Re: [COSE] Some comments on draft-mattsson-cose-cbor-cert-compress
John Mattsson <john.mattsson@ericsson.com> Thu, 13 May 2021 11:22 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Date: Thu, 13 May 2021 11:22:36 +0000
Message-ID: <A8BC22D5-B869-47ED-9F70-C24D51DE0401@ericsson.com>
References: <CAJFkdRwmFZy7PGgJNUpr6New9Op=9cpUg56mmmNFGzhn8pWmXQ@mail.gmail.com> <YFjTK7GSzs1EtPR2@LK-Perkele-VII2.locald>
In-Reply-To: <YFjTK7GSzs1EtPR2@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/_C7ZIj3Sny75bIDpKeAVotWa1xo>
Thanks Ilari! I will go through your comments next week and include updates for version -01. Great that you are implementing; there are other people implementing as well. In the future, we should maybe make a list of implementations and maybe make sure that they are interoperable.

Next week I will release the Rust code I wrote to generate the examples in the draft. My code takes a DER encoded cert from file, or a DER encoded chain from a TLS server, and compresses it to C509.

Cheers,
John

-----Original Message-----
From: COSE <cose-bounces@ietf.org> on behalf of Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Monday, 22 March 2021 at 18:26
To: cose <cose@ietf.org>
Subject: [COSE] Some comments on draft-mattsson-cose-cbor-cert-compress

    I am trying to write an implementation of draft-mattsson-cose-cbor-cert-compress; some comments on the editor's draft about things that came up:

    - Section 3.3. Encoding of Extensions says that:

      "Critical extensions are encoded with a positive sign and non-critical extensions are encoded with a negative sign."

      However, section 8.3. C509 Certificate Extensions Registry has:

      0 -> Subject Key Identifier

      0 is neither positive nor negative, so sign-flipping cannot be used with it. Name kinds do similar name flipping, but there at least is no name kind 0.

    - Section 3.3. Encoding of Extensions says that:

      "Critical extensions are encoded with a positive sign and non-critical extensions are encoded with a negative sign."

      However, section 3.3.1. Example Encoding of Extensions contains a number of examples where seemingly the sign is used in exactly the opposite way (positive is non-critical, negative is critical).

    - Section 8.3. C509 Certificate Extensions Registry has:

      Authority Key Identifier -> bytes

      However, section 3.3. Encoding of Extensions says:

      "authorityKeyIdentifier. extensionValue is encoded as an array where"

      So AKI may be an array.

    - Section 3.3. Encoding of Extensions has CDDL, which has derivation:

      ExtValueAKI -> bytes

      However, the prose does not seem to say what having bytes there means. It would make sense to use bytes to mean an AKI that has only the keyIdentifier field, as that is seemingly the most common case, and it would make AKI match up with SKI.

    - Section 8.3. C509 Certificate Extensions Registry has:

      Extended Key Usage -> int

      However, section 3.3. Encoding of Extensions says:

      "extKeyUsage. extensionValue is encoded as an array of"

      So EKU may be an array.

    - Section 3.1. Message Fields says:

      "If the array contains exactly two ints and the absolute value of the first int is 2, the array is omitted and"

      Extension 2 is Subject Alternative Name, which does not admit int as argument (only array and text).

    - Unknown algorithms with no parameters could be encoded as bytes instead of the current [bytes].

    - Unknown non-critical extensions could be encoded as (bytes, bytes) instead of the current (bytes, false, bytes).

    - This may be intentional, but looks a bit odd: RSASSA-PKCS1-v1_5 with SHA-256 is 23, which is a 1 byte int, whereas all the other RSA signatures use 2 byte identifiers.

    -Ilari
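The two encoding points raised above, the sign rule for extension criticality (and why identifier 0 defeats it) and the 1-byte/2-byte boundary between CBOR ints 23 and 24, as an added example that is not code from the draft or from either poster. The CBOR integer encoder follows RFC 8949 major types 0 and 1; the only registry value used is the 0 = Subject Key Identifier quoted in the thread, everything else is constructed.

```python
from __future__ import annotations

# Added example, not from the draft: models the C509 rule "critical extensions
# positive, non-critical extensions negative" on top of plain CBOR integers,
# and shows that extension identifier 0 (Subject Key Identifier) cannot carry
# criticality that way because 0 has no sign.

def cbor_int(n: int) -> bytes:
    """Encode an integer as a CBOR major type 0 (n >= 0) or type 1 (n < 0) item."""
    major, value = (0, n) if n >= 0 else (1, -1 - n)
    head = major << 5
    if value < 24:                      # values 0..23 fit in the initial byte
        return bytes([head | value])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if value < 1 << (8 * size):     # additional-info 24..27 => 1/2/4/8 extra bytes
            return bytes([head | ai]) + value.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def encode_ext_id(ext_id: int, critical: bool) -> int:
    """Apply the draft's sign rule: critical -> positive, non-critical -> negative."""
    return ext_id if critical else -ext_id


def decode_ext_id(signed: int) -> tuple[int, bool | None]:
    """Invert the sign rule; None marks the value the rule cannot decide."""
    if signed > 0:
        return signed, True
    if signed < 0:
        return -signed, False
    return 0, None  # 0 is neither positive nor negative: criticality is lost


def round_trips(ext_id: int) -> bool:
    """True if both criticality values survive encode/decode for this identifier."""
    return all(decode_ext_id(encode_ext_id(ext_id, c)) == (ext_id, c)
               for c in (True, False))


if __name__ == "__main__":
    print("ext id 1 round-trips:", round_trips(1))   # True
    print("ext id 0 round-trips:", round_trips(0))   # False: SKI loses criticality
    for n in (23, 24, -24, -25):
        print(f"CBOR int {n:>3} -> {cbor_int(n).hex()} ({len(cbor_int(n))} byte(s))")
```

Running it shows that 23 and -24 each take a single byte while 24 and -25 take two, which is the boundary the last comment in the thread is pointing at.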