Re: [COSE] "CBOR Certificates"

John Mattsson <john.mattsson@ericsson.com> Fri, 12 February 2021 08:06 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "cose@ietf.org" <cose@ietf.org>
Date: Fri, 12 Feb 2021 08:06:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/oUIpwBMz29cF72Oo6CLKgt01aiA>

Hi,

I don't think it makes sense to primarily use the term "PKIX". I understand Michael's wish to use "PKIX", but I think it is bad for marketing purposes. Everybody knows what "X.509" is and very few know what "PKIX" is, especially outside of the IETF.

Even in RFC 5280, X.509 is used in the title and five times in the abstract. PKIX is not mentioned before Section 3 and then mainly used in the term "PKIX specifications" mostly referring to the PKIX WG.

John

-----Original Message-----
From: COSE <cose-bounces@ietf.org> on behalf of Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
Date: Friday, 12 February 2021 at 08:37
To: Michael Richardson <mcr+ietf@sandelman.ca>, "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] "CBOR Certificates"

Hi Michael,

We have struggled with naming. And as names have been updated, not all text has followed. 
The draft is defining a CBOR encoding of PKIX certificates and two different ways of signing them. One which requires re-encoding as ASN.1/DER and one which does not, each having advantages and disadvantages. It seems to me that both variants have support in the working group. 

We can revisit the naming, and discuss whether it is relevant to describe one as an intermediate step between the PKIX and the other. But removing the specification of one of them because of confusion with the current naming is throwing the baby out with the bath water.

What you point to is that in -06 the term "CBOR certificate" is overloaded to mean either both variants, or the variant which is signed over ASN.1/DER.

I think it makes sense to use the term "CBOR certificate" (shorthand for "CBOR encoded X.509 certificate") as a common term for both (i.e. keep the title of the document), and use other qualifying words to describe the difference in how the signature is generated.

These terms are probably too long:
1. CBOR certificate signed over the ASN.1/DER encoding
2. CBOR certificate signed over the CBOR encoding

We have already discussed and agreed on "natively signed CBOR certificate" for no. 2 and I don't have a better proposal. How about "PKIX signed CBOR certificate" for no. 1? Other proposals?

For comparison, with this terminology the quoted text (with minor editorial) becomes:

       PKIX signed CBOR certificates provides an intermediate step between
       PKIX certificates and natively signed CBOR certificates: An implementation
       of PKIX signed CBOR certificates contains both the CBOR encoding of the X.509 certificate
       and the signature operation, which are sufficient for processing natively signed CBOR certificates.

(If we still don't like this paragraph and can't fix it then we can skip it.)

Thanks for providing IDevID examples! Please share, you don't need to do the compression.

Göran


On 2021-02-11, 22:39, "COSE on behalf of Michael Richardson" <cose-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:


    So, draft-mattsson-cose-cbor-cert-compress has in its title:

            CBOR Encoding of X.509 Certificates (CBOR Certificates)

    Section 7 is: _Natively Signed CBOR Certificates_

    and I strongly believe that we should remove this section, and the title.
    This is going to be very confusing.  And section 7 is not sufficient to really
    have native CBOR Certificates.  It even says that it's an intermediate step.

       CBOR encoded X.509 certificates provides an intermediate step between
       [RFC7925] or [IEEE-802.1AR] profiled X.509 certificates and natively
       signed CBOR certificates: An implementation of CBOR encoded X.509
       certificates contains both the CBOR encoding of the X.509 certificate
       and the signature operations sufficient for natively signed CBOR
       certificates.

    So if this document confuses people into thinking that this intermediate step
    are "CBOR Certificates", then when we actually do that (as LGL and others
    want to do with EAT), then there will be mass confusion.

    So, if that term could be struck from this otherwise excellent document on
    compressing PKIX certificates, that would be nice.

    (ps: I have some IDevID examples which I can share.  I've been trying to
    compress them, but haven't done the OID compression that I need yet)

    --
    Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
               Sandelman Software Works Inc, Ottawa and Worldwide




