJubJpV2iqRRrrQSnTI1NugE7412Ki0bkRSq0V7cLqh+bztFaWiSSzff+8ueQimBaRfEkqlBNFYa6mAEcww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ESZ7szV0th7osmMJtRKG9/i1kia6rEztazeOEIiR5U8=; b=oApymZUhboDIxs6VJ8Qe/dqxaXaNqVeVHtddZIabmCcZazvk4ezpjm2A337oqetsobTHoyz8o5TrMrWYXnSarysZZsFH87F53hUP4hFb8uHSIIcKMVk/KRlN+PVu/CTpHvJ7mDpDbGsYhmiFiZbHtfZfk2/saybHySCh/D/7x029lU/H8pgNPIwyAy7j0vOtrXQN8dKC23oCmASXbhfg9bJq6t0G2F41XXJiV3Gonv/phsdr5efuTWAE3N9NvQhQOke8KUI3ykkm+3HYhm/oixStmfp0jGG0jU7P9d1444l3NCFBogzdhYJA25G4IzFu0wX8qzEk09igzpiID1BtcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ESZ7szV0th7osmMJtRKG9/i1kia6rEztazeOEIiR5U8=; b=QA8uozjKNtSPoiWxwGvYixS/M9VrQKBjvhcR1mQL0CL044BHSd6JrFt6XM+N0B3PwpuNWTTDvVeBLnWOzrHPA1o4D7/AWWUce/WQW283VvO6V6Ued46K1opubjr9zsI/HLx4cAmsAjvnIo1HHfB8Q2G7xgrw084MwE+/LWQMrw4=
Received: from VI1PR07MB5023.eurprd07.prod.outlook.com (2603:10a6:803:9e::13) by VI1PR07MB5805.eurprd07.prod.outlook.com (2603:10a6:803:d7::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.14; Mon, 27 Apr 2020 12:00:18 +0000
Received: from VI1PR07MB5023.eurprd07.prod.outlook.com ([fe80::7c90:eb1a:e7da:2321]) by VI1PR07MB5023.eurprd07.prod.outlook.com ([fe80::7c90:eb1a:e7da:2321%7]) with mapi id 15.20.2958.014; Mon, 27 Apr 2020 12:00:18 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Laurence Lundblade <lgl@island-resort.com>, Joel Höglund <joel.hoglund@gmail.com>
CC: "cose@ietf.org" <cose@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [COSE] [Ace] draft-raza-ace-cbor-certificates-04.txt
Thread-Index: AQHWGjAedUYMYk6mBEmSoRUOvFZ8rKiIoCaAgARj1wA=
Date: Mon, 27 Apr 2020 12:00:18 +0000
Message-ID: <964634A4-7B61-4CEF-8ED0-6A9A48D984CD@ericsson.com>
References: <CAHszGE+s0gBKNmDky4NZLP3SO-BqosQ2FvA7HeZprv3jWFFL7g@mail.gmail.com> <CAHszGEJ94aF9XA_4q-DnKzUNAtJo059zXMFcunOv8f-SG2hyvw@mail.gmail.com> <8B4A9572-3770-416E-B937-1902AFC07DA7@island-resort.com>
In-Reply-To: <8B4A9572-3770-416E-B937-1902AFC07DA7@island-resort.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.36.20041300
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.246.8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f84a7ff0-ea59-4f21-84a4-08d7eaa28e27
x-ms-traffictypediagnostic: VI1PR07MB5805:
x-microsoft-antispam-prvs: <VI1PR07MB5805FAC500EE6F9C2843303DF4AF0@VI1PR07MB5805.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0386B406AA
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB5023.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(136003)(366004)(346002)(376002)(39860400002)(110136005)(316002)(6512007)(6486002)(33656002)(8676002)(36756003)(54906003)(85182001)(85202003)(86362001)(81156014)(53546011)(6506007)(2906002)(71200400001)(2616005)(478600001)(66556008)(4326008)(966005)(66574012)(64756008)(26005)(8936002)(5660300002)(66446008)(76116006)(186003)(91956017)(66476007)(66946007); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dnT0jW6SqfbjKgMoi0zw9IZUtguAAQUzQ9ZaEz1cL69DbMK/eBP81CsmARFdhnPuWxuCZoE0ahNfirlcUldspD2NN5i3Wy770qi761PIPj8JJvzd5viyKP5IRqTWSHHkYQXuqwWNh37kajmD7sd2bujSt7yD9PPWa2k7Wr8a4ytTgCcF54U4poElAZdw28uNMMGq59lGPEY1icGPySb8quPVCepNU6ESHFt2BcvAkRS13hdt+bzOyrpy+KpNht3rzb2IV5KLzQdREN7iu7SFBSN4F0ty4lgJJYKgr6d1CauJqTsjmFdodvbf70BXZ/jiCpS0B8NBLEJ3Z4h4YU55p63d7gO3YG7MER3xM5O0cD9xH4PpD9hv2rDjbYMCZ//Dj4HumNhn/L3xBBDbjzN8d5s+4NfAbcXdpXhz3lAOnIzo+yi1sKRODOnzfVfJxYLquRUaBifRV1VtBi0+l9RjvtsEo7TpU1c81UoQQIYDdEEGqyofwrGQXeqxEwVTH0W069L1ZSnqUylf3vWkjOb08g==
x-ms-exchange-antispam-messagedata: YWOMbKANK5mPWgZOxW7I3IGnXc+ybGInJYCSL4oJRjYlOyxstpIvPY/T7yvCg2Cwo/lqUzOk0IK6NCz/v/6Ad72akQUY5xlrZrVH+yIDSAGK4VrmcNwtNY3YqElSQ894Iz5EsFV0Y8rmjyM1gRq7S3N4nlisLyWqQYxvJYyL4chCuJOZsqhjXc0U0QYRMTDZhH7eyZ9WX1YRQQfSL2eZHPG6rin2Dv8zT3QcpMAhxo4kS++4Ij5MwuKfNU2atea1oTBPh8MULJ0KcR8xGZmE0YWlXXvajF43vQoQOB6UEPQrrkQoBi9hSzhEKz0NleE1oq9y/Lpf5e1hY7Q/YdZ4mTjnCCAaW4K6uiM8a75macu+Vb58aEQlfBMp5MWN29pFFzaVwzo5m5gqUf3QaSnfax7ZV67blCHV1RU8HuxRdH0LL16CUlldqn5bueB97ePoggVqEsqy6QXeBEpexSCZWU+W+xY2gT+d9ofI5juNVLCtmdEA1tiH0t75MiMlHfdUoC5JdnwZueKry9EiETWOjHUTxewa+qYcE3HJNIG9XUtOGB8i47l/nSn3tdqgk535B/Ag67VYuCVrjAjPdkVHQ09JYPDt4+vH9z7lHxUm8iyc/ZHBspB9t3/NHNcxfLFQ17leU/DZYU1tETf19UZE4ACd6L4e8uksRqL/Js4eouO3altuGSO5oNTcLt0CGfbGQKlqNLFLOCMIStqbGZ/4vRhnqRtbJ0iaObXpK81y9QcgHry2yK71vFM3nOo0m+PPEBl7LAOzt9stdWB3zg9DkzWLqHMEXshIpMcganpoXTQ=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_964634A47B614CEF8ED06A9A48D984CDericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f84a7ff0-ea59-4f21-84a4-08d7eaa28e27
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2020 12:00:18.5131 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SlrRtgPkCh8IdENHO+B41R8q2rxUlOABoO613PytTJpcB4LkIM/PShgpfUbBp+nsywbpYBAl0c2xa6jQBZ9VLyxLgVMZ6TBqi+6PXmfZU7M=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5805
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/RbJBbq3ewOj88YiuxsuO6nK3bcA>
Subject: Re: [COSE] [Ace] draft-raza-ace-cbor-certificates-04.txt
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 12:00:24 -0000

Hi Laurence,

(Copying both ACE and COSE pending further notice about right mail list.)

Comments inline.

From: COSE <cose-bounces@ietf.org> on behalf of Laurence Lundblade <lgl@island-resort.com>
Date: Friday, 24 April 2020 at 20:58
To: Joel Höglund <joel.hoglund@gmail.com>
Cc: "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] [Ace] draft-raza-ace-cbor-certificates-04.txt


On Apr 24, 2020, at 5:01 AM, Joel Höglund <joel.hoglund@gmail.com<mailto:joel.hoglund@gmail.com>> wrote:

> But of most interest to me is whether the COSE was considered as the
> signing format for native CBOR certs. If COSE is used, then this looks
> almost identical to CWT and may be a native CBOR cert is a variant of
> a CWT? … …

Our starting point has been to stay close to the original X.509 format while minimizing size. A COSE encoding would re-add some format overhead (close to 10% for the provided example certificate). But if a COSE encoding would help making the format accepted and used, it can definitely be further discussed.

Once again, thank you for your comments!

Hi Joel,

I’m just focusing on the native CBOR cert here.

[GS] Thanks for showing interest!

The overhead for COSE_Sign1 to encode the algorithm ID, key id (optional), payload, and signature is tiny and is fixed. If you assume each of these (IDs, payload, sig) already have to be a CBOR-encoded integer or string, then the overhead is probably less than ten bytes total, maybe even less than five for the COSE structure that groups them.

In your example A.3, I don’t see how the to-be-signed bytes are identified. Some solution, probably using bstr wrapping is needed. COSE solves with no more overhead than necessary.  (You don’t need this in example A.2, because you reconstruct the X.509 ASN.1/DER which does identify the to-be-signed bytes).

I’m not sure where you got the 10% number, but it seems high. Also, the COSE overhead is fixed, not proportional to the size of the certificate.

[GS] I think Joel is making a rough estimate of the size of a CBOR certificate to that of a COSE_Sign1 of a CWT.

To go on a little more, in the ASN.1 world, X.509 certs didn’t use CMS structure for signing which meant they couldn’t share implementations. Seems like X.509 and CMS were developed separately. Also, CMS isn’t that compact.

However, COSE_Sign1 is very compact and efficient. If it could be used for a native CBOR cert format, then COSE code can be re used. In use cases like signed SW updates and secured boot that use certificate chains, both the certificate chain and the signed SW updates would use the COSE format and share for verifying signatures.

[GS] The rationale for native CBOR certificates is to reuse the same encoding as in the compression scheme defined for RFC 7925, but signing the CBOR instead of signing the uncompressed data. This provides a roadmap with minimal changes when moving from compressed to native CBOR certificates.

I agree with you that the overhead of COSE_Sign1 or CWT is not major and these points are open for discussion. The more important question is where this should be standardized. The compression scheme is now included in the new draft charter for COSE:
https://github.com/cose-wg/Charter/blob/master/Charter.md
The charter is currently not explicitly supporting native CBOR certificates. If you think it should, in some variant, then this is a good time to raise your voice.

Göran

v2.23.0 | Report a Bug | By Email