IETF Logo Mail Archive

Re: [COSE] Key identifier of type bstr / int

Orie Steele <orie@transmute.industries> Mon, 21 March 2022 17:43 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048B53A116B for <cose@ietfa.amsl.com>; Mon, 21 Mar 2022 10:43:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjRBqMC6FTiD for <cose@ietfa.amsl.com>; Mon, 21 Mar 2022 10:43:24 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8A403A1AC5 for <cose@ietf.org>; Mon, 21 Mar 2022 10:43:21 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 17so5966584ljw.8 for <cose@ietf.org>; Mon, 21 Mar 2022 10:43:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2vvIicxhhQNw01S2wBxSjnivlRLVPDp5FsR8c6JYcSQ=; b=Sf/ZEZthPig8MlTGV+dOB+HLtHYRaT3fSmGwVdrlxH/0m8+pGpNoFwIIIY3v+FIQx7 yhxqyj1Aq29ZM0kpL2yzmqgL5tnv6046qhhhFV97QssSv4ovfQn+kwa9rSgOYixltGNV kDTEJTk9/KZohh5HMr74Mk2UpMUrlIRbiSn81P0VjUhKzxkxR3FAPMbNppzz8F+SOFK8 0e8GXMkTHqZb21WCw5OSZmXafJ2JfRdg8piKF6oDu0ZQ2A5iDggbEAmeaaXKy/cuwNTn NXqU/+gV1cHuiCI+nKUnhlafmqn8QREUQmWqTNQhwSf8fChDHeuBlhaFEr/Y0nLGx9X+ 0XOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2vvIicxhhQNw01S2wBxSjnivlRLVPDp5FsR8c6JYcSQ=; b=iRl5swvCa0JIcBt1Q804VlXGDJDCMwX15kSpD/lv5Ta/yoJh6qIGDK2mkNBApDeTuM v9YRVtLUnJoxkU3hsvksZIZHSTAOFrSC3rhHyaKQ3dvA48dXz5/33iRqHgnq91GjM6wW Kug4KwEA0Zhw21rHI+Q7Jqigjql75X/9qJzZPUWB9MxyvMsGXCFSXz7qOBNRP0xPOZAk QDKwaGIV3hfRiS1HmgLAsuiOS/W09Uk7XC4Jvkx881G+xzY0PSveAYUudfKQnMjDSohG 69GLbwXSFbXJXgdyODRS96lS3u6YC16YJ65mQ32Yg675pQJ41Kcw2CC63LalwXag8vdq 0sxQ==
X-Gm-Message-State: AOAM531ohp3g/vXTtNzsS9pAfR012PmRqo3Hq8VMSE9TAHqzplgoEzNA /gcWHSKHidRyqBP/yWqtqZ09OLVvkSS7kD1CZ5JNqQ==
X-Google-Smtp-Source: ABdhPJz6JiLqodDqcFAX2y/PYsn6xLq+wSN+xSEY7omOPiYPQizstp9/AtBmPIGsD3FrSQ9BmU9tyU1fGEBaC7+UuKc=
X-Received: by 2002:a2e:8495:0:b0:247:dca3:f7bc with SMTP id b21-20020a2e8495000000b00247dca3f7bcmr16465749ljh.12.1647884599271; Mon, 21 Mar 2022 10:43:19 -0700 (PDT)
MIME-Version: 1.0
References: <95B75634-B147-4756-A950-C6B139CF3ADD@ericsson.com> <9DF382AC-12A8-47A5-AAE7-2B0D75EAA669@island-resort.com> <EDFDB6E4-2BDE-4E2E-9CF0-D771E2DEF3C6@ericsson.com> <823C00C2-4F6C-4DF5-99B0-87D8524D4A9C@island-resort.com> <C059B669-4C5D-4980-A665-96A39F4457C3@island-resort.com> <AM4PR0701MB21958541C07CEA44DB1B1578F4169@AM4PR0701MB2195.eurprd07.prod.outlook.com> <CAN8C-_+3sWckZKo7KS2fsPU4pBHo+NNGgQpxg7p8LytFX01eEw@mail.gmail.com> <AM4PR0701MB2195D76D8CFCC873C1D05A04F4169@AM4PR0701MB2195.eurprd07.prod.outlook.com>
In-Reply-To: <AM4PR0701MB2195D76D8CFCC873C1D05A04F4169@AM4PR0701MB2195.eurprd07.prod.outlook.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 21 Mar 2022 12:43:08 -0500
Message-ID: <CAN8C-_K4EfFSar9H_QR+cV_pz+xhXtWA=pKK+rFv241E5DQofQ@mail.gmail.com>
To: Göran Selander <goran.selander@ericsson.com>
Cc: Laurence Lundblade <lgl@island-resort.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002bb82e05dabe08de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/h1ctpfmpJkTY16m7dLEE9qY-mSM>
Subject: Re: [COSE] Key identifier of type bstr / int
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 17:43:47 -0000

I think I may have misread your proposal.

Why do we need `kid2` is this just so that we can have an integer `kid` ?

Seems not worth it to me, since `kid` is already legal in CBOR, my proposal
of `ckid` makes no sense.

So I am basically just saying I dislike seeing `kid2` and don't understand
what its value prop is.

OS





On Mon, Mar 21, 2022 at 12:16 PM Göran Selander <goran.selander@ericsson.com>
wrote:

> Hi Orie,
>
>
>
> Thanks for input. I didn't get the proposal though:
>
>
>
> > If we really need an integer version of `kid` I would suggest following
> the `jti / cti` convention and calling it `ckid`... keeping it optional (as
> is the convention), and ensuring it is not part of thumbprint computations.
>
>
>
> RFC 7517/7519: kid and jti value are case-sensitive strings
>
>
>
> RFC 8152/8392: kid and cti value are CBOR bstr
>
>
>
> Is there any difference between a `ckid` which is CBOR int or a `kid2`
> which is a CBOR int (besides the name)?
>
>
>
> Thanks
>
> Göran
>
>
>
>
>
> *From: *Orie Steele <orie@transmute.industries>
> *Date: *Monday, 21 March 2022 at 14:55
> *To: *Göran Selander <goran.selander@ericsson.com>
> *Cc: *Laurence Lundblade <lgl@island-resort.com>, cose@ietf.org <
> cose@ietf.org>
> *Subject: *Re: [COSE] Key identifier of type bstr / int
>
> I am a -1 to changing `kid`, it should remain a string, for compatibility
> with existing key identifier systems.
>
> Including ones that support
> https://datatracker.ietf.org/doc/html/rfc7638#section-1
>
> See the original definition:
> https://datatracker.ietf.org/doc/html/rfc7517#section-4.5
>
> > The "kid" value is a case-sensitive string.
>
> Many implementations have built hard dependencies on RFC7515.
>
> One of the nicest things about JOSE / COSE is being able to "upgrade" from
> JOSE to COSE.
>
> Having a significant difference between `kid` in JOSE and COSE would be
> harmful.
>
> If we really need an integer version of `kid` I would suggest following
> the `jti / cti` convention and calling it `ckid`... keeping it optional (as
> is the convention), and ensuring it is not part of thumbprint computations.
>
> Regards,
>
> OS
>
>
>
>
> On Mon, Mar 21, 2022 at 8:35 AM Göran Selander <goran.selander=
> 40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi Laurence,
>
>
>
> Thanks for copying in the old thread. As noted, you and others preferred
> `kid` as bstr / int rather than `kid2` as int when we discussed it last
> time. Would be good to come out with a more solid motivation this time so
> we can converge on this  :-)
>
>
>
> With `kid2` as int, the fields that uses both bstr and int would be of
> type  `kid` / `kid2` which is fine.
>
>
>
> There is an algorithm for translation from CBOR bstr / int to byte strings
> on the wire (back and forth) in draft-ietf-core-oscore-edhoc.
>
>
>
> Göran
>
>
>
>
>
> *From: *COSE <cose-bounces@ietf.org> on behalf of Laurence Lundblade <
> lgl@island-resort.com>
> *Date: *Monday, 21 March 2022 at 14:14
> *To: *Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
> *Cc: *cose@ietf.org <cose@ietf.org>
> *Subject: *Re: [COSE] Key identifier of type bstr / int
>
> Thinking about Mike’s comment today in COSE/Vienna about backwards
> compatibility. Looked at my code around this. That definitely seems like an
> issue.
>
>
>
> What about defining “kid2” as just int? “kid” stays as bstr only. Then
> there’s no backwards compatibility break. Adding support for another
> integer parameter isn’t difficult. The downside is a little extra code to
> look at two different parameters.
>
>
>
> You’d probably want to say that only one of the two kids MUST be present.
>
>
>
> Another random idea — could you say that it is allowed to translate an
> integer kid to a bstr kid by assuming network byte order and stripping
> leading zeros?
>
>
>
> LL
>
>
>
>
>
>
>
>
>
> On Aug 13, 2021, at 3:01 AM, Laurence Lundblade <lgl@island-resort.com>
> wrote:
>
>
>
> Understood about the use case. Thx for the background.
>
>
>
> On Aug 10, 2021, at 3:13 AM, Göran Selander <
> goran.selander=40ericsson.com@dmarc.ietf.org> wrote:
>
>
>
> Assume that we do want to allow key identifiers to be CBOR ints in certain
> settings,  what is the best (least intrusive) way to allow this while still
> maintain compatibility with 'kid's supporting the type bstr? Another
> alternative to what has been listed below is to define 'kid2' to only be of
> type int - is that a better option?
>
>
>
> I didn’t write actual code to check, but they about the same to me.
>
>
>
> ‘kid' as int/bstr seems less confusing to me than ‘kid2’. It tells you it
> does exactly the same thing whether it is an int or a bstr.
>
>
>
> So my pick is ‘kid’, but ‘kid2’ is OK too.
>
>
>
> LL
>
>
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>
>
>
>
> --
>
> *ORIE STEELE*
>
> Chief Technical Officer
>
> www.transmute.industries
> <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-a7ff2eb208872658&q=1&e=94b1f6ec-570c-49db-b72f-d15cfe926d93&u=http%3A%2F%2Fwww.transmute.industries%2F>
>
>
>
>
> <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c169100f194b3f01&q=1&e=94b1f6ec-570c-49db-b72f-d15cfe926d93&u=https%3A%2F%2Fwww.transmute.industries%2F>
>


-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

v2.23.0 | Report a Bug | By Email