Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
Laurence Lundblade <lgl@island-resort.com> Thu, 03 March 2022 08:21 UTC
From: Laurence Lundblade <lgl@island-resort.com>
Date: Thu, 3 Mar 2022 00:21:29 -0800
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>,
Hannes Tschofenig <hannes.tschofenig@arm.com>,
Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>,
"cose@ietf.org" <cose@ietf.org>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/bR_PKKW8guJoYCrpWqy-iHbgWFQ>
Subject: Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
Yes, the only issue of yours that addresses is the ability to access the profile claim before decoding, decrypting and verifying the COSE payload.

LL

> On Mar 2, 2022, at 11:38 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
> On 2022-03-02 19:33, Laurence Lundblade wrote:
>> Makes sense to me. Helps out for the EAT claim named “profile” which gives information about the type of the token you might want before fully verifying it. Addresses an issue Anders brought up about the profile claim.
>
> Not so fast :) I brought up a bunch of things which can be illustrated by this (just implemented...) example of an encryption object:
>
> 211(["https://example.com/myobject", {
>   / COSE content encryption algorithm = A256GCM /
>   1: 3,
>   / Key encryption container /
>   2: {
>     / COSE Key encryption algorithm = ECDH-ES+A256KW /
>     1: -31,
>     / Key identifier /
>     3: "mykey",
>     / Ephemeral key /
>     5: {
>       / COSE Key type = OKP /
>       1: 1,
>       / COSE Curve = X25519 /
>       -1: 4,
>       / COSE X coordinate /
>       -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929'
>     },
>     / Encrypted key /
>     10: h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba'
>   },
>   / Tag /
>   8: h'59a84826983e3247fbec4295f75cc138',
>   / IV /
>   9: h'fd8556c122cff2bc128d5119',
>   / Encrypted data /
>   10: h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60'
> }])
>
> The core of this builds on Deterministic CBOR which unleashes the true power of CBOR in a way legacy solutions do not. The enhancements include:
>
> - Eliminating wrapping of header and (unencrypted) application data.
> - Using the entire container (modulo the algorithm output variables which are added last) as input to a signature process and to the authentication part of an encryption process. In the example that includes the top-level CBOR tag as well. cryptoOperation(cborObject.encode()) is all that it takes on the encoder's side.
>
> This is pretty much what the X.509 folks have been doing from the very start so there is close to zero innovation here 😁
>
> In the example I have also used a URL as profile/object type indicator since IANA CBOR custom tag 1537244 or whatever you end up with, simply isn't pretty enough :) To be more serious: URLs are decentralized and would in this context probably be browseable as well.
>
> Cheers,
> Anders
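The construction described in the quoted message (the deterministic encoding of the whole tagged container, top-level tag included, is the crypto input, and the algorithm output fields are added afterwards), together with Laurence's point that the profile/object-type indicator is readable before anything is verified, as an added example. This is not code from the thread, from the draft, or from any COSE library. It assumes: a small deterministic CBOR encoder written here (RFC 8949 core rules: shortest integer form, map entries sorted by encoded key), HMAC-SHA256 as a stand-in for the "authentication part" so the example runs on the standard library alone, the label layout of the quoted object (1 = alg, 3 = kid, 8 = tag, 10 = data), and a constructed key; `protect`, `verify`, `object_type` and `with_field` are hypothetical names.

```python
import hashlib
import hmac

# ---- minimal deterministic CBOR encoder (RFC 8949 section 4.2.1 core rules) ----

class Tag:
    """CBOR tag (major type 6) wrapping one value, e.g. Tag(211, [...])."""
    def __init__(self, number, value):
        self.number = number
        self.value = value

def _head(major, n):
    """Shortest initial-byte encoding of major type `major` with argument `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument does not fit in 64 bits")

def encode(v):
    """Deterministically encode int, bytes, str, list, dict and Tag values."""
    if isinstance(v, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        utf8 = v.encode("utf-8")
        return _head(3, len(utf8)) + utf8
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(encode(x) for x in v)
    if isinstance(v, dict):
        # Deterministic rule: entries ordered by the bytes of their encoded keys,
        # so insertion order on either side does not change the encoding.
        pairs = sorted((encode(k), encode(val)) for k, val in v.items())
        return _head(5, len(pairs)) + b"".join(k + val for k, val in pairs)
    if isinstance(v, Tag):
        return _head(6, v.number) + encode(v.value)
    raise TypeError(f"unsupported type: {type(v).__name__}")

# ---- the "whole container is the crypto input" construction ----

OBJECT_TAG = 211                                            # top-level tag from the quoted example
ALG_LABEL, KID_LABEL, TAG_LABEL, DATA_LABEL = 1, 3, 8, 10   # label layout borrowed from the example
HMAC_SHA256 = 5                                             # COSE algorithm id for HMAC 256/256
KEY = bytes.fromhex("0f" * 32)                              # constructed demo key, not a real secret

def _crypto_input(obj_type, body):
    """Everything, top-level tag included, is the input: cryptoOperation(cborObject.encode())."""
    return encode(Tag(OBJECT_TAG, [obj_type, body]))

def protect(obj_type, kid, data, key):
    """Build the tagged container, then add the only output field (the MAC) last."""
    body = {KID_LABEL: kid, ALG_LABEL: HMAC_SHA256, DATA_LABEL: data}  # deliberately unsorted
    mac = hmac.new(key, _crypto_input(obj_type, body), hashlib.sha256).digest()
    body[TAG_LABEL] = mac
    return Tag(OBJECT_TAG, [obj_type, body])

def object_type(obj):
    """The profile/object-type URL is readable before any verification."""
    return obj.value[0]

def verify(obj, key):
    """Drop the output field, re-encode, recompute the MAC, compare in constant time."""
    obj_type, body = obj.value
    body = dict(body)
    received = body.pop(TAG_LABEL, None)
    if received is None:
        return False
    expected = hmac.new(key, _crypto_input(obj_type, body), hashlib.sha256).digest()
    return hmac.compare_digest(received, expected)

def with_field(obj, label, value):
    """Copy of `obj` with one body field changed, used to show that tampering is detected."""
    obj_type, body = obj.value
    body = dict(body)
    body[label] = value
    return Tag(OBJECT_TAG, [obj_type, body])

if __name__ == "__main__":
    obj = protect("https://example.com/myobject", "mykey", b"application data", KEY)
    print("type before verifying:", object_type(obj))
    print("genuine verifies:", verify(obj, KEY))
    print("changed kid verifies:", verify(with_field(obj, KID_LABEL, "otherkey"), KEY))
    print("encoding:", encode(obj).hex())
```

The receiver never needs a separate Sig_structure or Enc_structure: it removes the output field, re-encodes what is left and recomputes. That only works because both sides are guaranteed to produce identical bytes for the same map, which is exactly what the shortest-form integers and sorted keys in `encode` enforce; with a non-deterministic encoder a reordered key or a longer integer form would make verification fail on a genuine object.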