Re: [COSE] [Last-Call] Iotdir telechat review of draft-ietf-cose-x509-07
Carsten Bormann <cabo@tzi.org> Tue, 20 October 2020 11:43 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C3A3A11A6; Tue, 20 Oct 2020 04:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 084a0y64CW84; Tue, 20 Oct 2020 04:42:59 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F4F33A11A9; Tue, 20 Oct 2020 04:42:56 -0700 (PDT)
Received: from [192.168.217.118] (p548dcc60.dip0.t-ipconnect.de [84.141.204.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4CFsFB02Vmz1085; Tue, 20 Oct 2020 13:42:53 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <26102.1603156521@localhost>
Date: Tue, 20 Oct 2020 13:42:53 +0200
Cc: iot-directorate@ietf.org, last-call@ietf.org, draft-ietf-cose-x509.all@ietf.org, cose@ietf.org
X-Mao-Original-Outgoing-Id: 624886973.291835-f071e35de32d14c1f93b613a494a4fec
Content-Transfer-Encoding: quoted-printable
Message-Id: <38B4F6C0-6F7E-46DF-A1B7-24D6E83BFE92@tzi.org>
References: <160314506078.20558.15385106097623388280@ietfa.amsl.com> <26102.1603156521@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Yjk06ovszwgSpQqelLfI9TSHAyc>
Subject: Re: [COSE] [Last-Call] Iotdir telechat review of draft-ietf-cose-x509-07
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2020 11:43:01 -0000
On 2020-10-20, at 03:15, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > I believe we use the term bag because it is permissible for a certificate > artifact to appear more than once. Stupid maybe, but permissible. > > I think that some systems/libaries considered the Issuer/Subject to be the > key for indexing the set, and then they got confused if there was more than > one certificate in the bag. The additional object used a different signature > and/or hash. At least, I have some dim memory of some situation being > described to me. I think that the names of the guilty parties were withheld. I think we have a different perception of what “is” means. In my shopping bag, there *is* a difference between having one or two yoghurts in there. In the x5bag, having the same certificate twice is exactly equivalent to having it once. So it “is” a (non-empty) set, not a bag, even if the *representation* (as an array, with a special case for the singleton) can actually have duplicates. Given the semantics, the question how one “finds” things in that set is more of an implementation question. I don’t think offering this as a multimap(*) with some arbitrarily chosen map key is flexible enough. Normally, a simple iterator (so you get to see any and all of the elements) will be the best solution, because the implementation cannot know what the application-specific validation process is looking for, and we are talking about a very small set. Grüße, Carsten (*) Cannot be a map, as there is no guarantee of uniqueness of any key.
- [COSE] Iotdir telechat review of draft-ietf-cose-… Carsten Bormann via Datatracker
- Re: [COSE] [Last-Call] Iotdir telechat review of … Michael Richardson
- Re: [COSE] [Last-Call] Iotdir telechat review of … Eric Vyncke (evyncke)
- Re: [COSE] [Last-Call] Iotdir telechat review of … Carsten Bormann
- Re: [COSE] [Last-Call] Iotdir telechat review of … Ivaylo Petrov