IETF Logo Mail Archive

Re: [COSE] [Rats] RAM requirements for COSE/CWT

Carsten Bormann <cabo@tzi.org> Tue, 22 February 2022 14:50 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617F43A12F6; Tue, 22 Feb 2022 06:50:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OX6O2Vmwmnuf; Tue, 22 Feb 2022 06:50:14 -0800 (PST)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C4373A12C6; Tue, 22 Feb 2022 06:50:10 -0800 (PST)
Received: from [192.168.217.118] (p5089ad4f.dip0.t-ipconnect.de [80.137.173.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4K32C34qghzDCgM; Tue, 22 Feb 2022 15:50:07 +0100 (CET)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <14c8d106-3b4b-f973-94b8-018852ff4769@gmail.com>
Date: Tue, 22 Feb 2022 15:50:07 +0100
Cc: "rats@ietf.org" <rats@ietf.org>, "cose@ietf.org" <cose@ietf.org>
X-Mao-Original-Outgoing-Id: 667234207.119362-95ae139d06380dd92147ccc8b0c9131d
Content-Transfer-Encoding: quoted-printable
Message-Id: <8C2C6592-D5B9-430A-B878-E1009E9BCF22@tzi.org>
References: <e8995f0c-ad85-f702-da6b-051ffdc4cb08@gmail.com> <DBBPR08MB5915B874FD16107A7B0105AAFA3A9@DBBPR08MB5915.eurprd08.prod.outlook.com> <1a16c80d-40cd-baba-b1ce-2033dd0db294@gmail.com> <D22D0D63-F76C-48B3-A034-F8B5B2BB6005@tzi.org> <2c8be442-9899-d117-155c-f6f2096b7055@gmail.com> <92C7CF7C-ED23-41B3-AB32-8438C4C88C20@tzi.org> <14c8d106-3b4b-f973-94b8-018852ff4769@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/fnn6mPq1gc9bci1q374fpVc2130>
Subject: Re: [COSE] [Rats] RAM requirements for COSE/CWT
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 14:50:26 -0000

Hi Anders,

> The WebAuthn/FIDO specification details CBOR serialization requirements

(As does COSE *for its internally constructed signing inputs*, not for what goes over the wire.)

> while the EAT draft specifies multiple alternatives.  

Maybe we need to fix that then.

> There must be a reason for that.  

The spirit is willing, but the flesh is weak.
Well, actually, the spirit is the problem.
We need to get better in the willpower to nail down unneeded choices.
(Of which JSON vs. CBOR is one.)

> To cope with (and potentially enforce/verify), different CBOR serialization variants, CBOR tools typically provide options: https://github.com/peteroupc/CBOR-Java/blob/master/api/com.upokecenter.cbor.CBOREncodeOptions.md

This is a bit of a Cadillac implementation with lots of options, many of which have to do with API variants as opposed to encoding options.
None of the latter ones will get in the way of EAT interoperability.

> The proposal is simply defining something like an "I-CBOR" that could serve as the foundation for future standards like EAT.

I-JSON was necessary because JSON implementations claim to have ingested something and then give you something else, unless you stay in the fold of I-JSON.
I’m not aware of a similar problem for CBOR, so I don’t know why we’d need I-CBOR.

Yes, because of historical artifacts we have different deterministic/“canonical” encoding rules — but that is of interest only where you *need* deterministic encoding.  COSE did the right thing and minimized that surface so it actually doesn’t matter which ones you are using.  (CTAP2 actually did that too, IIRC, they just wrote down some additional rules that they don’t actually need.  But I didn’t look at this for a while.)

If you really do need deterministic encoding, it’s right there in STD94 (RFC8949).  You need to remember that deterministic encoding spans all the way to the application, so slapping an I-something label on the encoder is not going to give you actual interoperability if you really do need deterministic encoding.

Do we?

Grüße, Carsten

v2.8.7 | Report a Bug | By Email