Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 03 March 2022 09:45 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Laurence Lundblade <lgl@island-resort.com>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
CC: Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>, "cose@ietf.org" <cose@ietf.org>
Date: Thu, 3 Mar 2022 09:44:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Xs0-zxPWdCMIQ1bqgOJoJWXPAPc>

Hi Anders,

Thanks for jumping in.

The example you provide below is actually quite interesting and related to a question I posted to the list a few days ago (see https://mailarchive.ietf.org/arch/msg/cose/9nowDz5kbfUvrGR-o6U1Tm31XAA/).

I am not sure whether the intention of Tobias & Mike is actually to redefine the way encryption is accomplished. They should confirm.

Ciao
Hannes

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Sent: Thursday, March 3, 2022 8:39 AM
To: Laurence Lundblade <lgl@island-resort.com>; Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>; cose@ietf.org
Subject: Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers

On 2022-03-02 19:33, Laurence Lundblade wrote:
Makes sense to me. Helps out for the EAT claim named “profile” which gives information about the type of the token you might want before fully verifying it. Addresses an issue Anders brought up about the profile claim.

Not so fast  :)  I brought up a bunch of things which can be illustrated by this (just implemented...) example of an encryption object:

211(["https://example.com/myobject", {
  / COSE content encryption algorithm = A256GCM /
  1: 3,
  / Key encryption container /
  2: {
    / COSE Key encryption algorithm = ECDH-ES+A256KW /
    1: -31,
    / Key identifier /
    3: "mykey",
    / Ephemeral key /
    5: {
      / COSE Key type = OKP /
      1: 1,
      / COSE Curve = X25519 /
      -1: 4,
      / COSE X coordinate /
      -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929'
    },
    / Encrypted key /
    10: h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba'
  },
  / Tag /
  8: h'59a84826983e3247fbec4295f75cc138',
  / IV /
  9: h'fd8556c122cff2bc128d5119',
  / Encrypted data /
  10: h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60'
}])

The core of this builds on Deterministic CBOR which unleashes the true power of CBOR in a way legacy solutions do not.   The enhancements include:

  *   Eliminating wrapping of header and (unencrypted) application data.
  *   Using the entire container (modulo the algorithm output variables which are added last) as input to a signature process and to the authentication part of an encryption process. In the example that includes the top-level CBOR tag as well. cryptoOperation(cborObject.encode()) is all that it takes on the encoder's side.

This is pretty much what the X.509 folks have been doing from the very start so there is close to zero innovation here 😁

In the example I have also used a URL as profile/object type indicator since IANA CBOR custom tag 1537244 or whatever you end up with, simply isn't pretty enough :) To be more serious: URLs are decentralized and would in this context probably be browseable as well.

Cheers,
Anders
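The quoted message says the whole container, minus the algorithm outputs, is what gets authenticated. As an added example (not code from the thread or from any participant's implementation), the following minimal deterministic CBOR encoder derives those authenticated bytes for the object shown in the message. Assumptions: top-level labels 8 (tag) and 10 (encrypted data) are the "output variables", everything else including the IV and the wrapped key is authenticated, and the names `Tag`, `encode` and `authenticated_data` are illustrative.

```python
import struct

class Tag:
    """A CBOR tag (major type 6) wrapping one value."""
    def __init__(self, number, value):
        self.number, self.value = number, value

def _head(major, n):
    # Deterministic encoding requires the shortest form of every argument.
    if n < 24:
        return bytes([major << 5 | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | info]) + struct.pack(fmt, n)
    raise ValueError("argument does not fit in 64 bits")

def encode(obj):
    """Deterministically encode ints, bytes, text, lists, dicts and Tags."""
    if isinstance(obj, int) and not isinstance(obj, bool):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(map(encode, obj))
    if isinstance(obj, dict):
        # Map entries are sorted bytewise by encoded key (RFC 8949, 4.2.1).
        pairs = sorted((encode(k), encode(v)) for k, v in obj.items())
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    if isinstance(obj, Tag):
        return _head(6, obj.number) + encode(obj.value)
    raise TypeError(f"unsupported type: {type(obj).__name__}")

OUTPUT_LABELS = {8, 10}  # assumption: top-level tag and ciphertext are outputs

def authenticated_data(tagged):
    """Bytes given to the AEAD as additional data: the object minus outputs."""
    url, container = tagged.value
    inputs = {k: v for k, v in container.items() if k not in OUTPUT_LABELS}
    return encode(Tag(tagged.number, [url, inputs]))

URL = "https://example.com/myobject"
X = "33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929"
WRAPPED = ("e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e50"
           "99d9db510920ccff14debf820427e4ba")
CT = "e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60"
# The object from the message above, with its hex values copied from it.
OBJ = Tag(211, [URL, {
    1: 3,
    2: {1: -31, 3: "mykey", 5: {1: 1, -1: 4, -2: bytes.fromhex(X)},
        10: bytes.fromhex(WRAPPED)},
    8: bytes.fromhex("59a84826983e3247fbec4295f75cc138"),
    9: bytes.fromhex("fd8556c122cff2bc128d5119"),
    10: bytes.fromhex(CT)}])
```

Because the tag number and the URL are inside the encoded bytes, a receiver that recomputes `authenticated_data` on a message whose profile URL, algorithm or key container was altered will fail the AEAD tag check; map insertion order, by contrast, has no effect on the bytes.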