IETF Logo Mail Archive

Re: [COSE] Structure of CBOR certificates

Göran Selander <goran.selander@ericsson.com> Fri, 10 July 2020 10:08 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED0893A07C3 for <cose@ietfa.amsl.com>; Fri, 10 Jul 2020 03:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VGxRS3zjChG for <cose@ietfa.amsl.com>; Fri, 10 Jul 2020 03:08:10 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140088.outbound.protection.outlook.com [40.107.14.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A7C3A07C5 for <cose@ietf.org>; Fri, 10 Jul 2020 03:08:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=clCHhN7J5ZfQ93+Vya+zUzd8bcItH3tsg8kkDReHUulb4AXR6aORTo7DSTk3F1Moz9q86821D25JLm8PDTJQM/lKYcUS4nzuWa1eM/9uPY6rVje6Q6gXV06+RaPCo2AH+P8qiu42kKWC8wTZhINT0b89QGHWUT8va4t698rWo0Z2hi2n1Jor48ry5S4FpFbsooEVV/sv7TGaZuNzZ7KMtltOxvTEaJVtDVB29leePkvuoQcx01bufLpXmn6hhHqpG7cnA26NWVJp7xbuFXBcWtGffcpCYD0/A+Hp5MENWD4kFyO6v/rWViA0AOIt0EFegZOucMC4OrOy5waztQCWhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=k8HdiyEsAR0xk4TzOd1MJ0MlfXOo402SBnHNDUSBglE=; b=OTNHbDGCqtYxfDhRQhcjjmrzzpfkaQFtery/hiIq7SG+TFcXqoe93pwQNnEo4dzbRjuaiOLHGe4lf8AcTdk5vjU7MbP5rwVMaeACEHqL6S/aB7UM/Iqe9jjUfx34cxC7BunmYcQ8Yotbrjh756d4uNwkazcQaK3+Zfw0D3g8K/GJQBRZkQqOTbN3MTiqrxPdFK0Qd2/6kswO1vxz0Y4s2Yn4EYNpEzS7REFx9zxWZKNZAnbAnugtsxdCakVcSHdM9gfDPcQUrl/z8/2Ym2zMP9wIHOk+ZIV+oVZ+TQM9//rHPNDc9qcp8RFeQRlc3GzG5tNSuksVCPN4q+e0OFyHdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=k8HdiyEsAR0xk4TzOd1MJ0MlfXOo402SBnHNDUSBglE=; b=KYRAyM1AhPiemo6PGfv+F+7CMgUoJOpMvJcDpFiF2jfSO8XXXuIHe5ky+HepZ0569idh0pgM8OadPxzHMQGM9bxhGb1aOijmOMzUrGU0CL84ae1w3a3M4KliOQwyERXZSezUi+rhLVqANDpfVucupi54LIlB9at5biIeAB0niq4=
Received: from AM0PR0702MB3665.eurprd07.prod.outlook.com (2603:10a6:208:1e::21) by AM4PR0701MB2164.eurprd07.prod.outlook.com (2603:10a6:200:4a::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3195.9; Fri, 10 Jul 2020 10:08:06 +0000
Received: from AM0PR0702MB3665.eurprd07.prod.outlook.com ([fe80::75ea:232a:4132:452e]) by AM0PR0702MB3665.eurprd07.prod.outlook.com ([fe80::75ea:232a:4132:452e%4]) with mapi id 15.20.3195.009; Fri, 10 Jul 2020 10:08:06 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] Structure of CBOR certificates
Thread-Index: AQHWVdtqmNOSgAbKkUeKPEjyndKwSqj/q/eAgAEN2oA=
Date: Fri, 10 Jul 2020 10:08:06 +0000
Message-ID: <3BB91C08-EA7E-4388-8CB9-78275E1CBDF4@ericsson.com>
References: <4fbee615-6d6f-700f-2439-237add7fbcf2@sit.fraunhofer.de> <CAHszGE+A=e9tdBZpa51wMasxm1AhA_xRbAUCmR55xXSJgtF7Lg@mail.gmail.com>
In-Reply-To: <CAHszGE+A=e9tdBZpa51wMasxm1AhA_xRbAUCmR55xXSJgtF7Lg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.38.20061401
authentication-results: sit.fraunhofer.de; dkim=none (message not signed) header.d=none;sit.fraunhofer.de; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.251.145.232]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a2839791-487c-4fc5-5930-08d824b92418
x-ms-traffictypediagnostic: AM4PR0701MB2164:
x-microsoft-antispam-prvs: <AM4PR0701MB2164FBAE0C517A47D7DB6A24F4650@AM4PR0701MB2164.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dCzm9EPoKVhOGoiWXkGCEycmPQdrP/1NlwzQBcKeqG/iz7cG5MeGD3qmqKH4qIvAZRuk1uyh4wyn3sUfGHBoZZgmr/2jtmjym4ws1rmufwm+3c8eyPXYG3J/4O7SO9OB5R0lyeHXSVbudBBIkHSCia1lsvFcyj30Th3yRAMM9pDIC18qmlkVbPNb0CIc5W3VEfGNooFxJ71hBL+R7UOaPjbDtBwLEKuCDsLtHaDKZpJjx6+0jc6iviyT1WEiTDWEUFTEQgT0aIZZN2SX6VV7PAuYi2/uA9kyHXJvk8A8V5I6/QJgbkEMSgSHo+14V85PEip4YiTw/+Z7Yq1rBvNmydicxCttIXWY/2ZbwXsbShk7O939Yv9o2Sq3zv/82J8lBSzn/C8HYgm49Ue7apda7Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR0702MB3665.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(396003)(346002)(366004)(39860400002)(136003)(2906002)(83380400001)(66574015)(2616005)(316002)(110136005)(6512007)(85202003)(64756008)(66476007)(86362001)(66946007)(5660300002)(71200400001)(66556008)(85182001)(8936002)(8676002)(33656002)(66446008)(91956017)(6486002)(36756003)(76116006)(53546011)(6506007)(166002)(186003)(26005)(966005)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: y3yKNacciCWpV1TqIjEE5nGRFvBR3DJH9ZtCbpxz0rqEPpfz6pW7GwbUSLfVlVdhSMtqkYP+2//t2R+XAl+HqEZ2XjuSUkeF/shxLjxubpY84g8hZZw25w6EvlinwMdhRP3oIWsmqq1CVptCyRsrEg3PyzLhPNhQApzoxq7lhRWNc9lsvWuAZidwbVby5o0vC1SEbMV5h4J0eIqhBugdgRvgS1gajmdEZznUmq3BtGOhouMEYYPZcS5Me51ewTR4yHa+yttFffCv+/pg5u41JGNoZzd5JK92vrs/qZ+0LYwcR7q66GAZOviJWRKKB28baNgQ04LGyxQ9ga8n7xr6kvcvIhlencIcjms/i/NXaETxn67veZSsSkP/w7wgLv+D3EMESgqsznGhrYY3ZIJnlZV4T0NtnNieunAdszug/0eQrsajjq6pcSZETf8s4/7xgtAZPUnGlas6Op61/KK1bQToYdJh9dDWpT/NfuB09jggluYmBKvbtgKVZupopNOg
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_3BB91C08EA7E43888CB978275E1CBDF4ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR0702MB3665.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a2839791-487c-4fc5-5930-08d824b92418
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2020 10:08:06.3971 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: o2YNchcDP6p41k/34YMIg8d8xUDlJi9yCXqv8FpbD+P4E+TElqpE/9dW6MuE5PpNU3SOeXycERgyXy5rI/dmFkEW+HDnZZMunMBnCSNoDek=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0701MB2164
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/mCtGWtBAPPv2CT2nDyUQFNmvkgw>
Subject: Re: [COSE] Structure of CBOR certificates
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 10:08:13 -0000

Hi Henk,

Thanks for the input. Great to also see your note about usefulness of native CBOR certificates! This adds to Laurence previous comments on the list.

For your information, we are now working on a merge of the following drafts:

draft-raza-ace-cbor-certificates
draft-mattsson-tls-cbor-cert-compress
draft-mattsson-cose-cbor-cert-compress

The union of the contents will become a new version of draft-mattsson-cose-cbor-cert-compress (being the draft having the right WG designation). We will not be able to take your comments into account before the cutoff on the 13th, but this is excellent input for discussion before and at the !ETF 108 WG meeting.

Thanks
Göran


From: Joel Höglund <joel.hoglund@gmail.com>
Date: Thursday, 9 July 2020 at 22:02
To: "cose@ietf.org" <cose@ietf.org>
Cc: "draft-raza-ace-cbor-certificates@ietf.org" <draft-raza-ace-cbor-certificates@ietf.org>
Subject: Re: [COSE] Structure of CBOR certificates
Resent from: <alias-bounces@ietf.org>
Resent to: <shahid.raza@ri.se>, <joel.hoglund@ri.se>, <goran.selander@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, <martin.furuhed@nexusgroup.com>
Resent date: Thursday, 9 July 2020 at 22:02


Hi Henk and all!


Thank you for your comments and update proposals!



In brief, there is definitely a need to clarify the assumptions about existing x509 data structures we want to encode, and probably in some cases make the proposal more general to allow more valid rfc7925 certificates. Some further comments to the highlighted issues follows.


1. About Issuer-field encodings: We would like to have more discussions on if for instance your directoryString proposal is necessary, or if the string types can be assumed -- hopefully with input from others with experience of how Issuer-fields normally are encoded.


2. About algorithm parameters: Our current assumption is that for our target certificates, all needed algorithm info can be represented using only the subjectPublicKeyInfo_algorithm field.


3. About a general extension oid-mapping: We believe the four extensions mandated by rfc7925 should suffice, but are open for hearing about IoT requirements that go beyond those four.


Looking forward to further discussions, and


Best Regards


Joel Höglund





On Thu, 9 Jul 2020 at 12:26, Henk Birkholz <henk.birkholz@sit.fraunhofer.de<mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
Hi all,

TL;DR moving the CBOR X.509 Profile forward + comments on native CBOR
certificates


After some dialog with the authors, I created a PR on a few topics we
think should be discussed on-list.

> https://github.com/EricssonResearch/CBOR-certificates/pull/24<https://protect2.fireeye.com/v1/url?k=55948e46-0b346ed8-5594cedd-86ee86bd5107-faf6e602f8a174dd&q=1&e=4b292bae-4962-4a86-9de0-0c0127e741fe&u=https%3A%2F%2Fgithub.com%2FEricssonResearch%2FCBOR-certificates%2Fpull%2F24>

Some context: The CBOR profile for X.509 certs is based on requirements
coming from the (D)TLS profiles for IoT as defined in RFC7925.

Section 4.4 in RFC7925 is about certificates and the most relevant part
of that RFC for this work.  Most of the requirements defined help to
reduce the complexity of how to use X.509 pub-key identity documents.
This helps with the complexity of a corresponding canonical
de-composition and re-composition of "CBOR certificates" - and
ultimately to safe bytes during conveyance.  It is also important to
highlight here that not only saving bytes is important, but also the
applicability of the solution.  The more certificates can be
processed/compressed via the defined approach, the more it will be
useful in the field.

The PR highlighted above includes a proposal how a full CDDL
specification can looks like.  It also adds some complexity to the CBOR
structure that we may or may not want.  And that is what we would like
to find out with the help of the list.  As a result that PR is intended
to be a basis for discussion.

In order to kick-off the discussion, I would like to highlight a few
topics we started to discuss via the PR here on the list.

1.) While the use of Subject is significantly simplified in RFC7925, the
same is not true for Issuer.  The PR provides an example of how to
present "not-RFC7925-optimized" hierarchical names.  And you can see the
increased complexity quite well.  String types like the options from
directoryString or AI5 have to be retained in order to allow for
canonical re-construction of Issuer.  But maybe - effectively - strings
type are used in a very deterministic manner.  Would that be naive
assumption?  Or might it be feasible to reuse the Subject constraints
from RFC7925 for Issuer?

2.) In order to steer the use algorithms, algorithm parameters can be
included next to the algorithm identifiers.  If they are included in a
certificate, these have to be represented in this profile, too.  Or can
assumption be made that they are not used or somehow deterministic?  If
in doubt, the small amount of complexity as found in the CDDL might be
warranted.  In the end, it would be unfortunate to exclude a subset of
certs, because they include alg parameters.

3.) How relevant is the inclusion of generic extensions via oid for the
application of the CBOR profile for X.509?  The PR includes a relative
straight forward approach how to map oid, but is that necessary?  Is it
safe to assume that there will be a core set of extensions that warrants
a mapping to a set of integers that would significantly reduce the size
of a CBOR cert?

These are three prominent topics today and there will be other.  I hope
to get feedback on the topics elaborated on here and of course the PR.
The diff for the PR to see the changes side by side can be found here:

> https://github.com/EricssonResearch/CBOR-certificates/pull/24/files<https://protect2.fireeye.com/v1/url?k=10493808-4ee9d896-10497893-86ee86bd5107-d50a06dc675c460c&q=1&e=4b292bae-4962-4a86-9de0-0c0127e741fe&u=https%3A%2F%2Fgithub.com%2FEricssonResearch%2FCBOR-certificates%2Fpull%2F24%2Ffiles>


Looking at the current and proposed CDDL structure, I'd like to note as
    a separate topic that with only a few minimal tweaks to the current
specification it already resembles a solution viable for native CBOR
certificates, too. The only effective difference is the scope of the
signature, which would not require a dual stack implementation on
constrained devices (that sometimes might want to check a signature).

In general, native CBOR certificates would be quite useful in
applications, such as SUIT Workflow Models, trustworthy time
synchronization in swarms of things, lightweight remote-attestation,
Concise Software Identities or the emerging SBOM efforts of NTIA/CICP.
If you think of the IoT as an initial scope, there is also no pressing
need for public CAs to embrace a native format ad-hoc.

Viele Grüße,

Henk

_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email