Re: [COSE] Gunter Van de Velde's No Objection on draft-ietf-cose-typ-header-parameter-04: (with COMMENT)

Michael Jones <michael_b_jones@hotmail.com> Wed, 03 April 2024 04:45 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Gunter Van de Velde <gunter.van_de_velde@nokia.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-cose-typ-header-parameter@ietf.org" <draft-ietf-cose-typ-header-parameter@ietf.org>, "cose-chairs@ietf.org" <cose-chairs@ietf.org>, "cose@ietf.org" <cose@ietf.org>, "ivaylopetrov@google.com" <ivaylopetrov@google.com>
Date: Wed, 03 Apr 2024 04:45:44 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/qIKBVNPGT6uhNcPcU54MTtwlOxg>

Hi Gunter,

Thanks for taking the time to review the specification.  My responses are inline below, prefixed by "Mike>".

-----Original Message-----
From: Gunter Van de Velde via Datatracker <noreply@ietf.org>
Sent: Friday, March 29, 2024 6:27 AM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-cose-typ-header-parameter@ietf.org; cose-chairs@ietf.org; cose@ietf.org; ivaylopetrov@google.com; ivaylopetrov@google.com
Subject: Gunter Van de Velde's No Objection on draft-ietf-cose-typ-header-parameter-04: (with COMMENT)

Gunter Van de Velde has entered the following ballot position for
draft-ietf-cose-typ-header-parameter-04: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-cose-typ-header-parameter/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Please find here some observations during processing of the draft. Please use
or ignore as you find appropriate.

The document uses a significant number of abbreviations. For generalists as
myself, maybe consider adding a section to spell out the three letter acronyms
together with pointers to references.

Mike> We've been following the practice of spelling out acronyms on first use and providing citations.  The one exception to providing citations is in the Appendix, which I'll address below.

This review uses line numbers as found with the idnits tool.

13         This specification adds the equivalent of the JSON Object Signing and
14         Encryption (JOSE) typ (type) header parameter to CBOR Object Signing
15         and Encryption (COSE) so that the benefits of explicit typing, as
16         defined in the JSON Web Token Best Current Practices BCP, can be
17         brought to COSE objects.  The syntax of the COSE type header
18         parameter value is the same as the existing COSE content type header
19         parameter.

This complete paragraph does not have any reference pointers, making it rather
difficult for generalists to process.

Mike> When reviewing one of my early IETF drafts that became an RFC, an IETF old hand told me that the Abstract shouldn't contain citations.  That's because it will sometimes be published in places without the rest of the document, so the references there can't be followed.  Rather, all the references that would otherwise appear in the Abstract normally appear in the Introduction.  That's what we've done.

The abstract has a single giant phrase
stretching from line 13 through 17 making the abstract intense to process.
Consider cutting up in smaller chunks for readability.

Mike> Good suggestion.  I've broken it into two sentences.

What are 'the benefits
of explicit' typing being referred towards? What is 'explicit typing'? Maybe I
do not know because I am not familiar with these technologies? (there seems a
short pointer in a later section in the document)

Mike> There's a reference to explicit typing in the Introduction.

What is the CBOR acronym? When
reading the abstract, as a generalist, it is unclear what exactly the document
is trying to achieve.

Mike> CBOR stands for Concise Binary Object Representation.  It's become so pervasively used that some IETF contexts don't expand the acronym.  For instance, the working group name "CBOR Object Signing and Encryption (COSE)" doesn't expand it.  (And it would be weird to do so because you'd end up with the nested expansion "Concise Binary Object Representation (CBOR) Object Signing and Encryption (COSE)", which to me seems downright odd and confusing.)

I had to look up what 'CBOR Object Signing and Encryption (COSE)' stands for.
Consider for generalists to spell out abbreviations to help better understand.
(I had to research and discover that COSE is a specification that defines a
data format for encoding and processing cryptographic objects using Concise
Binary Object Representation (CBOR).)

Mike> Again, there's a citation for COSE at its first use in the Introduction.  And at that reference, there's a citation for CBOR.

74         typ (type) header parameter, which is used for declaring the type of
75         the entire JOSE data structure.  The security benefits of having typ
76         (type) are described in Section 3.11 of the JSON Web Token Best

Is there a particular reason why 'typ (type)' are always used together? I
assume it is for readability?

Mike> This follows the typographical conventions in RFC 7515, which defines the "typ" (type) header parameter.

RFC8725 for example seems to have fixed this with
consistent usage of "typ" to avoid always writing the combination of typ (type)

Mike> Either choice is reasonable.  We chose to follow the original typography.

77         Current Practices [RFC8725], which recommends its use for "explicit
78         typing" -- using typ values to distinguish between different kinds of
79         JWTs.

What is a JWT?

Mike> I've expanded this on first use in the Introduction to "JSON Web Tokens (JWTs) [RFC7519]".

89         The term "COSE object" is used in the same manner as in [RFC9052].
90         An example of a COSE object is a COSE_Sign1 structure, as described
91         in Section 4.2 of [RFC9052].

This text seems to be written as if there are multiple manners to use the term
"COSE object"? If there are multiple manners, should that be more explicit
identified for clarity?

Mike> I agree that this wording could be improved.  I've changed it to "The term "COSE object" is used as defined in [RFC9052]."

101     2.  COSE "typ" (type) header parameter

103        The typ (type) header parameter is used by COSE applications to
104        declare the type of this complete COSE object, as compared to the
105        content type header parameter, which declares the type of the COSE

There seems to be mixed usage of "typ" and typ. It distracts reading the
document due to inconsistency. Also line 105 references the type, but should
that not be typ header parameter to be correct with the naming of the field?

Mike> This intentionally parallels the definition in RFC 7515.

143        COSE applications employing explicit typing should reject COSE
144        objects with a type header parameter value different than values that
145        they expect in that application context.  They should also reject
146        COSE objects without a type header parameter when one is expected.

Is there benefit for BCP14 style language in this section?

Mike> Indeed, this language intentionally mirrors the language in BCP 225 (which is also RFC 8725).

Mike> The changes described above are in https://github.com/selfissued/draft-ietf-cose-typ-header-parameter/pull/10 (as are changes motivated by two other reviews).  I plan to merge it and publish mid-day Wednesday US Pacific Time unless I hear objections so that the new draft is ready for Thursday's IESG telechat.

                                Best wishes,
                                -- Mike
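
Added example, not part of this message or of the draft: one way a verifier could apply the rejection rule quoted from draft lines 143-146, checking the typ value in a COSE object's serialized protected header before any further processing. The label 16 is the registered COSE "typ" label and is not stated in this thread; the media type, the sample bytes and the choice to read typ only from the protected header are assumptions of the example.

```python
TYP = 16  # registered COSE "typ" header label (assumption: not given in this thread)
MEDIA = "application/example+cose"  # hypothetical media type for the example
SAMPLE = b"\xa2\x01\x26\x10\x78" + bytes([len(MEDIA)]) + MEDIA.encode()  # constructed {1: -7, 16: MEDIA}

def _head(buf, i):
    """Read one CBOR head; return (major type, argument, next offset)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        return major, info, i
    if info > 27 or i + (n := 1 << (info - 24)) > len(buf):
        raise ValueError("unsupported or truncated head")
    return major, int.from_bytes(buf[i:i + n], "big"), i + n

def _item(buf, i):
    """Decode the item kinds this example needs: uint, nint, bstr, tstr."""
    major, arg, i = _head(buf, i)
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3) and i + arg <= len(buf):
        raw = buf[i:i + arg]
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    raise ValueError("unsupported or truncated item")

def decode_protected(protected):
    """Decode the serialized protected header bucket into a dict."""
    if not protected:
        return {}  # a zero-length bstr means an empty header map
    major, count, i = _head(protected, 0)
    if major != 5:
        raise ValueError("protected header is not a map")
    hdr = {}
    for _ in range(count):
        key, i = _item(protected, i)
        value, i = _item(protected, i)
        if key in hdr:
            raise ValueError("duplicate header label")
        hdr[key] = value
    if i != len(protected):
        raise ValueError("trailing bytes")
    return hdr

def accept_typ(protected, expected):
    """True only for an exact typ match; absent, malformed or other-form values fail."""
    try:
        typ = decode_protected(protected).get(TYP)
    except (ValueError, IndexError):  # UnicodeDecodeError is a ValueError
        return False
    return typ is not None and type(typ) is type(expected) and typ == expected
```

The comparison is an exact match on purpose: a text-string typ never satisfies an expected unsigned-integer typ or the reverse, so a caller states exactly which form its application context expects.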