IETF Logo Mail Archive

Re: [COSE] [Rats] RAM requirements for COSE/CWT

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 22 February 2022 14:00 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62B893A11D1; Tue, 22 Feb 2022 06:00:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAixvTgzxKg5; Tue, 22 Feb 2022 06:00:24 -0800 (PST)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53DE73A11CD; Tue, 22 Feb 2022 06:00:24 -0800 (PST)
Received: by mail-wm1-x32f.google.com with SMTP id az13-20020a05600c600d00b003808a3380faso1935571wmb.1; Tue, 22 Feb 2022 06:00:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:cc:in-reply-to:content-transfer-encoding; bh=20q9VoYithtWU5AG+7wKhanECjE7JQJOcuFx+i81gd0=; b=eApERc8FSIPmNhpWPre0fpwTmDIkIPc9/yGyDuCNxMiYoAHmv+1XqDSGIVIRdkUYIk ur9fWe6i+1OfawkdX6+mu2OTe57qoYOE8kFYxz17o8LTeng1gYWuPachVTFHCduy9NQW 4p6ZeDpAROo+RST0plCGI4PbUAczMIK2XQZAX0+3ckGRO1bGb08iaET9j+PYlACs+C4V psFJT8AE9CA7mWf8bjTe6Mz4g/tI1crUfSk98JCe+oxYc6LE/2UApZmeSw9Q7uvlxxFT kqoICz8zHvF3New1n5dHxaeFLJILJq34QgeyCP1UDDpdNfWHqiltlQEbiX1j6jY0FG4x BGsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:cc:in-reply-to :content-transfer-encoding; bh=20q9VoYithtWU5AG+7wKhanECjE7JQJOcuFx+i81gd0=; b=cfo7m9g4v7A6EGPxqUjIXkpjC/G2BzDnl56DKSfZnHm1TK04VcUFIW5aFsNP6oJmch yyDRdYZbHOn4XfqXj98TqSup6SrAilwu/SzoBoc1xjM8O8HGrg4Z83pe1+5TT8iNFSUN TrQUYnmfJILXWh4Gn0dZQyVxtm96qkMm1cQ5QqQG2Nf+bpCoUAx7yNSMAJNRWHIyhmyG p6VlBshM8E+Acjj43RyF4jf8abbpzjy+XJ/TsnVGflz6r7ix22LRLtls5mDDceRoMZpV DwMN5tZPSwaVWwGGycLXzHPDIO+15vP1Owg5Nxcy+hqYCfGlAKiJUdKVjjNRviWHBWO6 jIRg==
X-Gm-Message-State: AOAM531wLnFzNH3iCKwcK/+Oi/HkzLBCIIZkFWJAYaOZI2T7l0k3UsXU tHDNfC1ThO/ru3QDubpJcmK00PjZ9qE=
X-Google-Smtp-Source: ABdhPJwSrImb5G9/NcYNZ06xbRsSRxsQX7oRc/SkAJodUiuFOYwsK60cKDJ68mvEjNYIGEcMs4cTXA==
X-Received: by 2002:a7b:c409:0:b0:34d:4775:4961 with SMTP id k9-20020a7bc409000000b0034d47754961mr3488198wmi.44.1645538422050; Tue, 22 Feb 2022 06:00:22 -0800 (PST)
Received: from [192.168.1.67] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id c13sm53518833wrv.24.2022.02.22.06.00.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 22 Feb 2022 06:00:21 -0800 (PST)
Message-ID: <14c8d106-3b4b-f973-94b8-018852ff4769@gmail.com>
Date: Tue, 22 Feb 2022 15:00:18 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-US
To: Carsten Bormann <cabo@tzi.org>
References: <e8995f0c-ad85-f702-da6b-051ffdc4cb08@gmail.com> <DBBPR08MB5915B874FD16107A7B0105AAFA3A9@DBBPR08MB5915.eurprd08.prod.outlook.com> <1a16c80d-40cd-baba-b1ce-2033dd0db294@gmail.com> <D22D0D63-F76C-48B3-A034-F8B5B2BB6005@tzi.org> <2c8be442-9899-d117-155c-f6f2096b7055@gmail.com> <92C7CF7C-ED23-41B3-AB32-8438C4C88C20@tzi.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "rats@ietf.org" <rats@ietf.org>, "cose@ietf.org" <cose@ietf.org>
In-Reply-To: <92C7CF7C-ED23-41B3-AB32-8438C4C88C20@tzi.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/i4PVYpxgSfCA2XozA8uTageicko>
Subject: Re: [COSE] [Rats] RAM requirements for COSE/CWT
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 14:00:30 -0000

On 2022-02-22 10:08, Carsten Bormann wrote:
<snip>>>

On 2022-02-22, at 06:59, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>> However, due to the myriad of CBOR serialization options,...
> 
> Not true.
> All widely used serialization formats grant the encoder some freedoms in encoding information, CBOR is not different.  There are no “options” that need to be chosen or known to the recipient; there is only one CBOR.

Dear Carsten,

I have absolutely ZERO interest in criticizing You, CBOR, or COSE, I'm here to point out a problem which I have experienced both as an *enthusiastic* CBOR implementer and as a reviewer of various drafts.

The WebAuthn/FIDO specification details CBOR serialization requirements while the EAT draft specifies multiple alternatives.  There must be a reason for that.  To cope with (and potentially enforce/verify), different CBOR serialization variants, CBOR tools typically provide options: https://github.com/peteroupc/CBOR-Java/blob/master/api/com.upokecenter.cbor.CBOREncodeOptions.md

Anyway, it has been a while since CBOR was conceived.  In the mean time, Moore's Law has kept chugging along nicely, making previously unimaginable things like Apple's Max Pro chip with 58 Billion transistors a reality.  Obviously these developments trickle down to constrained devices as well.

The proposal is simply defining something like an "I-CBOR" that could serve as the foundation for future standards like EAT.

"I-CBOR" would (in my take on the matter), be CBOR's counterpart to ASN.1's DER.  RFC 8949 is just fine, but it doesn't take this concept the whole way: https://www.rfc-editor.org/rfc/rfc8949.html#name-additional-deterministic-en

Cheers,
Anders



> 
>> CWTs suffer from interoperability issues (*)
> 
> Not true.  Pure FUD.
> 
>> making JWTs a better choice for *ubiquitous* usage :(
> 
> No
> 
>> By *mandating* preferred serialization ("I-CBOR") you can achieve the same
>> interoperability as with JWTs,
> 
> Nonsense.
> JWTs don’t use deterministic encoding, and neither does CWT need to to.
> 
>> as well as getting away from the need to bury data-to-be-signed in byte-strings.
> 
> Detached payloads solve that particular problem (if you have it).
> Note that “burying” in CBOR is a simple copy (or reference), while JOSE needs to base64-encoding everything, often in a nested way.
> 
>> Such solutions can also conserve buffer RAM in the case RAM is a scarce resource.  Yes, depending on the application your mileage may vary.
> 
> CBOR saves RAM compared to JSON here.
> 
> Grüße, Carsten
>

v2.8.7 | Report a Bug | By Email